0
votes

We have requirements to enable MFA to check specific business flows. It means that a user can log in without MFA and do some stuff, but some flows will require MFA verification.

For example, a user can create a policy, but he cannot edit or delete policies without MFA.

We use Azure Active Directory and OpenID Connect for authentication/authorization.

I have checked if there are any options in Graph API for such things, but haven't found anything like this.

Could you please recommend or advise on possible options to implement such requirements?

1
My answer here might help stackoverflow.com/a/51824130/1658906. You can require MFA with that. Then you can check the token that it contains e.g. "amr":["pwd", "mfa"] - juunas
@JoeCai, thank you for your help. We can close this topic, your proposal looks the best what I could find - Anuar Nurmakanov

1 Answer

1
votes

As juunas said, add amr_values=ngcmfa to the authorization URL to force MFA and then decode the token, which will contain "amr": ["pwd","mfa"].

https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxxxxxxxxxxxxx
&response_type=id_token
&redirect_uri=https://localhost:123
&response_mode=fragment
&scope=https://graph.microsoft.com/v1.0/me
&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7
&amr_values=ngcmfa
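As an added example (not the answerer's code), the step-up flow above in Python: build the authorize request with amr_values=ngcmfa, parse the returned id_token, and gate the edit/delete flows from the question on the amr claim containing "mfa". The client_id, redirect_uri, nonce and the sample token are constructed placeholders; decode_claims only parses the payload, so a real deployment must validate the signature, issuer, audience, expiry and nonce with a proper library before trusting amr.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def build_stepup_authorize_url(client_id, redirect_uri, nonce):
    """Build the step-up sign-in request from the answer (amr_values=ngcmfa)."""
    params = {
        "client_id": client_id,          # placeholder, not a real app id
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": "openid",
        "nonce": nonce,                  # must be checked against the id_token's nonce
        "amr_values": "ngcmfa",          # asks Azure AD to enforce MFA for this sign-in
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token):
    """Return the payload claims only. Signature, iss, aud, exp and nonce must be
    validated (e.g. with MSAL or PyJWT) before any claim here is trusted."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))

def mfa_satisfied(claims):
    # Azure AD lists the authentication methods used in amr, e.g. ["pwd", "mfa"].
    amr = claims.get("amr") or []
    return isinstance(amr, list) and "mfa" in amr

def authorize_flow(claims, flow):
    # Rule from the question: create needs only a login; edit/delete need MFA.
    if flow in ("edit_policy", "delete_policy"):
        return mfa_satisfied(claims)
    return flow == "create_policy"

def make_unsigned_token(claims):
    # Constructed sample token for local testing only (empty signature segment).
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."
```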