Need direction on manually rolling my own MSAL (or at least accessing REST APIs) for use with non-standard tooling/languages.

MW 21 Reputation points
2020-08-06T23:50:20.207+00:00

Hello,

I have a client that has moved their internal tools to Azure MFA. We have a couple of 3rd party desktop applications (written by my company) that the client would like to bring under the Azure MFA umbrella.

We previously accomplished this with another MFA vendor using their REST API. The process allowed the application to send an MFA request, have the users' devices receive a "request for approval", then respond to the application.

It appears that all of the available "solutions" make use of a pre-rolled MSAL library. We are, however, not using any of the listed tools/languages (https://video2.skills-academy.com/en-us/azure/active-directory/develop/reference-v2-libraries) and will need to roll our own.

Would anyone be able to point me in the right direction for achieving this with Azure MFA (without having to manually reverse-engineer the existing libraries 🥴)?

Best,

MW


Accepted answer
  1. 2020-08-08T19:00:11.51+00:00

    Duo exposes a REST API while the Microsoft Identity Platform exposes OAuth2 and SAML endpoints. The closest you will get to "only" initiate MFA and not receive a token is to use the Authorization Grant Flow which will yield a code only. For MFA to be initiated an appropriate Conditional Access policy must apply, Azure AD Security Defaults must be enabled or per user MFA must be enabled.

    You might replace ping by querying the OpenID Connect metadata endpoint with a GET request:

    https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

    And you can initiate the Authorization Grant Flow doing a GET request to the following endpoint:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={app id}&response_type=code&scope=.default

    ---
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
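As an added illustration of the answer above (not code from the answer, from MSAL or from Microsoft), the following Python builds the authorize request from the discovery document and validates the browser callback. It assumes a public client registration with placeholder client id and a loopback redirect URI of http://localhost:8400/, and adds a `state` parameter and PKCE (which MSAL also uses) so the returned code cannot be replayed or injected; the discovery document excerpt is constructed inline so the block runs offline.

```python
"""Hand-rolled initiation of the OAuth2 authorization code flow against the
Microsoft identity platform v2.0 endpoints (added example, not MSAL).
Assumptions: the discovery document was fetched from
.../v2.0/.well-known/openid-configuration (a constructed excerpt is embedded
so this runs offline); client id and redirect URI are placeholders."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed excerpt of the OIDC discovery document; the real one has more keys.
METADATA = json.loads('''{
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "code_challenge_methods_supported": ["plain", "S256"]
}''')


def make_pkce():
    """PKCE verifier/challenge (RFC 7636): a stolen code is useless without the verifier."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(metadata, client_id, redirect_uri, scope="openid"):
    """Return (url, state, verifier). Open url in the user's browser; Azure AD
    then enforces MFA according to Conditional Access / security defaults."""
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("authorization endpoint does not advertise S256 PKCE")
    state = secrets.token_urlsafe(32)  # binds the callback to this request (CSRF defence)
    verifier, challenge = make_pkce()
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256",
              "response_mode": "query"}
    return metadata["authorization_endpoint"] + "?" + urlencode(params), state, verifier


def parse_callback(redirect_url, expected_state):
    """Validate the redirect back to the loopback listener; return the code."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return q["code"][0]
```

The code proves the user completed sign-in (and MFA, where policy requires it); if you never redeem it at the token endpoint, nothing else is granted, but keep the verifier and state in memory only for the life of that one request.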


2 additional answers

  1. 2020-08-07T02:19:32.787+00:00

    Azure MFA is a tool and language agnostic feature that lives in Azure AD. MSAL targets the Microsoft Identity Platform (Azure AD authentication) which exposes OAuth2 and SAML compliant endpoints that can be consumed by any language and/or client/application capable of doing HTTP requests.


  2. MW 21 Reputation points
    2020-08-07T22:09:39.203+00:00

    Hi @alfredo-revilla-msft,

    Thanks for that reply. I do understand. As per the docs (https://video2.skills-academy.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow):

    . . . When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL). . .

    In our case, we simply need to ping the server, initiate MFA, and verify the user responds. No need for a token or anything. In order to achieve this "abbreviated" version, I was hoping for more of a "walk-through" on the specific credential requirements, etc. sort of like those provided by DUO:

    https://www.duosecurity.com/docs/authapi
    https://github.com/duosecurity/duo_api_php/blob/master/src/Auth.php

    . . .without having to dig too deeply. If I must roll up my sleeves and dig in, I'll happily do so, but I figured I'd ask for any quality direction before I blindly waded in. =)

