## MFA functions utilizing provisioning API
# Mar 3rd 2020
function Set-UserMFA
{
<#
.SYNOPSIS
Sets user's MFA settings
.DESCRIPTION
Sets user's MFA settings using Provisioning API
.Parameter AccessToken
Access Token of the user accessing Azure Active Directory to find the given user to get the SID
.Parameter UserPrincipalName
User's principal name.
.Parameter State
State of user's MFA: Disabled, Enabled, or Enforced.
.Parameter StartTime
Remembers devices issued after the given time. Note! Applied only if State equals Enabled or Enfoced.
.Parameter PhoneNumber
User's phone number used for MFA. Must in the following format "+CCC NNNNN" where CCC is country code and NNNN the phone number without leading zero.
.Parameter AlternativePhoneNumber
User's alternative phone number used for MFA. Must in the following format "+CCC NNNNN" where CCC is country code and NNNN the phone number without leading zero.
.Parameter Email
User's phone number used for MFA. Should be correct email address.
.Parameter DefaultMethod
User's default MFA method: PhoneAppNotification, PhoneAppOTP, or OneWaySMS. TwoWayVoiceOffice and TwoWayVoiceMobile won't work in TRIAL tenants.
In audit log: PhoneAppNotification=0, PhoneAppOTP=6, OneWaySMS=7, TwoWayVoiceOffice=5, TwoWayVoiceMobile=2
.Example
PS C:\>$at=Get-AADIntAccessTokenForAADGraph
PS C:\>Set-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com -PhoneNumber "+1 123456789" -DefaultMethod PhoneAppNotification
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
$UserPrincipalName,
[Parameter(Mandatory=$False)]
[ValidateSet('Disabled','Enabled','Enforced')]
$State,
[Parameter(Mandatory=$False)]
[ValidateSet('PhoneAppOTP','PhoneAppNotification','OneWaySMS','TwoWayVoiceOffice','TwoWayVoiceMobile')]
$DefaultMethod,
[Parameter(Mandatory=$False)]
[DateTime]$StartTime=(Get-Date),
[Parameter(Mandatory=$False)]
[String]$PhoneNumber,
[Parameter(Mandatory=$False)]
[String]$AlternativePhoneNumber,
[Parameter(Mandatory=$False)]
[String]$Email
)
Process
{
# Validation for phone numbers
function valPho
{
Param([String]$PhoneNumber)
if(![String]::IsNullOrEmpty($PhoneNumber))
{
$regex="^[+]\d{1,3} [1-9]\d{1,11}$" # 1-3 digits (country code), space, non-zero digit, and 1 to 11 digits.
return [regex]::Match($PhoneNumber,$regex).success
}
else
{
return $true
}
}
# Check the phone numbers
if(!((valPho $PhoneNumber) -and (valPho $AlternativePhoneNumber)))
{
Write-Error 'Invalid phone number format! Use the following format: "+CCC NNNNNNN" where CCC is the country code and NNNN the phonenumber without the leading zero.'
return
}
$command="SetUser"
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"
# Get user name from access token if empty
if([string]::IsNullOrEmpty($UserPrincipalName))
{
$UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
}
# Convert time to text
$startText = $StartTime.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ss+00:00").Replace(".",":")
# Set StrongAuthenticationRequirements
$StrongAuthenticationRequirements=""
if([string]::IsNullOrEmpty($State))
{
$StrongAuthenticationRequirements=''
}
elseif($State -ne "Disabled")
{
$StrongAuthenticationRequirements=@"
$(Add-CElement -Parameter "RelyingParty" -Value "*")
$(Add-CElement -Parameter "RememberDevicesNotIssuedBefore" -Value "$startText")
$(Add-CElement -Parameter "State" -Value "$State")
"@
}
# Set the default method
$StrongAuthenticationMethods=''
if(![String]::IsNullOrEmpty($DefaultMethod))
{
$StrongAuthenticationMethods=@"
$($DefaultMethod.Equals("PhoneAppOTP").ToString().ToLower())
PhoneAppOTP
$($DefaultMethod.Equals("PhoneAppNotification").ToString().ToLower())
PhoneAppNotification
$($DefaultMethod.Equals("OneWaySMS").ToString().ToLower())
OneWaySMS
$($DefaultMethod.Equals("TwoWayVoiceOffice").ToString().ToLower())
TwoWayVoiceOffice
$($DefaultMethod.Equals("TwoWayVoiceMobile").ToString().ToLower())
TwoWayVoiceMobile
"@
}
# Create the body for setting MFA
$request_elements=@"
$StrongAuthenticationMethods
$StrongAuthenticationRequirements
$(Add-CElement -Parameter "AlternativePhoneNumber" -Value "$AlternativePhoneNumber")
$(Add-CElement -Parameter "Email" -Value "$Email")
$(Add-CElement -Parameter "PhoneNumber" -Value "$PhoneNumber")
$(Add-CElement -Parameter "UserPrincipalName" -Value "$UserPrincipalName")
"@
# Create the envelope and call the API
$response=Call-ProvisioningAPI(Create-Envelope $AccessToken $command $request_elements)
# Get the results
$results = Parse-SOAPResponse($Response)
# Return
$results
}
}
# Sets user's MFA app details
# Jun 29th 2020
function Set-UserMFAApps
{
<#
.SYNOPSIS
Sets user's MFA Apps settings
.DESCRIPTION
Sets user's MFA Apps settings using Azure AD Graph
.Parameter AccessToken
Access Token of the user accessing Azure Active Directory to find the given user to get the SID
.Parameter UserPrincipalName
User's principal name.
.Parameter Id
Id of the device.
.Parameter AuthenticationType
Comma separated list of authentication types of the device. For example, "Notification, OTP" or just "OTP".
In audit log: OTP=1, Notification=2.
.Parameter DeviceName
Name of the device
.Parameter DeviceTag
Tag. Usually "SoftwareTokenActivated".
.Parameter DeviceToken
Device token of MFA Authenticator App.
.Parameter NotificationType
Notification type of the app. Can be GCM (notification through app) or Invalid (just OTP).
In audit log: OTP=1, GCM=4
.Parameter OathTokenTimeDrift
Time drift of Oath token in seconds. Should be 0 or close to it.
.Parameter OathSecretKey
Secret key for calculating OTPs.
.Parameter PhoneAppVersion
Version of the app.
.Parameter TimeInterval
Time interval.
.Example
PS C:\>$at=Get-AADIntAccessTokenForAADGraph
PS C:\>Get-AADIntUserMFAApps -AccessToken $at -UserPrincipalName user@company.com
AuthenticationType : Notification, OTP
DeviceName : SM-R2D2
DeviceTag : SoftwareTokenActivated
DeviceToken : APA91...
Id : 454b8d53-d97e-4ead-a69c-724166394334
NotificationType : GCM
OathTokenTimeDrift : 0
OathSecretKey :
PhoneAppVersion : 6.2001.0140
TimeInterval :
AuthenticationType : OTP
DeviceName : NO_DEVICE
DeviceTag : SoftwareTokenActivated
DeviceToken : NO_DEVICE_TOKEN
Id : aba89d77-0a69-43fa-9e5d-6f41c7b9bb16
NotificationType : Invalid
OathTokenTimeDrift : 0
OathSecretKey :
PhoneAppVersion : NO_PHONE_APP_VERSION
TimeInterval :
PS C:\>Set-AADIntUserMFAApps -AccessToken $at -Id 454b8d53-d97e-4ead-a69c-724166394334 -DeviceName "SM-3CPO"
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
[String]$UserPrincipalName,
[Parameter(Mandatory=$True)]
[guid]$Id,
[Parameter(Mandatory=$False)]
[String]$AuthenticationType,
[Parameter(Mandatory=$False)]
[String]$DeviceName,
[Parameter(Mandatory=$False)]
[String]$DeviceTag,
[Parameter(Mandatory=$False)]
[String]$DeviceToken,
[Parameter(Mandatory=$False)]
[ValidateSet('Invalid','GCM')]
[String]$NotificationType,
[Parameter(Mandatory=$False)]
[int]$OathTokenTimeDrift,
[Parameter(Mandatory=$False)]
[String]$OathSecretKey,
[Parameter(Mandatory=$False)]
[String]$PhoneAppVersion,
[Parameter(Mandatory=$False)]
[String]$TimeInterval
)
Process
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"
# Get user name from access token if empty
if([string]::IsNullOrEmpty($UserPrincipalName))
{
$UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
}
# Get user's current configuration and get the app details
$MFAApps = Get-UserMFAApps -UserPrincipalName $UserPrincipalName -AccessToken $AccessToken
# If only one element, add it to array
if(!$MFAApps.Count -gt 0)
{
$MFAApp = $MFAApps
Remove-Variable MFAApps
$MFAApps = @($MFAApp)
}
$found = $false
$pos=0
foreach($app in $MFAApps)
{
if($app.id -eq ($id.ToString()))
{
$found = $true
break
}
$pos++
}
if(!$found)
{
Throw "Authentication app $id not found from user $UserPrincipalName"
}
# Apply the new information
if($AuthenticationType)
{
$MFAApps[$pos].AuthenticationType=$AuthenticationType
}
if($DeviceName)
{
$MFAApps[$pos].DeviceName=$DeviceName
}
if($DeviceTag)
{
$MFAApps[$pos].DeviceTag=$DeviceTag
}
if($DeviceToken)
{
$MFAApps[$pos].DeviceToken=$DeviceToken
}
if($NotificationType)
{
$MFAApps[$pos].NotificationType=$NotificationType
}
if($OathTokenTimeDrift -ne $MFAApps[$pos].OathTokenTimeDrift)
{
$MFAApps[$pos].OathTokenTimeDrift=$OathTokenTimeDrift
}
if($OathSecretKey)
{
$MFAApps[$pos].OathSecretKey=$OathSecretKey
}
if($PhoneAppVersion)
{
$MFAApps[$pos].PhoneAppVersion=$PhoneAppVersion
}
if($TimeInterval)
{
$MFAApps[$pos].TimeInterval=$TimeInterval
}
# Create the body
$body = '{ "strongAuthenticationDetail": {"phoneAppDetails": ['
# We need to reverse so that it doesn't look weird in audit log.
for($a=$MFAApps.count-1; $a -ge 0; $a--)
{
$app=$MFAApps[$a]
$body+="{"
$body += """authenticationType"": ""$($app.AuthenticationType)"","
$body += """deviceName"": ""$($app.DeviceName)"","
$body += """deviceTag"": ""$($app.DeviceTag)"","
$body += """deviceToken"": ""$($app.DeviceToken)"","
$body += """id"": ""$($app.Id)"","
$body += """notificationType"": ""$($app.NotificationType)"","
$body += """oathTokenTimeDrift"": $($app.OathTokenTimeDrift),"
if([string]::IsNullOrEmpty($app.OathSecretKey))
{
$body += """oathSecretKey"": null,"
}
else
{
$body += """oathSecretKey"": ""$($app.oathSecretKey)"","
}
$body += """phoneAppVersion"": ""$($app.PhoneAppVersion)"","
$body += """timeInterval"": $(if([string]::IsNullOrEmpty($app.TimeInterval)){'null'}else{$app.TimeInterval})"
$body += "},"
}
# Strip the last comma
$body=$body.Substring(0,$body.Length-1)
$body += "]}}";
# Set the user agent
$headers=@{
"User-Agent" = ""
}
try
{
# Set app details
$results=Call-GraphAPI -AccessToken $AccessToken -Command "users/$UserPrincipalName" -Method PATCH -Body $body -Headers $headers
}
catch
{
# Get the error
$err = $_.ErrorDetails.Message | ConvertFrom-Json
# Insufficient privileges etc.
if($err.'odata.error'.message.value)
{
Write-Error $err.'odata.error'.message.value
}
else # Other errors
{
$property = $err.'odata.error'.values[0].value
$error = $err.'odata.error'.values[1].value
Write-Error "$($property): $error"
}
}
}
}
# Mar 3rd 2020
# Deprecated old version
function Get-UserMFA2
{
<#
.SYNOPSIS
Gets user's MFA settings
.DESCRIPTION
Gets user's MFA settings using Provisioning API
.Parameter AccessToken
Access Token of the user accessing Azure Active Directory to find the given user to get the SID
.Parameter UserPrincipalName
User's principal name.
.Example
PS C:\>$at=Get-AADIntAccessTokenForAADGraph
PS C:\>Get-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com
UserPrincipalName : user@company.com
State : Enforced
PhoneNumber : +1 123456789
AlternativePhoneNumber : +358 123456789
Email : someone@hotmail.com
DefaultMethod : OneWaySMS
Pin :
OldPin :
StartTime :
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
$UserPrincipalName
)
Process
{
# Get the user
$user = Get-UserByUpn -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName
# Get user name from access token if empty
if([string]::IsNullOrEmpty($UserPrincipalName))
{
$UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
}
# Get the details and requirements
$details = $user.StrongAuthenticationUserDetails
$requirements = $user.StrongAuthenticationRequirements
$appDetails = $user.StrongAuthenticationPhoneAppDetails
# Construct the attributes hashtable
$attributes = [ordered]@{
"UserPrincipalName" = $UserPrincipalName
"State" = "Disabled"
"PhoneNumber" = $details.PhoneNumber
"AlternativePhoneNumber" = $details.AlternativePhoneNumber
"Email" = $details.Email
"DefaultMethod" =""
"Pin" = $details.Pin
"OldPin" = $details.OldPin
"StartTime" = $null
}
if(![string]::IsNullOrEmpty($requirements))
{
$attributes["State"]=$requirements.StrongAuthenticationRequirement.State
$attributes["StartTime"]=[DateTime]$requirements.StrongAuthenticationRequirement.RememberDevicesNotIssuedBefore
}
$count=0
foreach($app in $appDetails.StrongAuthenticationPhoneAppDetail)
{
$count++
#$app=$appDetails.StrongAuthenticationPhoneAppDetail
$attributes["App$count-AppAuthenticationType"]=$app.AuthenticationType
$attributes["App$count-AppDeviceId"]=$app.DeviceId
$attributes["App$count-AppDeviceName"]=$app.DeviceName
$attributes["App$count-AppDeviceTag"]=$app.DeviceTag
$attributes["App$count-AppDeviceToken"]=$app.DeviceToken
$attributes["App$count-AppId"]=$app.Id
$attributes["App$count-AppNotificationType"]=$app.NotificationType
$attributes["App$count-AppOathTokenTimeDrift"]=$app.OathTokenTimeDrift
$attributes["App$count-AppPhoneAppVersion"]=$app.PhoneAppVersion
$attributes["App$count-AppTimeInterval"]=$app.TimeInterval
}
# Get the default method
foreach($method in $user.StrongAuthenticationMethods.StrongAuthenticationMethod)
{
if($method.IsDefault.equals("true"))
{
$attributes["DefaultMethod"]=$method.Methodtype
}
}
# Return
New-Object PSObject -Property $attributes
}
}
# Jun 24th 2020
function Get-UserMFA
{
<#
.SYNOPSIS
Gets user's MFA settings
.DESCRIPTION
Gets user's MFA settings using Provisioning API
.Parameter AccessToken
Access Token of the user accessing Azure Active Directory to find the given user to get the SID
.Parameter UserPrincipalName
User's principal name.
.Example
PS C:\>$at=Get-AADIntAccessTokenForAADGraph
PS C:\>Get-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com
UserPrincipalName : user@company.com
State : Enforced
PhoneNumber : +1 123456789
AlternativePhoneNumber : +358 123456789
Email : someone@hotmail.com
DefaultMethod : OneWaySMS
Pin :
OldPin :
StartTime :
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
$UserPrincipalName
)
Process
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"
# Get user name from access token if empty
if([string]::IsNullOrEmpty($UserPrincipalName))
{
$UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
}
# Get the user information
$user=Call-GraphAPI -AccessToken $AccessToken -Command "users/$UserPrincipalName" -QueryString "`$select=strongAuthenticationDetail"
# Get the details and requirements
$details = $user.strongAuthenticationDetail.verificationDetail
$requirements = $user.strongAuthenticationDetail.Requirements
$appDetails = $user.strongAuthenticationDetail.PhoneAppDetails
# Construct the attributes hashtable
$attributes = [ordered]@{
"UserPrincipalName" = $UserPrincipalName
"State" = $null
"PhoneNumber" = $details.PhoneNumber
"AlternativePhoneNumber" = $details.AlternativePhoneNumber
"Email" = $details.Email
"DefaultMethod" =""
"Pin" = $details.Pin
"OldPin" = $details.OldPin
"StartTime" = $null
"RelyingParty" = $null
}
# Check if we got details. If so, default the State to Disabled
if($details)
{
$attributes["State"]="Disabled"
}
# Check if we got requirements and update.
if($requirements)
{
$attributes["State"]=$requirements.state
$attributes["StartTime"]=[DateTime]$requirements.rememberDevicesNotIssuedBefore
$attributes["RelyingParty"]=$requirements.relyingParty
}
$attributes["AppDetails"]=Parse-AuthApps -appDetails $appDetails
# Get the default method
foreach($method in $user.strongAuthenticationDetail.methods)
{
if($method.IsDefault -eq "True")
{
$attributes["DefaultMethod"]=$method.Methodtype
}
}
# Return
New-Object PSObject -Property $attributes
}
}
# Jun 30th 2020
function Get-UserMFAApps
{
<#
.SYNOPSIS
Gets user's MFA Authentication App settings
.DESCRIPTION
Gets user's MFA Authentication App settings using Azure AD Graph
.Parameter AccessToken
Access Token of the user accessing Azure Active Directory to find the given user to get the SID
.Parameter UserPrincipalName
User's principal name.
.Example
PS C:\>$at=Get-AADIntAccessTokenForAADGraph
PS C:\>Get-AADIntUserMFAApps -AccessToken $at -UserPrincipalName user@company.com
AuthenticationType : Notification, OTP
DeviceName : SM-R2D2
DeviceTag : SoftwareTokenActivated
DeviceToken : APA91...
Id : 454b8d53-d97e-4ead-a69c-724166394334
NotificationType : GCM
OathTokenTimeDrift : 0
OathSecretKey :
PhoneAppVersion : 6.2001.0140
TimeInterval :
LastAuthTime : 16/08/2020 10.12.17
AuthenticationType : OTP
DeviceName : NO_DEVICE
DeviceTag : SoftwareTokenActivated
DeviceToken : NO_DEVICE_TOKEN
Id : aba89d77-0a69-43fa-9e5d-6f41c7b9bb16
NotificationType : Invalid
OathTokenTimeDrift : 0
OathSecretKey :
PhoneAppVersion : NO_PHONE_APP_VERSION
TimeInterval :
LastAuthTime : 06/08/2019 11.07.05
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
$UserPrincipalName
)
Process
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"
# Get user name from access token if empty
if([string]::IsNullOrEmpty($UserPrincipalName))
{
$UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
}
# Get the user information
$MFAinfo=Get-UserMFA -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName
# Return
return $MFAinfo.AppDetails
}
}
# Generates a new One-Time-Password for MFA with the given secret
# Jun 26th 2020
function New-OTP
{
<#
.SYNOPSIS
Generates a one-time-password (OTP) using the given secret.
.DESCRIPTION
Generates a one-time-password (OTP) using the given secret. Can be used for MFA if the user's secret is known.
.Example
New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb"
OTP Valid
--- -----
502 109 26s
.Example
New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb" -Clipboard
OTP copied to clipboard, valid for 28s
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[String]$SecretKey,
[switch]$Clipboard
)
Process
{
# Strip the spaces
$SecretKey=$SecretKey.Replace(" ","")
# Get the current time in seconds from 1.1.1970
$now = [int]((Get-Date).ToUniversalTime() -$epoch).TotalSeconds
# Generate the OTP
$OTP = Generate-tOTP -SecretKey $SecretKey -Seconds $now -TimeShift -15
# Copy to clipboard
if($Clipboard)
{
"{0:000000}" -f $OTP | Set-Clipboard
Write-Host "OTP copied to clipboard, valid for $(30-($now % 30))s"
return
}
# Return
$otpFormatted = "{0:000 000}" -f $OTP
return New-Object psobject -Property ([ordered]@{"OTP" = $otpFormatted; "Valid" = "$(30-($now % 30))s"})
}
}
# Generates a new One-Time-Password secret
# Jun 27th 2020
function New-OTPSecret
{
<#
.SYNOPSIS
Generates a one-time-password (OTP) secret.
.DESCRIPTION
Generates a one-time-password (OTP) secret.
.Example
New-AADIntOTPSecret
njny7gdb6tnfihy3
.Example
New-AADIntOTPSecret -Clipboard
OTP secret copied to clipboard.
#>
[cmdletbinding()]
Param(
[switch]$Clipboard
)
Process
{
$RNG = [Security.Cryptography.RNGCryptoServiceProvider]::Create()
[Byte[]]$x=1
for($secret=''; $secret.length -lt 16)
{
$RNG.GetBytes($x);
if([char]$x[0] -clike '[2-7a-z]')
{
$secret+=[char]$x[0]
}
}
# Copy to clipboard
if($Clipboard)
{
$secret | Set-Clipboard
Write-Host "OTP secret copied to clipboard"
return
}
# Return
return $secret
}
}
# Registers an authenticator app
# Jul 1st 2020
function Register-MFAApp
{
<#
.SYNOPSIS
Registers AADInternals Authenticator App or OTP app for the user.
.DESCRIPTION
Registers AADInternals Authenticator App or OTP appfor the user.
Requirements for App:
* AADInternals Authentication app is installed.
* Device Token is copied from the app.
* The user have registered at least one MFA method, e.g. SMS. This is because Access Token creation performs MFA.
* Registration is done through https://mysignins.microsoft.com so "Users can use the combined security information registration experience" MUST be activated for the tenant.
.Example
$deviceToken = "APA91bEGIvk1CCg1VIj_YQ_L8fn59UD6...mvXYxlWM6s90_Ct_fpo7iE3uF8hTb"
PS C:\>Get-AADIntAccessTokenForMySignins -SaveToCache
Tenant User Resource Client
------ ---- -------- ------
9a79b12c-f563-4bdc-9d18-6e6d0d52f73b user@company.com 0000000c-0000-0000-c000-000000000000 19db86c3-b2b9-44cc-b339-36da233a3be2
PS C:\>Register-AADIntMFAApp -DeviceToken -$deviceToken -DeviceName "My MFA App" -Type APP
DefaultMethodOptions : 1
DefaultMethod : 0
Username : user@company.com
TenantId : 9a79b12c-f563-4bdc-9d18-6e6d0d52f73b
AzureObjectId : dce60ee2-d907-4478-9f36-de3d74708381
ConfirmationCode : 1481770594613653
OathTokenSecretKey : dzv5osvdx6dhtly4av2apcts32eqh4bg
OathTokenEnabled : true
.Example
PS C:\>Get-AADIntAccessTokenForMySignins -SaveToCache
Tenant User Resource Client
------ ---- -------- ------
9a79b12c-f563-4bdc-9d18-6e6d0d52f73b user@company.com 0000000c-0000-0000-c000-000000000000 19db86c3-b2b9-44cc-b339-36da233a3be2
PS C:\>Register-AADIntMFAApp -Type OTP
OathSecretKey DefaultMethodOptions DefaultMethod
------------- -------------------- -------------
5bhbqsrb6ft5rxdx 1 0
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[String]$AccessToken,
[Parameter(Mandatory=$False)]
[String]$DeviceToken,
[Parameter(Mandatory=$False)]
[String]$DeviceName="AADInternals",
[ValidateSet("APP","OTP")]
[String]$Type="APP"
)
Begin
{
# Define some variables
$PfPaWs = "PfPaWs.asmx"
$Version = "6.2001.0140" # Don't change this or Android version number. It should match the auth app version.
}
Process
{
try
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "0000000c-0000-0000-c000-000000000000" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"
}
catch
{
Throw "Access token not found! Call Get-AADIntAccessTokenForMySignins with SaveToCache switch."
}
# Check that DeviceCode exists for APP
if($Type -eq "APP" -and [string]::IsNullOrEmpty($DeviceToken))
{
Throw "Type APP requires DeviceToken"
}
# Phase 1: Get the registration info (url, activation code, session context)
$regInfo = Get-MFAAppRegistrationInfo -AccessToken $AccessToken -Type $Type
if(!$regInfo) {
Throw "Registration failed (phase 1)"
}
if($Type -eq "APP")
{
# Phase 2: Send a new activation request
$actInfo = Send-MFAAppNewActivation -AccessToken $AccessToken -RegistrationInfo $regInfo -DeviceToken $DeviceToken -DeviceName $DeviceName
if(!$actInfo) {
Throw "Registration failed (phase 2)"
}
# Phase 3: Send confirmation
$confResult = Send-MFAAppNewActivationConfirmation -AccessToken $AccessToken -ActivationInfo $actInfo -RegistrationInfo $regInfo
if(!$confResult) {
Throw "Registration failed (phase 3)"
}
}
else
{
$actInfo = New-Object psobject -Property @{ "OathSecretKey" = $regInfo.SecretKey}
}
# Phase 4: Add the device to the user
$verContext = Add-MFAAppAddDevice -AccessToken $AccessToken -RegistrationInfo $regInfo -Type $Type
if(!$verContext) {
Throw "Registration failed (phase 4)"
}
# Phase 5: Get data updates (not needed)
$updates = Verify-MFAAppAddDevice -AccessToken $AccessToken -RegistrationInfo $regInfo -VerificationContext $verContext -Type $Type
if(!$updates) {
Write-Warning "Couldn't get data updates."
}
# Insert data update info to return value
$actInfo | Add-Member -NotePropertyName "DefaultMethodOptions" -NotePropertyValue $updates.DefaultMethodOptions
$actInfo | Add-Member -NotePropertyName "DefaultMethod" -NotePropertyValue $updates.DefaultMethod
# Return
return $actInfo
}
}