Query database for MFA status?

Participant II
Posts: 2
Registered: ‎01-26-2017
#1 of 4 346

Query database for MFA status?

Is it possible to query the database for MFA status?

 

For example, as an institution of higher education, when we initially set up new students, we give them a grace period in which to set up their second factor.  I have created a PowerShell script that sends them an automatic email as soon as their O365 email account is created, and it outlines what they need to set up, and when the grace period expires.

 

It would help our department (and the phone call volume) if we could somehow query the database to see if their 2nd factor has been enabled (I believe it is a boolean value in the database if security question and/or mobile number has been configured).

It would be great if I could create a PS script that would query that for new users, and if the value is "false" and they have not set it up, to send them a system generated email to remind them to set it up.

 

Any ideas??

Centrify Guru I
Posts: 2,433
Registered: ‎07-26-2012
#2 of 4 335

Re: Query database for MFA status?

@DavidGreer,

 

Welcome to the Centrify forums.

 

I think this is an excellent question.   The answer varies depending on the MFA mechanisms enabled, but let's take it one by one.

 

You should not have to query for:

  • E-mail (step-up): this is because all you need is to make sure the user has a valid email address and the user can leverage this mechanism in the context of the authentication profile.
  • Mobile Authenticator: this requires an enrolled device.  You can query from the device table.
  • 3rd Party RADIUS: this is highly dependent on another system since we only act as a RADIUS client.

 

Others:

  • OATH OTP: We provide an "Oath Tokens" centralized facility under Settings > Authentication.
  • Security Question: We provide a report under Core Services > Reports > Security; the name is "User's security question state". You can leverage the query definition for your script.
    [Screenshot: sc-query.png]

 

I hope this is a good starting point.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 2
Registered: ‎01-26-2017
#3 of 4 328

Re: Query database for MFA status?

Hi R.P.,

Thanks for the excellent breakdown on those.

Currently, we require either A) security question, or B) SMS/Phone Call, after their grace period expires, or they are denied access.

 

I guess more importantly, is it possible to connect to that database through outside sources, such as PowerShell?

If I could somehow connect, then I can automate and run the queries through PS, but I didn't know if there was a way to connect to the database for queries.

 

Centrify Guru I
Posts: 2,433
Registered: ‎07-26-2012
#4 of 4 308

Re: Query database for MFA status?

@DavidGreer,

 

That's absolutely possible!

We even provide PowerShell samples for different operations.  Here:

 

https://github.com/centrify/centrify-samples-powershell

 

Let's say you wanted to leverage the query I pasted above to use it to determine if a user has set up a security question (or questions).  What you need to do is:

 

  1. Connect to the platform (e.g., interactively)
  2. Make the query outlined there (and pass the user as a parameter)
  3. Review the results.

 

We've covered the basics in some articles (some of them outdated). 

https://community.centrify.com/t5/TechBlog/Howto-Using-the-PowerShell-Samples-for-Centrify-Infrastru...

 

Let us know if this makes sense.

 

R.P

 

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
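
The query-and-review steps from the reply above, as an added PowerShell example (not from the thread or from the centrify-samples-powershell repository). It assumes a bearer token obtained separately, the platform's `/RedRock/query` REST endpoint and response shape, and hypothetical column names `Username` and `Configured`; the real query text and column names come from the report definition.

```powershell
# Added example. Assumptions: /RedRock/query endpoint and response shape,
# a token obtained elsewhere, and the column names used below.
function Invoke-PlatformQuery {
    param(
        [Parameter(Mandatory)] [string] $Endpoint,     # tenant URL (placeholder)
        [Parameter(Mandatory)] [string] $BearerToken,  # never hard-code; pass at run time
        [Parameter(Mandatory)] [string] $Script        # query text copied from the report definition
    )
    $headers = @{
        'Authorization'            = "Bearer $BearerToken"
        'X-CENTRIFY-NATIVE-CLIENT' = 'true'
    }
    $body = @{ Script = $Script } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$Endpoint/RedRock/query" `
                -Headers $headers -ContentType 'application/json' -Body $body
    if (-not $resp.success) { throw "Query failed: $($resp.Message)" }
    # Assumed shape: each result entry carries its column values under .Row
    $resp.Result.Results | ForEach-Object { $_.Row }
}

function Select-UnenrolledUser {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $UserColumn  = 'Username',    # hypothetical column name
        [string] $StateColumn = 'Configured'   # hypothetical column name
    )
    foreach ($row in $Rows) {
        # Anything that is not an explicit "True" (null, empty, "False")
        # counts as not set up, so a missing value still gets a reminder.
        $configured = $false
        [void][bool]::TryParse("$($row.$StateColumn)", [ref]$configured)
        if (-not $configured) { $row.$UserColumn }
    }
}

# Constructed sample rows standing in for a query result, so this runs offline.
$sample = @(
    [pscustomobject]@{ Username = 'student1@example.edu'; Configured = $true  }
    [pscustomobject]@{ Username = 'student2@example.edu'; Configured = $false }
    [pscustomobject]@{ Username = 'student3@example.edu'; Configured = $null  }
)
Select-UnenrolledUser -Rows $sample

# Live use, once a token and the report's query text are available:
# $rows = Invoke-PlatformQuery -Endpoint $url -BearerToken $token -Script $reportQuery
# Select-UnenrolledUser -Rows $rows | ForEach-Object { <# send the reminder email #> }
```

Run the scheduled job under an account limited to read-only report access, and keep the token out of the script file and its logs.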