Query database for MFA status?
01-17-2019 07:05 PM
Is it possible to query the database for MFA status?
For example, as an institution of higher education, when we initially set up new students, we give them a grace period in which to set up their second factor. I have created a PowerShell script that sends them an automatic email as soon as their O365 email account is created, and it outlines what they need to set up, and when the grace period expires.
It would help our department (and the phone call volume) if we could somehow query the database to see if their 2nd factor has been enabled (I believe it is a boolean value in the database if security question and/or mobile number has been configured).
It would be great if I could create a PS script that would query that for new users, and if the value is "false" and they have not set it up, to send them a system generated email to remind them to set it up.
01-18-2019 05:42 AM
Welcome to the Centrify forums.
I think this is an excellent question. The answer varies depending on the MFA mechanisms enabled, but let's take it one by one.
You should not have to query for:
- E-mail (step-up): this is because all you need is to make sure the user has a valid email address, and the user can leverage this mechanism in the context of the authentication profile.
- Mobile Authenticator: this requires an enrolled device. You can query from the device table.
- 3rd Party RADIUS: this is highly dependent on another system since we only act as a RADIUS client.
- OATH OTP: We provide an "Oath Tokens" centralized facility under Settings > Authentication.
- Security Question: We provide a report under Core Services > Reports > Security; the name is User's security question state. You can leverage the query definition for your script.
I hope this is a good starting point.
01-18-2019 06:57 AM
Thanks for the excellent breakdown on those.
Currently, we require either A) security question, or B) SMS/Phone Call, after their grace period expires, or they are denied access.
I guess more importantly, is it possible to connect to that database through outside sources, such as PowerShell?
If I could somehow connect, then I can automate and run the queries through PS, but I didn't know if there was a way to connect to the database for queries.
01-18-2019 11:29 AM
That's absolutely possible!
We even provide PowerShell samples for different operations. Here:
Let's say you wanted to leverage the query I pasted above to use it to determine if a user has set up a security question (or questions). What you need to do is:
- Connect to the platform (e.g. interactively)
- Make the query outlined there (and pass the user as a parameter)
- Review the results.
We've covered the basics in some articles (some of them outdated).
Let us know if this makes sense.
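One way to script the three steps in the reply above (connect, run the query with the user as a parameter, review the results), as an added PowerShell example that is not from this thread or from Centrify's own samples. The tenant URL, token, query endpoint path, response shape and column names are assumptions or placeholders, because the report's query definition is not reproduced in the thread; the decision logic is kept separate from the network call so it can be checked offline against constructed rows.

```powershell
# Added example; not Centrify sample code.
# ASSUMPTIONS (verify against the vendor's PowerShell samples and the report's query definition):
#  - $TenantUrl and $Token are placeholders; obtain the token with the vendor's interactive login sample.
#  - The endpoint path (/Redrock/query), request body ({Script, Args}) and response shape
#    (Result.Results[].Row) are assumed.
#  - Column names (Username, Email, CreatedDate, HasSecurityQuestion, MobileNumber) are constructed;
#    take the real ones from the "User's security question state" report definition.

$TenantUrl = 'https://<tenant>.my.centrify.com'   # placeholder
$Token     = $env:CENTRIFY_TOKEN                   # placeholder, set out of band
$GraceDays = 14

function Invoke-PlatformQuery {
    param([string]$Script, [hashtable]$QueryArgs = @{})
    $body = @{ Script = $Script; Args = $QueryArgs } | ConvertTo-Json -Depth 5
    $resp = Invoke-RestMethod -Method Post -Uri "$TenantUrl/Redrock/query" `
        -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' -Body $body
    if (-not $resp.success) { throw "Query failed: $($resp.Message)" }
    return $resp.Result.Results | ForEach-Object { $_.Row }   # unwrap rows (assumed shape)
}

# Pure decision logic: remind users who still have no second factor and whose grace
# period has not yet expired (after expiry the account is denied, per the thread).
function Get-UsersNeedingReminder {
    param([object[]]$Rows, [datetime]$Now, [int]$GraceDays)
    foreach ($r in $Rows) {
        $deadline  = ([datetime]$r.CreatedDate).AddDays($GraceDays)
        $hasFactor = ([bool]$r.HasSecurityQuestion) -or (-not [string]::IsNullOrEmpty($r.MobileNumber))
        if (-not $hasFactor -and $Now -lt $deadline) {
            [pscustomobject]@{ Username = $r.Username; Email = $r.Email; Deadline = $deadline
                               DaysLeft = [int]($deadline - $Now).TotalDays }
        }
    }
}

# Constructed sample rows standing in for query output, so the logic runs offline.
$sample = @(
    [pscustomobject]@{ Username='alice'; Email='alice@example.edu'; CreatedDate='2019-01-10'; HasSecurityQuestion=$false; MobileNumber='' },
    [pscustomobject]@{ Username='bob';   Email='bob@example.edu';   CreatedDate='2019-01-10'; HasSecurityQuestion=$true;  MobileNumber='' },
    [pscustomobject]@{ Username='carol'; Email='carol@example.edu'; CreatedDate='2018-12-01'; HasSecurityQuestion=$false; MobileNumber='' }
)
# Only alice is listed: bob has a factor, carol's grace period has already expired.
Get-UsersNeedingReminder -Rows $sample -Now ([datetime]'2019-01-18') -GraceDays $GraceDays | Format-Table

# Live run (placeholder query text; substitute the report's query definition):
# $rows = Invoke-PlatformQuery -Script '<query from report definition, parameterised by user>' -QueryArgs @{ user = 'alice' }
# Get-UsersNeedingReminder -Rows $rows -Now (Get-Date) -GraceDays $GraceDays |
#     ForEach-Object { Send-MailMessage -To $_.Email -Subject "MFA setup reminder" -Body "..." -From 'it@example.edu' -SmtpServer 'smtp.example.edu' }
```

Send-MailMessage is shown only to close the loop the original poster described; the query text itself must come from the report definition mentioned in the first reply.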