Ad-Hoc Entra MFA using SMS

I am trying to input the SMS code into the script below & that is failing.

# Source : https://www.entraneer.com/blog/entra/authentication/transactional-mfa-entra-id
$secret = ""
$email = ""
$tenantId = ""
$clientId = "" # this is the same for everyone
Write-Host "Get MFA Client Access Token" -ForegroundColor Cyan
$body = @{
    'resource'      = 'https://adnotifications.windowsazure.com/StrongAuthenticationService.svc/Connector'
    'client_id'     = $clientId
    'client_secret' = $secret
    'grant_type'    = "client_credentials"
    'scope'         = "openid"
}

$mfaClientToken = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -Body $body
Write-Host "Done." -ForegroundColor Green

Write-Host "Send MFA challenge to the user" -ForegroundColor Green

$XML = @"
<BeginTwoWayAuthenticationRequest>
    <Version>1.0</Version>
    <UserPrincipalName>$email</UserPrincipalName>
    <Lcid>en-us</Lcid>
    <ContextId>bb07a24c-e5dc-4983-afe7-a0fcdc049cf7</ContextId>
    <SyncCall>true</SyncCall>
    <RequireUserMatch>true</RequireUserMatch>
    <CallerName>radius</CallerName>
    <CallerIP>UNKNOWN:</CallerIP>
    <PreferredAuthenticationMethod>TextMessage</PreferredAuthenticationMethod>
</BeginTwoWayAuthenticationRequest>
"@

# Bearer token from the client_credentials grant above; reused for every connector call
$headers = @{ "Authorization" = "Bearer $($mfaClientToken.access_token)" }
$mfaResult = Invoke-RestMethod -Uri 'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector///BeginTwoWayAuthentication' -Method POST -Headers $headers -Body $XML -ContentType 'application/xml'
Write-Host "Done."

$mfaChallengeMessage = $mfaResult.BeginTwoWayAuthenticationResponse.Result.Message
Write-Host $mfaChallengeMessage

if ($mfaResult.BeginTwoWayAuthenticationResponse.Result.Value -eq "Success") {
    Write-Host "OTP sent to your phone. Please enter the OTP:" -ForegroundColor Cyan
    $otpCode = Read-Host "Enter the OTP sent via SMS"

    $XML = @"
<ValidatePinRequest>
    <Version>1.0</Version>
    <ContextId>$($mfaResult.BeginTwoWayAuthenticationResponse.ContextId)</ContextId>
    <Pin>$otpCode</Pin>
</ValidatePinRequest>
"@

    # Submit the OTP against the same ContextId that BeginTwoWayAuthentication returned
    $mfaValidationResult = Invoke-RestMethod -Uri 'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector//ValidatePin' -Method POST -Headers $headers -Body $XML -ContentType 'application/xml'

    if ($mfaValidationResult.ValidatePinResponse.Result.Value -eq "Success") {
        Write-Host "User: `"$email`" successfully validated SMS OTP" -ForegroundColor Green
    }
    else {
        Write-Warning "Invalid OTP or validation failed"
    }
}
else {
    Write-Warning "MFA Request failed: $($mfaResult.BeginTwoWayAuthenticationResponse.Result.Message)"
}

Error

Get MFA Client Access Token
Done.
Send MFA challenge to the user
Done.

OTP sent to your phone. Please enter the OTP:
Enter the OTP sent via SMS: 696632
Invoke-RestMethod: C:\Git_Repo\MFA_Test\MFATestWIthKyle\sms.ps1:54:28
Line |
  54 |  … ionResult = Invoke-RestMethod -Uri 'https://strongauthenticationservi …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Service     Endpoint not found.
WARNING: Invalid OTP or validation failed

The line below is causing the issue.
$mfaValidationResult = Invoke-RestMethod -Uri 'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector//ValidatePin' -Method POST -Headers $Headers -Body $XML -ContentType 'application/xml'

I am getting the SMS on my phone and getting the error after the input. It is working fine with the Authenticator app by following that KB: Trigger Microsoft MFA for specific accounts using Powershell / Rest API | Entra ID (Azure AD)

The error would suggest that the URI is incorrect. Where did you find that?

I’m struggling to find documentation on this API, and I can’t find any examples that use ValidatePin.

What’s the use case for this? I can’t help but wonder if there’s a better way.

Thanks Matt for your response. Please have a look at that KB & the use-cases. The API info is present there.

I can’t find any reference to ValidatePin on that page, and didn’t spot it in the linked articles. Where are you finding that URI in the sample code?

That code is for the Authenticator App, which is working fine. I got that API from the same KB & I am trying to do it with SMS. I already shared the code.

You're not providing the information that I'm asking for. Where, exactly, did you get the URI you're using in your code:

'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector//ValidatePin'

This URI is causing the error Service Endpoint not found.

Which suggests to me that the endpoint ValidatePin is wrong because you’ve successfully used the rest of the URL when calling BeginTwoWayAuthentication earlier in the script.

I cannot find ValidatePin in the page you linked, or when clicking through the links to additional resources.
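As an added example (not code from the thread or from the linked KB), here is a wrapper for the connector calls that unpacks the HTML error page the service returns, so a wrong endpoint surfaces as "Service Endpoint not found" rather than the CSS dump shown in the original post. It assumes `$headers` and the request XML are built as in the script above; the function name and parameters are my own.

```powershell
# Added example, not from the thread: call a StrongAuthenticationService connector
# operation and turn an HTML error response into a readable failure message.
function Invoke-MfaConnector {
    param(
        [Parameter(Mandatory)][string]$Uri,          # full connector operation URI
        [Parameter(Mandatory)][string]$Body,         # request XML (heredoc from the script)
        [Parameter(Mandatory)][hashtable]$Headers    # @{ Authorization = "Bearer ..." }
    )
    try {
        return Invoke-RestMethod -Uri $Uri -Method Post -Headers $Headers -Body $Body -ContentType 'application/xml'
    }
    catch {
        # PowerShell 7 exposes the response body via ErrorDetails; Windows PowerShell 5.1
        # only has the raw response stream, so fall back to reading that.
        $raw = $_.ErrorDetails.Message
        if (-not $raw -and $_.Exception.Response -and $_.Exception.Response.PSObject.Methods['GetResponseStream']) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $raw = $reader.ReadToEnd()
        }
        # Drop <style>/<script> blocks (the CSS noise in the original error), then all other
        # tags, and collapse whitespace so only the service's text remains.
        $text = $raw -replace '(?is)<(style|script)[^>]*>.*?</\1>', ''
        $text = (($text -replace '<[^>]+>', ' ') -replace '\s+', ' ').Trim()
        $status = if ($_.Exception.Response) { $_.Exception.Response.StatusCode.value__ } else { 'n/a' }
        throw "Connector call to '$Uri' failed (HTTP $status): $text"
    }
}

# Usage, assuming $headers and $XML are set up as in the script above:
$base = 'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector'
$mfaResult = Invoke-MfaConnector -Uri "$base/BeginTwoWayAuthentication" -Body $XML -Headers $headers
if ($mfaResult.BeginTwoWayAuthenticationResponse.Result.Value -ne 'Success') {
    throw "MFA request failed: $($mfaResult.BeginTwoWayAuthenticationResponse.Result.Message)"
}
```

With this wrapper the failing second call stops with a one-line "Endpoint not found" message, which is the diagnostic the thread needed to reach.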

