Azure Active Directory MFA (Mobile Text) End To End😎

This article covers the end-to-end scenario for Azure Active Directory MFA (mobile text). The major steps are: configure MFA for mobile text, assign MFA to an AAD user, create an application that uses this MFA, enter the prompted mobile text code during login, and verify the claims received after a successful login.

This article focuses on the real-world use of AAD MFA in an application rather than on explaining what MFA is in the Azure AD world. If you need background on AAD MFA, read up on it first and then proceed with this article; there are many articles here explaining AAD MFA. So, let us directly proceed to configuring AAD MFA.

Create Azure Active Directory and Users

We should have an Active Directory in Azure (AAD). You can click the "Create a resource" link and then create an Active Directory inside your Azure account. I have an existing AAD with the name "jaishmathews" and domain "". You can also include your branding logo during AAD creation; I opted for a small logo for the login page. Please see the image below.
We need a user that we will target with AAD MFA. I created a user "" inside my AAD. I assigned this user the "Global Administrator" role so that I would not face any permission issues for this article's POC. See the images below.
Now create a temporary password for this user through the user profile settings, as shown in the image below.

Configure Azure Active Directory MFA

You can locate the MFA configuration menu in the image below, where you can also see the new user we added. You need to click the "Multi-factor Authentication" button. A separate window/tab opens, as the images below show, and there you need to select the user for whom MFA should be enabled. You can see in the images below that I selected the user we just created and set the MFA status for this user to "Enforced". You can close this window/tab now. Once you open your AAD section, there is an MFA tab for any additional configuration. Please refer to the images below for the values I chose. The phone number I entered there is not valid, and as per the documentation that field only accepts US phone numbers; during application login, however, the system will prompt for the region and phone number to be used.
Now an important configuration is under the "Additional cloud-based MFA settings" link in the MFA section, which is where you choose which kind of MFA you need. I opted for a mobile text message. Please refer to the images below.

Register POC Application in AAD

We should register the application in AAD before integrating it with AAD. After registration, your application gets a unique ID in Azure by which it is recognized. There is a menu for App registration under AAD. I created a registration named "jaishapp" and received an application ID/client ID, which will be used in my POC application. Please notice that for "Redirect URIs" I gave my POC home address, i.e. https://localhost:44388.
Then I assigned our new user as an owner of this app. Refer to the images below.

Write a Client Application for AAD MFA

I have an ASP.NET MVC application that communicates with the AAD mentioned above, and through AAD it performs MFA. The configuration values to focus on in my application are shown below: ClientId is the App registration ID I received, and RedirectUrl must be the same value used during App registration.
I used the OWIN libraries for AAD communication and to receive claims. Below is the view code that loops through the claim details and displays them. We have the [Authorize] attribute on each controller class to make sure that every access attempt goes through our authentication mechanism.
<table class="table table-striped table-bordered table-hover table-condensed">
   @* User.Identity is the ClaimsIdentity populated by the OWIN cookie middleware after AAD sign-in *@
   @foreach (var claim in ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims)
   {
      <tr><td>@claim.Type</td><td>@claim.Value</td></tr>
   }
</table>
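The OWIN wiring behind the configuration values above, written here as an added example rather than the article's uploaded source: it reads ClientId and RedirectUrl from appSettings (plus an assumed "Tenant" key for the AAD domain) and, before issuing the session cookie, checks that the token's "amr" claim records an MFA step. The "/Home/MfaRequired" route and the JaishApp namespace are assumptions.

```csharp
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
namespace JaishApp
{
    public class Startup
    {
        // Read from Web.config appSettings. ClientId and RedirectUrl are the keys the article names;
        // "Tenant" is an assumed extra key holding the AAD domain (e.g. "<tenant>.onmicrosoft.com").
        private static readonly string ClientId = ConfigurationManager.AppSettings["ClientId"];
        private static readonly string RedirectUrl = ConfigurationManager.AppSettings["RedirectUrl"];
        private static readonly string Authority =
            "https://login.microsoftonline.com/" + ConfigurationManager.AppSettings["Tenant"];
        // The JWT handler may map the short "amr" claim name to this URI; accept either form.
        private const string AmrUri = "http://schemas.microsoft.com/claims/authnmethodsreferences";
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUrl,            // must equal the Redirect URI registered in AAD
                PostLogoutRedirectUri = RedirectUrl,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Runs after the middleware has checked signature, issuer, audience and lifetime.
                    // Accept the sign-in only if the token records an MFA step ("amr" contains "mfa").
                    SecurityTokenValidated = ctx =>
                    {
                        var methods = ctx.AuthenticationTicket.Identity
                            .FindAll(c => c.Type == "amr" || c.Type == AmrUri)
                            .Select(c => c.Value);
                        if (!methods.Contains("mfa"))
                        {
                            ctx.HandleResponse();               // stop the sign-in; no cookie is issued
                            ctx.Response.Redirect("/Home/MfaRequired");
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

With MFA set to "Enforced" for the user, the claims table on the view shows the "amr" claim holding both "pwd" and "mfa"; for a user without MFA the check above refuses the sign-in instead of silently accepting a password-only token.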
Let's run our application and see that the login page, with the selected logo on it, appears. It then asks for more information and routes to a page where you choose your region and phone number. I entered an Indian mobile number.
I received a text message on my mobile from Microsoft and entered that code on the prompted MFA page. Please refer to the images below.
As the user is logging in for the very first time, a prompt appears to reset your password. After this update, you are redirected to your home page.
Let's verify the claim details by clicking "See Your Claim".
If the same user logs out and tries to log in again, the steps are minimal. You get the window below with an alert that the text message for MFA verification has been sent.
The source code for the client application has been uploaded without any configuration keys in it, so it will not run as-is, but you can use the code as a reference, and once you have created your own configuration keys you can run it directly and see the results. As a follow-up, you should try the other MFA types too, including mobile calling and mobile application codes. I hope this article helps you get to that point.