Challenge User Identity

Overview

Pia's Challenge User Identity automation and extension automation allow your Service Desk Engineer to authenticate a user before proceeding with their requests. Both the built-in automation and the extension automation support Microsoft Multi-Factor Authentication (MFA) as one of the three methods for secure user verification. The other options are SMS and Email.

This document details how to configure the Microsoft MFA so that it can be used for user identification during automation execution.

Info

Pia also offers Challenge User Identity via Duo automation, which you can learn more about by clicking here.

Configuring Microsoft MFA Integration

The first step for the Microsoft MFA configuration is to set up a custom integration for Microsoft MFA in the Integration screen of the Partner Portal.

Follow the steps below to create a custom integration for Microsoft MFA:

Step 1: Go to the Integrations screen and click on 'Custom Integration'.

Step 2: Add the following values into the fields:

Tell us about your integration

  • Name: Set a meaningful name such as 'Microsoft MFA'
  • Category: Documentation

How should Pia talk to the App / System?

  • Protocol: Store Secrets For My Custom Automation
  • Integration Fields:
    • Type: Password
    • Name: AppSecret

Integration Variables

  • Toggle ON 'Enable client configuration mode'
  • Toggle ON 'Enable integration variables to use them in your own custom automations'
  • Integration Variable Prefix: microsoft_mfa

Step 3: Once done, Save your settings.

Confirm Delegated Accounts on the Client

The second step for the Microsoft MFA configuration is to ensure Pia can generate Application Secret (AppSecret) values for each client when the automation is running.

In order for Pia to be able to generate the Application Secret, follow the steps below:

Step 1: Go to the Clients screen and select the client you wish to run the automation for

Step 2: In the Microsoft Graph API widget, click on the 'Delegate' button

Step 3: Confirm if the client has 'Azure user_impersonation' permission assigned to them

Step 4: If not, click on 'New Consent'

Step 5: Enable the 'Azure user_impersonation' scope and click 'Authorize'

Important

The account that you are using requires the Azure “Application Administrator” role to be able to generate the Application Secret.

Once done, you will be able to find the Microsoft MFA option during the execution of the Challenge User Identity automation and extension automation.