Web app for registering user phone numbers for Multi-Factor Authentication in Azure Active Directory externally.
This app allows users to add a phone number for MFA without having to perform MFA first.
This app consists of a frontend application and REST API endpoints.
The frontend application, running in the user's browser, is written in JavaScript (ES6: ECMAScript 2015) using React.
The REST API endpoints are provided by a server-side application implemented in Ruby using Sinatra,
which calls the Microsoft Graph API to add or update a user's phone number.
Caution: You MUST protect this app with some user authentication by means other than Azure AD.
- Web browsers supporting ES6
- Ruby >= 2.7
- Node.js >= 14.0.0
Register an application in the Azure portal and grant it the UserAuthenticationMethod.ReadWrite.All permission,
so that the server-side application can access the Microsoft Graph API.
You need either a certificate assertion or a client secret as a credential for application authentication.
To compute a client assertion from a certificate, you can use the msidp-cert2assertion command in the msidp-endpoint gem.
See the Microsoft documents for details of application registration.
Ref:
- Quickstart: Register an application with the Microsoft identity platform
- Quickstart: Configure a client application to access a web API
- Check out this repository.

  ```
  git clone https://github.com/simayosi/aad-authphone-reg
  cd aad-authphone-reg
  ```

- Build the frontend application.

  ```
  cd app; yarn build
  ```

- Upload the files under `app/build` to your web server.
- Upload the files under `api` to your web server.
- Install the required ruby gems in the directory to which you copied `api` on your server.

  ```
  bundle install
  ```

- Configure your web server to route `/api` to port 9292.
- Start the server-side application as an HTTP server with the required environment variables.

  ```
  export MSGRAPH_TENANT=yourtenant.onmicrosoft.com      # tenant ID
  export MSGRAPH_CLIENT_ID=client_ID                    # assigned application (client) ID
  export MSGRAPH_CLIENT_ASSERTION=JWT_assertion_string  # in certificate assertion case
  export MSGRAPH_CLIENT_SECRET=client_secret            # in client secret case
  bundle exec rackup
  ```

- Start your web server.
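The following is an added example, not code from the aad-authphone-reg project, showing the two pieces the server-side application needs once the environment variables above are set: choosing between the certificate assertion and the client secret for the OAuth 2.0 client-credentials grant, and building the Microsoft Graph requests that add or update a user's MFA phone number (the Graph API call described at the top of this page). Only the environment variable names come from the setup steps; the function names are this example's own, and nothing here sends a request, so the returned request shapes can be inspected or handed to Net::HTTP.

```ruby
# Added example (not the project's code): credential selection and Graph request
# construction for the backend. Env var names are those from the setup steps.
require 'json'
require 'erb'

GRAPH = 'https://graph.microsoft.com/v1.0'.freeze
SCOPE = 'https://graph.microsoft.com/.default'.freeze
ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'.freeze

# Form parameters for POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
# Prefers the certificate assertion, falls back to the client secret, and refuses
# to run with neither so a misconfigured deployment fails closed instead of open.
def token_request(env = ENV)
  tenant = env.fetch('MSGRAPH_TENANT')
  params = {
    'grant_type' => 'client_credentials',
    'client_id'  => env.fetch('MSGRAPH_CLIENT_ID'),
    'scope'      => SCOPE
  }
  if (assertion = env['MSGRAPH_CLIENT_ASSERTION']) && !assertion.empty?
    params['client_assertion_type'] = ASSERTION_TYPE
    params['client_assertion'] = assertion
  elsif (secret = env['MSGRAPH_CLIENT_SECRET']) && !secret.empty?
    params['client_secret'] = secret
  else
    raise ArgumentError, 'set MSGRAPH_CLIENT_ASSERTION or MSGRAPH_CLIENT_SECRET'
  end
  { url: "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/token", form: params }
end

# Graph accepts phone numbers only as "+{country code} {number}" with an optional
# "x{extension}" and rejects anything else, so validate before calling it.
# This regex is the example's approximation of that documented format.
PHONE_RE = /\A\+\d{1,3} \d{4,14}(?:x\d{1,10})?\z/.freeze

def valid_phone?(number)
  PHONE_RE.match?(number.to_s)
end

def phone_methods_url(upn)
  "#{GRAPH}/users/#{ERB::Util.url_encode(upn)}/authentication/phoneMethods"
end

# GET the user's existing phone methods: tells the caller whether to add or
# update, and supplies the method id needed for an update.
def list_phone_methods_request(upn)
  { method: 'GET', url: phone_methods_url(upn) }
end

# POST creates a new phone method; PATCH on an existing method's id changes it.
def phone_method_request(upn, number, phone_type: 'mobile', existing_id: nil)
  raise ArgumentError, "phone number #{number.inspect} is not in '+CC NNN' format" unless valid_phone?(number)
  raise ArgumentError, "unknown phoneType #{phone_type}" unless %w[mobile alternateMobile office].include?(phone_type)
  body = JSON.generate('phoneNumber' => number, 'phoneType' => phone_type)
  if existing_id
    { method: 'PATCH', url: "#{phone_methods_url(upn)}/#{existing_id}", body: body }
  else
    { method: 'POST', url: phone_methods_url(upn), body: body }
  end
end
```

The token form carries the application credential, so it should never be logged; the phone validation runs before any Graph call so that a malformed number is reported to the user rather than surfacing as a Graph error.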
This sample is for test purposes only.
Create an `app_config.rb` file in the `api` directory on your server.

```ruby
# The authenticator block returns true, so any supplied credentials are accepted (test only).
app.use Rack::Auth::Basic do true end
```
Configure your nginx.

```nginx
http {
  server {
    ...
    location / {
      root /path/to/uploaded/build/directory;
      index index.html;
      auth_basic "Authentication required";
      auth_basic_user_file htpasswd;
    }
    ...
    location /api/ {
      proxy_pass http://localhost:9292/;
    }
  }
}
```
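In the sample above, nginx enforces `auth_basic` only on `location /`, and the `app_config.rb` authenticator block returns `true` for whatever credentials arrive, so outside of testing the API endpoints need a real check. The block below is an added example, not the project's code: a credential check for the `Rack::Auth::Basic` hook that verifies the user name and a PBKDF2 hash of the password in constant time, so neither value leaks through timing and both checks always run. The environment variable names (`AUTHPHONE_BASIC_USER`, `AUTHPHONE_BASIC_SALT`, `AUTHPHONE_BASIC_HASH`) and the hex encoding are this example's own choices; applying the same `auth_basic` directives to the `/api/` location is the equivalent fix on the nginx side.

```ruby
# Added example (not the project's code): a credential check for app_config.rb
# that replaces the "do true end" block. Env var names are assumptions.
require 'openssl'
require 'digest'
require 'securerandom'

module BasicCredentialCheck
  ITERATIONS = 210_000
  KEY_LEN    = 32
  DIGEST     = 'SHA256'

  # Hex PBKDF2-HMAC-SHA256 of the password; the salt is given as a hex string.
  def self.derive(password, salt_hex)
    OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, [salt_hex].pack('H*'), ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new(DIGEST)).unpack1('H*')
  end

  # Produce a fresh salt and hash for a password (run once; store the result in config).
  def self.enroll(password)
    salt_hex = SecureRandom.hex(16)
    { salt: salt_hex, hash: derive(password, salt_hex) }
  end

  # Constant-time equality: both sides are hashed to a fixed length first, so the
  # comparison never short-circuits on length or on the first differing byte.
  def self.secure_equal?(a, b)
    da = Digest::SHA256.digest(a.to_s)
    db = Digest::SHA256.digest(b.to_s)
    da.bytes.zip(db.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True only when both user name and password match; uses & (not &&) so the
  # password derivation runs even when the user name is wrong.
  def self.valid?(user, password, expected_user:, salt:, expected_hash:)
    user_ok = secure_equal?(user, expected_user)
    pass_ok = secure_equal?(derive(password, salt), expected_hash)
    user_ok & pass_ok
  end
end

# Wiring in api/app_config.rb (Rack ships with Sinatra, so Rack::Auth::Basic is available there):
#
#   app.use Rack::Auth::Basic, 'Authentication required' do |user, password|
#     BasicCredentialCheck.valid?(user, password,
#                                 expected_user: ENV.fetch('AUTHPHONE_BASIC_USER'),
#                                 salt:          ENV.fetch('AUTHPHONE_BASIC_SALT'),
#                                 expected_hash: ENV.fetch('AUTHPHONE_BASIC_HASH'))
#   end
```

Generate the stored values once with `BasicCredentialCheck.enroll('the password')` and put the returned salt and hash into the environment of the rackup process; the plaintext password is never stored on the server.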
See app/README.md and api/README.md.