Implementing MFA for a Mobile Dashboard

Hello, I tried searching for some articles to get some ideas on feasibility, but did not find much, so I decided to just ask the question instead. Has anybody had any success building mobile-responsive dashboards in PSU that implement some sort of 2FA (specifically Microsoft OAuth)? I could think of a lot of use cases for a mobile dashboard, but it would obviously need to be locked down. If anybody has any examples I'd love to take a look.

Aside from configuring the OIDC connection, there isn't anything special you need to do in PSU to enable 2FA, since that flow is provided by the OIDC provider (like Azure AD). As long as 2FA is configured in your tenant, you'll have to go through the auth flow when accessing PSU. This also works for other providers like Okta.

More info about configuring OIDC connections with PSU: OpenID Connect - PowerShell Universal

Once you have the OIDC connection enabled, you can turn on Authentication for your dashboards and lock down who has access to them.

I just enabled OpenID Connect and noticed that the code in Authorization.ps1 file is not executing.

Is this by design?

Yeah. That’s by design. authentication.ps1 is only used for forms auth.

Ok. How would we lock down PSU to users in a specific Azure AD Group? Instead of all users in Azure AD

You would use the roles.ps1 to check their group membership. If they don’t fall into any of the built-in groups or have any access controls defined, they won’t be able to access the admin console.

Here’s an example: https://docs.powershelluniversal.com/config/security#example-group-membership-based-on-azure-active-directory


In the Azure Enterprise app related to the app registration, you need to go to Properties and select "User assignment required".
With this selected only users and groups assigned to the enterprise app or app registration can use it.

Then, under "Users and Groups", add the groups and users.

Back in the app registration, hit the Token Configuration tab, then add a groups claim. Select the options based on your needs (if you exclusively want to work with the groups assigned to the app, select "Groups assigned to the application").

You can validate by going to the Manifest tab and looking for "groupMembershipClaims": "ApplicationGroup".

You can now build roles using something like:

# roles.ps1 policy: PSU passes the signed-in ClaimsPrincipal as $User
param(
    $User
)

# Returns $true only when the OIDC token's "groups" claim contains this group's object ID
$User.HasClaim("groups", "f6e27845-9b23-4eg7-a0aa-restofID")
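The group-claim check from the replies above, as an added example that is not from the thread or from the PSU project. It assumes, as the PSU docs describe, that a role policy receives a System.Security.Claims.ClaimsPrincipal as $User; the group object IDs, the user name and the Test-AllowedGroup helper are constructed placeholders, and the New-PSURole call at the end is shown only in a comment so the block runs outside PSU.

```powershell
# Reusable role check: allow only members of an explicit allowlist of Azure AD group IDs.
function Test-AllowedGroup {
    param(
        [Parameter(Mandatory)]
        [System.Security.Claims.ClaimsPrincipal]$User,
        [Parameter(Mandatory)]
        [string[]]$AllowedGroupIds
    )

    # Fail closed: a token with no "groups" claim at all grants nothing. Besides a
    # misconfigured groups claim, this also happens on Azure AD's groups overage
    # (more than 200 groups in a JWT), where the claim is replaced by
    # "_claim_names"/"_claim_sources" and the real membership is not in the token.
    $groups = @($User.FindAll('groups') | ForEach-Object { $_.Value })
    if ($groups.Count -eq 0) { return $false }

    foreach ($id in $AllowedGroupIds) {
        if ($groups -contains $id) { return $true }
    }
    return $false
}

# --- Local check with a constructed principal standing in for the OIDC-authenticated $User ---
$allowedGroup = '11111111-1111-1111-1111-111111111111'   # placeholder group object ID
$otherGroup   = '22222222-2222-2222-2222-222222222222'   # placeholder group object ID

$claims = @(
    [System.Security.Claims.Claim]::new('name',   'alice@contoso.example'),  # constructed
    [System.Security.Claims.Claim]::new('groups', $allowedGroup)
)
$identity  = [System.Security.Claims.ClaimsIdentity]::new($claims, 'oidc')
$principal = [System.Security.Claims.ClaimsPrincipal]::new($identity)

Test-AllowedGroup -User $principal -AllowedGroupIds @($allowedGroup)   # $true
Test-AllowedGroup -User $principal -AllowedGroupIds @($otherGroup)     # $false

# Principal whose token carries no groups claim (e.g. overage): denied, not silently allowed.
$noGroups = [System.Security.Claims.ClaimsPrincipal]::new(
    [System.Security.Claims.ClaimsIdentity]::new(@($claims[0]), 'oidc'))
Test-AllowedGroup -User $noGroups -AllowedGroupIds @($allowedGroup)    # $false

# In roles.ps1 the same check would be wired into a role policy, for example:
# New-PSURole -Name 'DashboardUsers' -Policy {
#     param($User)
#     Test-AllowedGroup -User $User -AllowedGroupIds @('<group object ID from your tenant>')
# }
```

Keeping the allowlist to object IDs rather than display names matters because group names can be renamed or duplicated, while the object ID is what the token actually carries; the empty-claim branch is the part most worth keeping, since a dashboard that treats "no groups claim" as "no restriction" is exactly the failure mode the "User assignment required" step is meant to prevent.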