
How can I scan websites integrated with Microsoft Authenticator for MFA?

This document is for:
Invicti Standard, Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Microsoft Authenticator MFA adds a second layer of security using push notifications, passcodes, or biometrics, via the Microsoft Authenticator app.

Automation of Microsoft Authenticator MFA in DAST Scanner

The use of multi-factor authentication (MFA), particularly with Microsoft Authenticator, significantly enhances identity security by introducing a second layer of verification beyond traditional credentials. However, this added protection presents a notable challenge for dynamic application security testing (DAST) tools and automated web testing frameworks. These tools are typically designed for unattended execution, where any form of manual interaction, such as approving a sign-in request, entering a number-matching value, or typing a time-based one-time password (TOTP), disrupts the automation workflow.

This document outlines technical research focused on identifying methods to automate or bypass MFA requirements enforced through Microsoft Authenticator, specifically in the context of DAST scanning. The goal is to enable full end-to-end automation for authenticated DAST scanning.

Auth Flow with Microsoft Authenticator MFA

  • User Login – The user enters their username and password in the application.
  • MFA Challenge – The application requests authentication from Microsoft Entra ID (formerly Azure AD).
  • Push Notification – Microsoft Authenticator sends a push notification to the user’s mobile device.
  • User Approval – The user opens the Microsoft Authenticator app and approves or denies the request.
  • Access Granted – If approved, the application grants access; if denied, authentication fails.

Automation of Microsoft Authenticator MFA in DAST Scanner

The requirement for user interaction with Microsoft Authenticator improves security but creates a challenge for automated web testing and scanning tools. The goal of such tools is to minimize or eliminate the need for manual user intervention. This research explores how to automate MFA handling in a DAST scanner and avoid manual approvals via the Microsoft Authenticator app.

MFA Automation via Microsoft Graph API

Microsoft does not provide an API to programmatically approve MFA push notifications. The Microsoft Graph API allows for initiating authentication requests and checking their status, but manual approval via the Authenticator app is always required for push-based MFA.

MFA Automation without Manual User Intervention

To authenticate without user intervention, the following options are available:

  • Temporary Access Pass (TAP): A one-time or reusable passcode generated via the Microsoft Graph API that allows login without requiring MFA.
  • Conditional Access Policies: Admin-configured policies that exempt specific users, devices, or trusted IPs (such as our cloud scanner) from MFA.
  • TOTP Authentication: Microsoft Authenticator supports time-based one-time passwords (TOTP), which can be used instead of push approvals for automated workflows.
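The TOTP option above works for unattended scanning because the code is a pure function of a shared secret and the current time (RFC 6238), so a scanner holding the secret can compute the same value the Authenticator app would show. The following Python block is an added example, not Invicti code and not Microsoft's implementation; it implements the standard algorithm (HMAC-SHA1, 30-second step, 6 digits, which is what Microsoft Authenticator uses for third-party TOTP accounts), decodes the base32 secret format that authenticator apps exchange via QR code, and includes the server-side verification with a clock-drift window so the check side of the protocol is visible as well. The secret and timestamps in the comments are the RFC 6238 test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = int(unix_time) // step
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (otpauth:// URIs).

    Accepts the spaced, lower-case, unpadded forms that users typically copy.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore stripped padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def current_totp(secret_b32: str) -> str:
    """What a scanner would submit at the MFA prompt right now."""
    return totp(decode_base32_secret(secret_b32), int(time.time()))


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"),
    # shown here in the base32 form an authenticator app would accept.
    demo_secret = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    print(totp(decode_base32_secret(demo_secret), 59))   # RFC vector: 287082
    print(current_totp(demo_secret))
```

The secret is the only credential involved, so it should be stored the same way the scanner stores the account password (in the scan's credential store, never in a scan log), and the drift window on the verifying side should stay small: every extra step widens the set of codes accepted at any instant.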

Reverse Engineering of Private APIs

No public or documented private API exists for programmatically approving Microsoft Authenticator MFA push requests. Microsoft does not provide an API endpoint to auto-approve authentication challenges, ensuring MFA approval remains a user-driven process.

Reverse engineering the Microsoft Authenticator app may be technically possible but presents several challenges, including certificate pinning, encrypted communications, and behavioral analysis mechanisms. The app employs TLS certificate pinning, which defeats MITM (Man-in-the-Middle) interception by rejecting any certificate that does not match the pinned one, even if it is otherwise trusted by the device. Additionally, Microsoft implements rate limits, device fingerprinting, and server-side validation, making unauthorized automation difficult. Even if a private API were discovered, its use in production environments is not recommended due to security, compliance, and reliability concerns.

Bypassing MFA for Limited Time (Temporary Access Pass)

Administrators can bypass MFA temporarily using Temporary Access Pass (TAP), which allows users to authenticate without MFA challenges. TAP codes can be generated via the Microsoft Entra Admin Panel or programmatically through the Microsoft Graph API, with expiration set to a single use or a defined duration.

AppSec engineers typically do not have permission to generate TAP codes unless explicitly granted administrative access. TAP generation is restricted to Microsoft Entra administrators and IAM teams to prevent unauthorized MFA circumvention. However, an AppSec engineer may request a TAP from an administrator for security testing or automation purposes.
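For the administrator who does hold the required role, the Microsoft Graph call that issues a TAP is small. The Python block below is an added example, not Invicti code; it assumes the caller already has a Graph access token carrying the UserAuthenticationMethod.ReadWrite.All permission (obtained through the organization's usual OAuth client, which is out of scope here) and uses only the standard library. The user principal name is a constructed placeholder. The lifetime bounds in the constants are the limits Entra applies to the TAP authentication-method policy, and the `redact_tap` helper exists because the Graph response contains the pass itself, which is a credential and must not land in scanner logs.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Lifetime bounds enforced by the Entra TAP authentication-method policy (minutes).
TAP_MIN_MINUTES = 10
TAP_MAX_MINUTES = 43200   # 30 days


def build_tap_request(user_principal_name: str, lifetime_minutes: int = 60,
                      is_usable_once: bool = True,
                      start: Optional[datetime] = None):
    """Return (url, body) for creating a temporaryAccessPassMethod on a user.

    Defaults to a single-use pass: for a scan account that is the least
    privilege that still lets the scanner complete one login.
    """
    if not TAP_MIN_MINUTES <= lifetime_minutes <= TAP_MAX_MINUTES:
        raise ValueError(
            f"lifetime must be {TAP_MIN_MINUTES}-{TAP_MAX_MINUTES} minutes")
    body = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": is_usable_once}
    if start is not None:
        # Graph expects ISO 8601 UTC; omit to start the pass immediately.
        body["startDateTime"] = start.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")
    url = (f"{GRAPH_BASE}/users/{user_principal_name}"
           "/authentication/temporaryAccessPassMethods")
    return url, body


def create_tap(access_token: str, user_principal_name: str, **kwargs) -> dict:
    """POST the request; returns the Graph response including the pass itself."""
    url, body = build_tap_request(user_principal_name, **kwargs)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def redact_tap(response: dict) -> dict:
    """Log-safe copy of the response: the temporaryAccessPass value is a credential."""
    safe = dict(response)
    if "temporaryAccessPass" in safe:
        safe["temporaryAccessPass"] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed placeholder account; no network call is made here.
    url, body = build_tap_request("dast-scanner@contoso.example",
                                  lifetime_minutes=30, is_usable_once=True)
    print(url)
    print(json.dumps(body))
```

The pass value is returned exactly once in the `temporaryAccessPass` field of the response; hand it to the scanner's credential configuration directly and log only the redacted copy.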

Bypassing MFA via Conditional Access Policies

Conditional Access Policies in Microsoft Entra ID allow MFA exemptions based on specific criteria such as trusted IP addresses, device compliance, user roles, or risk-based conditions. While AppSec engineers do not typically control these policies, they can request exceptions for security testing, automated scanning, or application assessments. The approval of such exceptions depends on Microsoft Entra administrators.
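The exception described above is two Graph objects: a trusted IP named location for the scanner's address range, and a Conditional Access policy that references it. The Python block below is an added example, not Invicti code or a Microsoft sample; it assumes the administrator makes the Graph calls themselves and only shows how to build the request bodies so they can be reviewed before being sent. The CIDR and account id are constructed placeholders. Two design choices reflect how an administrator limits the blast radius of such an exemption: the scanner account is excluded from the MFA policy by user, not by loosening the policy for everyone from that location, and a second policy blocks that account from anywhere outside the trusted range, so the exemption only ever applies to traffic from the scanner.

```python
import copy
import ipaddress
from typing import List

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
NAMED_LOCATIONS_URL = f"{GRAPH_BASE}/identity/conditionalAccess/namedLocations"
POLICIES_URL = f"{GRAPH_BASE}/identity/conditionalAccess/policies"


def build_trusted_location(display_name: str, cidrs: List[str]) -> dict:
    """ipNamedLocation body for POST /identity/conditionalAccess/namedLocations.

    strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24), which
    would otherwise silently widen or mis-specify the trusted range.
    """
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        odata = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                 else "#microsoft.graph.iPv6CidrRange")
        ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def exclude_user_from_policy(policy: dict, user_id: str) -> dict:
    """Return a copy of an existing MFA policy with `user_id` added to excludeUsers.

    Idempotent: adding the same account twice leaves one entry.
    """
    updated = copy.deepcopy(policy)
    users = updated.setdefault("conditions", {}).setdefault("users", {})
    excluded = users.setdefault("excludeUsers", [])
    if user_id not in excluded:
        excluded.append(user_id)
    return updated


def build_scanner_lockdown_policy(display_name: str, scanner_user_id: str,
                                  trusted_location_id: str) -> dict:
    """Compensating control: block the scanner account outside the trusted range.

    Created in report-only mode first so sign-in logs can be reviewed before
    enforcement; switch "state" to "enabled" after that review.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [scanner_user_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [trusted_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent to Graph here.
    loc = build_trusted_location("DAST scanner egress", ["203.0.113.0/28"])
    existing_mfa_policy = {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    print(exclude_user_from_policy(existing_mfa_policy, "<scanner-account-object-id>"))
    print(build_scanner_lockdown_policy("Scanner account: trusted IPs only",
                                        "<scanner-account-object-id>",
                                        "<named-location-id>"))
```

The named location must be created first because the policy body references its id; Graph returns that id in the POST response to `NAMED_LOCATIONS_URL`.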

Conclusion

Microsoft Authenticator MFA cannot be bypassed programmatically through API approvals, but alternative methods exist for automation. Organizations can:

  • Use Conditional Access Policies to exempt specific users, devices, or trusted IPs (such as the scanner’s cloud IP) from MFA.
  • Generate Temporary Access Pass (TAP) codes via the Microsoft Graph API for authentication without requiring MFA approval.
  • Use TOTP authentication instead of push approvals, allowing MFA to be automated within login workflows.

Given the complexities of handling MFA, the most practical solution for automated DAST scanning is to request an exception for our cloud scanner's IP via Conditional Access Policies on the customer's side, which removes the MFA prompt for the scanner's sign-ins. The use of TAP codes is also a viable option if the individual operating our DAST product can obtain TAP credentials from a Microsoft Entra administrator.

One option is to bypass MFA using Conditional Access Policies or TAP codes, while another approach is to use TOTP authentication, which is supported by Microsoft Authenticator. Unlike push notifications, TOTP authentication can be automated (OTP authentication is supported by Invicti products), making it a viable alternative for handling MFA programmatically in security testing.