Configure and test multifactor authentication (MFA) methods
All URIs are relative to
Method | HTTP request | Description |
Get-V2024MFADuoConfig | GET /mfa/duo-web/config | Configuration of Duo MFA method |
Get-V2024MFAKbaConfig | GET /mfa/kba/config | Configuration of KBA MFA method |
Get-V2024MFAOktaConfig | GET /mfa/okta-verify/config | Configuration of Okta MFA method |
Set-V2024MFADuoConfig | PUT /mfa/duo-web/config | Set Duo MFA configuration |
Set-V2024MFAKBAConfig | POST /mfa/kba/config/answers | Set MFA KBA configuration |
Set-V2024MFAOktaConfig | PUT /mfa/okta-verify/config | Set Okta MFA configuration |
Test-V2024MFAConfig | GET /mfa/{method}/test | MFA method's test configuration |
This API returns the configuration of an Duo MFA method.
Param Type | Name | Data Type | Required | Description |
Return type
Code | Description | Data Type |
200 | The configuration of an Duo MFA method. | MfaDuoConfig |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: Not defined
- Accept: application/json
# Configuration of Duo MFA method
try {
# Below is a request that includes all optional parameters
# Get-V2024MFADuoConfig
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024MFADuoConfig"
Write-Host $_.ErrorDetails
This API returns the KBA configuration for MFA.
Param Type | Name | Data Type | Required | Description |
Query | AllLanguages | Boolean | (optional) | Indicator whether the question text should be returned in all configured languages * If true, the question text is returned in all languages that it is configured in. * If false, the question text is returned in the user locale if available, else for the default locale. * If not passed, it behaves the same way as passing this parameter as false |
Return type
Code | Description | Data Type |
200 | The configuration for KBA MFA method. | KbaQuestion[] |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: Not defined
- Accept: application/json
$AllLanguages = $false # Boolean | Indicator whether the question text should be returned in all configured languages * If true, the question text is returned in all languages that it is configured in. * If false, the question text is returned in the user locale if available, else for the default locale. * If not passed, it behaves the same way as passing this parameter as false (optional)
# Configuration of KBA MFA method
try {
# Below is a request that includes all optional parameters
# Get-V2024MFAKbaConfig -V2024AllLanguages $AllLanguages
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024MFAKbaConfig"
Write-Host $_.ErrorDetails
This API returns the configuration of an Okta MFA method.
Param Type | Name | Data Type | Required | Description |
Return type
Code | Description | Data Type |
200 | The configuration of an Okta MFA method. | MfaOktaConfig |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: Not defined
- Accept: application/json
# Configuration of Okta MFA method
try {
# Below is a request that includes all optional parameters
# Get-V2024MFAOktaConfig
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024MFAOktaConfig"
Write-Host $_.ErrorDetails
This API sets the configuration of an Duo MFA method.
Param Type | Name | Data Type | Required | Description |
Body | MfaDuoConfig | MfaDuoConfig | True |
Return type
Code | Description | Data Type |
200 | MFA configuration of an Duo MFA method. | MfaDuoConfig |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: application/json
- Accept: application/json
$MfaDuoConfig = @"{
"accessKey" : "qw123Y3QlA5UqocYpdU3rEkzrK2D497y",
"host" : "",
"configProperties" : {
"skey" : "qwERttyZx1CdlQye2Vwtbsjr3HKddy4BAiCXjc5x",
"ikey" : "Q123WE45R6TY7890ZXCV"
"mfaMethod" : "duo-web",
"enabled" : true,
"identityAttribute" : "email"
# Set Duo MFA configuration
try {
$Result = ConvertFrom-JsonToMfaDuoConfig -Json $MfaDuoConfig
Set-V2024MFADuoConfig -V2024MfaDuoConfig $Result
# Below is a request that includes all optional parameters
# Set-V2024MFADuoConfig -V2024MfaDuoConfig $MfaDuoConfig
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Set-V2024MFADuoConfig"
Write-Host $_.ErrorDetails
This API sets answers to challenge questions. Any configured questions omitted from the request are removed from user KBA configuration.
Param Type | Name | Data Type | Required | Description |
Body | KbaAnswerRequestItem | []KbaAnswerRequestItem | True |
Return type
Code | Description | Data Type |
200 | The new KBA configuration for the user. | KbaAnswerResponseItem[] |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: application/json
- Accept: application/json
$KbaAnswerRequestItem = @"{
"answer" : "Your answer",
"id" : "c54fee53-2d63-4fc5-9259-3e93b9994135"
}"@ # KbaAnswerRequestItem[] |
# Set MFA KBA configuration
try {
$Result = ConvertFrom-JsonToKbaAnswerRequestItem -Json $KbaAnswerRequestItem
Set-V2024MFAKBAConfig -V2024KbaAnswerRequestItem $Result
# Below is a request that includes all optional parameters
# Set-V2024MFAKBAConfig -V2024KbaAnswerRequestItem $KbaAnswerRequestItem
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Set-V2024MFAKBAConfig"
Write-Host $_.ErrorDetails
This API sets the configuration of an Okta MFA method.
Param Type | Name | Data Type | Required | Description |
Body | MfaOktaConfig | MfaOktaConfig | True |
Return type
Code | Description | Data Type |
200 | MFA configuration of an Okta MFA method. | MfaOktaConfig |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: application/json
- Accept: application/json
$MfaOktaConfig = @"{
"accessKey" : "qw123Y3QlA5UqocYpdU3rEkzrK2D497y",
"host" : "",
"mfaMethod" : "okta-verify",
"enabled" : true,
"identityAttribute" : "email"
# Set Okta MFA configuration
try {
$Result = ConvertFrom-JsonToMfaOktaConfig -Json $MfaOktaConfig
Set-V2024MFAOktaConfig -V2024MfaOktaConfig $Result
# Below is a request that includes all optional parameters
# Set-V2024MFAOktaConfig -V2024MfaOktaConfig $MfaOktaConfig
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Set-V2024MFAOktaConfig"
Write-Host $_.ErrorDetails
This API validates that the configuration is valid and will properly authenticate with the MFA provider identified by the method path parameter.
Param Type | Name | Data Type | Required | Description |
Path | Method | String | True | The name of the MFA method. The currently supported method names are 'okta-verify' and 'duo-web'. |
Return type
Code | Description | Data Type |
200 | The result of configuration test for the MFA provider. | MfaConfigTestResponse |
400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
HTTP request headers
- Content-Type: Not defined
- Accept: application/json
$Method = "okta-verify" # String | The name of the MFA method. The currently supported method names are 'okta-verify' and 'duo-web'.
# MFA method's test configuration
try {
Test-V2024MFAConfig -V2024Method $Method
# Below is a request that includes all optional parameters
# Test-V2024MFAConfig -V2024Method $Method
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Test-V2024MFAConfig"
Write-Host $_.ErrorDetails