Public/Invoke-MoDMfa.ps1

function Invoke-MoDMfa {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [ValidateSet("EntraId", "AuthPoint")]
        [string] $Provider = "EntraId",
        [Parameter(Mandatory = $true)]
        [string] $TenantId,
        [Parameter(Mandatory = $false, ValueFromPipeline=$true)]
        [PSObject] $Credential,
        [Parameter(Mandatory = $true)]
        [string] $User,
        [Parameter(Mandatory = $false)]
        [ValidateSet("Push","OTP")]
        [string] $Mode = "OTP",
        [Parameter(Mandatory = $false)]
        [string] $Otp,
        [Parameter(Mandatory = $false)]
        [PSObject] $ProviderArgs
    )
    Process {
        try {
            $now = (Get-Date).ToUniversalTime()
            switch ($Provider) {
                "EntraId" {
                    if (-not $script:ModuleSessionData.EntraIdSessions[$TenantId] -or $script:ModuleSessionData.EntraIdSessions[$TenantId].ExpiresAt -lt $now) {
                        if (-not $Credential) {
                            Write-Warning "No active session found, use -Credential [?|X509Certificate|X509Certificate.Thumbprint|SecureString]"
                            return
                        }
                        $auth = Get-EntraMfaAuthToken -TenantId $TenantId -Credential $Credential
                        $script:ModuleSessionData.EntraIdSessions[$TenantId] = @{
                            Token     = $auth.access_token
                            ExpiresAt = $now.AddSeconds($auth.expires_in)
                        }
                    }
                    if ($Mode -eq "OTP") {
                        $mfaResult = Invoke-EntraMfa -TenantId $TenantId -User $User -Mode OTP
                    }
                    else {
                        $mfaResult = Invoke-EntraMfa -TenantId $TenantId -User $User -Mode Push
                    }
                    if ($mfaResult.Result -eq "OK") {
                        Write-Output "Success"
                    }
                    elseif ($mfaResult.Result -eq "KO"){
                        Write-Error "Failure"
                    }
                    elseif ($mfaResult.Result -eq "CHALLENGE") {
                        $Otp = Test-Otp -Otp $Otp
                        $challengeData = $mfaResult
                        Add-Member -InputObject $challengeData -NotePropertyName "OTP" -NotePropertyValue $Otp
                        $mfaChallenge = Invoke-EntraMfa -TenantId $TenantId -User $User -Mode Challenge -Challenge $challengeData
                        if ($mfaChallenge.Result -eq "OK") {
                            Write-Output "Success"
                        }
                        elseif ($mfaChallenge.Result -eq "KO"){
                            Write-Error "Failure"
                        }
                    }
                }
                "AuthPoint" {
                    if (-not $script:ModuleSessionData.AuthPointSessions[$TenantId] -or $script:ModuleSessionData.AuthPointSessions[$TenantId].ExpiresAt -lt $now) {
                        if (-not $Credential) {
                            Write-Warning "No active session found, use the -Credential parameter with a PSCredential object where user is <AuthPoint_rw_access_ID> and password is <AuthPoint_rw_password>."
                            return
                        }
                        $accountId, $resourceId = $TenantId -split ":"
                        if (-not $accountId -or -not $resourceId) {
                            Write-Warning "TenantId format must be <AccountId>:<ResourceId>"
                            return
                        }
                        if (-not $ProviderArgs -or -not $ProviderArgs.Region -or -not $ProviderArgs.ApiKey) {
                            Write-Warning "One or more required properties (Region, ApiKey) on the ProviderArgs object are missing or empty."
                            return
                        }
                        if ($ProviderArgs.Region.Length -ne 3) {
                            Write-Warning "Region format must be xxx where xxx is among AuthPoint region (deu, usa, ...)"
                            return
                        }
                        $auth = Get-AuthPointMfaAuthToken -Credential $Credential -Region $ProviderArgs.Region
                        $script:ModuleSessionData.AuthPointSessions[$TenantId] = @{
                            Token     = $auth.access_token
                            ExpiresAt = $now.AddSeconds($auth.expires_in)
                            ProviderData = @{
                                Region = $ProviderArgs.Region
                                ApiKey = $ProviderArgs.ApiKey
                                AccountId = $accountId
                                ResourceId = $resourceId
                            }
                        }
                    }
                    if ($Mode -eq "OTP") {
                        $Otp = Test-Otp -Otp $Otp
                        $mfaResult = Invoke-AuthPointMfa -TenantId $TenantId -User $User -Mode OTP -OTP $Otp
                    }
                    else {
                        $mfaResult = Invoke-AuthPointMfa -TenantId $TenantId -User $User -Mode Push
                    }
                    if ($mfaResult.Result -eq "OK") {
                        Write-Output "Success"
                    }
                    elseif ($mfaResult.Result -eq "KO"){
                        Write-Error "Failure"
                    }
                }
            }
            return
        }
        catch {
            Write-Error $_.Exception.Message
            return
        }
    }
}