
Unable to MFA on aws-azure-login using MS Authenticator app #296

Open
clouduser27 opened this issue Jul 18, 2023 · 8 comments

Comments

@clouduser27

clouduser27 commented Jul 18, 2023

The recent changes to the Microsoft Authenticator app have made it difficult to authenticate when using the aws-azure-login container or without a GUI mode. This is because the MS MFA process now requires users to enter a number displayed on the screen in the authenticator app to validate. However, the terminal does not have a GUI mode, and therefore the user is unable to see the number and cannot complete the MFA process.

 docker run --rm -it -v ~/.aws:/root/.aws sportradar/aws-azure-login
 Logging in with profile 'default'...
 Using AWS SAML endpoint https://signin.aws.amazon.com/saml
 Username: EnterUsername
 Password: [hidden]
 Open your Authenticator app, and enter the number shown to sign in.

After a brief period, although I don't see any numbers displayed on the terminal

We sent an identity verification request to your mobile device, but you denied it.

The profile setting for MFA is

Default sign-in method: Authenticator app or hardware token - code

I have since tried using Twilio Authy as my MFA app and it works fine. However, the organization standard is MS Authenticator, and therefore I would like to know if there are any workarounds for this issue.

@gfrid

gfrid commented Jul 30, 2023

MS has rolled out changes; it happened in my org also. As a workaround we route traffic through the full tunnel instead of split tunnel in our VPN.

@gfrid

gfrid commented Jul 31, 2023

This program is useless now; if it's not updated then we need to find another solution.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
"Beginning May 8, 2023, number matching is enabled for all Authenticator push notifications. As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests. Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy if Notifications through mobile app is enabled."

@clarivatebrad

Still working OK, using the Node module installed locally in an NVM bin:

[~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production
(node:28873) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
Unknown profile 'production'. You must configure it first with --configure.
[~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production --configure
Configuring profile 'production'
(node:28900) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
? Azure Tenant ID: **TENANT**
? Azure App ID URI: https://signin.aws.amazon.com/saml#3
? Default Username: **EMAIL**
? Stay logged in: skip authentication while refreshing aws credentials (true|false) true
? Default Role ARN (if multiple): **ROLE**
? Default Session Duration Hours (up to 12): 8
Profile saved.
[~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production
(node:31472) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
Logging in with profile 'production'...
Using AWS SAML endpoint https://signin.aws.amazon.com/saml
? Password: [hidden]
Open your Authenticator app, and enter the number shown to sign in.
95
Assuming role **ROLE**

I had no end of trouble until I worked out the right app ID URI to use - https://signin.aws.amazon.com/saml#3

@clouduser27
Author

> Still working OK, using the Node module installed locally in an NVM bin:
>
> [~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production
> (node:28873) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.
>
> Please migrate your code to use AWS SDK for JavaScript (v3).
> For more information, check the migration guide at https://a.co/7PzMCcy
> (Use `node --trace-warnings ...` to show where the warning was created)
> Unknown profile 'production'. You must configure it first with --configure.
> [~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production --configure
> Configuring profile 'production'
> (node:28900) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.
>
> Please migrate your code to use AWS SDK for JavaScript (v3).
> For more information, check the migration guide at https://a.co/7PzMCcy
> (Use `node --trace-warnings ...` to show where the warning was created)
> ? Azure Tenant ID: **TENANT**
> ? Azure App ID URI: https://signin.aws.amazon.com/saml#3
> ? Default Username: **EMAIL**
> ? Stay logged in: skip authentication while refreshing aws credentials (true|false) true
> ? Default Role ARN (if multiple): **ROLE**
> ? Default Session Duration Hours (up to 12): 8
> Profile saved.
> [~]$ ./node_modules/.bin/aws-azure-login --no-sandbox --profile production
> (node:31472) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.
>
> Please migrate your code to use AWS SDK for JavaScript (v3).
> For more information, check the migration guide at https://a.co/7PzMCcy
> (Use `node --trace-warnings ...` to show where the warning was created)
> Logging in with profile 'production'...
> Using AWS SAML endpoint https://signin.aws.amazon.com/saml
> ? Password: [hidden]
> Open your Authenticator app, and enter the number shown to sign in.
> 95
> Assuming role **ROLE**
>
> I had no end of trouble until I worked out the right app ID URI to use - https://signin.aws.amazon.com/saml#3

This is clearly not using the aws-azure-login container image.

@clarivatebrad

> The recent changes to the Microsoft Authenticator app have made it difficult to authenticate when using the aws-azure-login container or without a GUI mode.

This is, however, clearly using the module without a GUI. It works. If it's only the Docker image you're concerned with then you need to state that.

@gfrid

gfrid commented Sep 7, 2023

From what I tested, it seems that the issue is only on some mobile devices: I have seen the issue with Pixel and Xiaomi, while Samsung was able to work without GUI in CLI mode, presented 2 digits and passed the push notification.
I tend to think it's some kind of problem in the MS Auth App itself. @clouduser27 shows that 2 digits are presented, so it seems that the tool does support this method.

@dys152

dys152 commented Sep 22, 2023

I had the same issue in Docker on WSL2 following number matching being enabled on Authenticator, in that the Docker container doesn't display the number for the authentication process. As I'm on Windows 11, Linux GUI apps are enabled by default, so I am able to use X passthrough with the following (in case it helps anyone else):

docker run --rm -it -v ~/.aws:/root/.aws -e DISPLAY="$DISPLAY" -v /tmp/.X11-unix:/tmp/.X11-unix sportradar/aws-azure-login --profile=production --mode gui
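
The X-passthrough workaround above only works when a display is actually reachable from the container. The wrapper below (an added example, not part of the thread or of the aws-azure-login project) checks for `DISPLAY` and the X socket directory before adding the GUI flags, falls back to the plain CLI invocation otherwise, and mounts the socket read-only; the image name and flags are the ones used in the thread, while `gui_available`, `build_docker_args` and `chosen_mode` are names chosen here.

```shell
#!/bin/sh
# Added example: decide between GUI (X passthrough) and CLI mode for the
# sportradar/aws-azure-login container based on what the host actually has.

# Returns 0 when GUI mode can work: DISPLAY is non-empty and the X socket
# directory exists.  $1 = DISPLAY value, $2 = X socket directory.
gui_available() {
    [ -n "$1" ] && [ -d "$2" ]
}

# Prints the docker argument list, one argument per line, so a caller can
# do:  docker $(build_docker_args production "$DISPLAY" /tmp/.X11-unix ~/.aws)
# $1 = profile, $2 = DISPLAY value, $3 = X socket directory, $4 = AWS config dir
build_docker_args() {
    profile=$1; display=$2; xdir=$3; awsdir=$4
    printf '%s\n' run --rm -it -v "$awsdir:/root/.aws"
    if gui_available "$display" "$xdir"; then
        # Mounting the X socket gives the container the same access to the
        # host display as any local X client, so keep it read-only and only
        # do this for an image you trust.
        printf '%s\n' -e "DISPLAY=$display" -v "$xdir:/tmp/.X11-unix:ro"
        printf '%s\n' sportradar/aws-azure-login "--profile=$profile" --mode gui
    else
        printf '%s\n' sportradar/aws-azure-login "--profile=$profile"
    fi
}

# Reports which mode build_docker_args will pick; useful for logging.
chosen_mode() {
    if gui_available "$1" "$2"; then echo gui; else echo cli; fi
}
```

In CLI mode the number-matching prompt is still printed by the tool itself (as in the sessions quoted above), so this only decides whether the browser window is also exposed.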

@jghal
Contributor

jghal commented Oct 20, 2023

@gfrid the application itself supports the MFA number check, per #266, but when this project was rebranded from sportradar to this org, they didn't keep up with publishing new Docker images. A maintainer in #266 asked for a PR to fix the Docker build, so I opened #304 with the changes that let me build an image locally to get unblocked, but it appears nobody is maintaining this repo any more. Though @dys152's solution of mounting the X socket to do GUI mode is pretty snazzy, that sportradar/aws-azure-login image is using an old version of the application code.


5 participants