SecureMFA Support Tools

All support tools for OTP accounts are packaged into a PowerShell module. The latest module can be downloaded from the Microsoft PowerShell Gallery:

Install-Module -Name SecureMFA

Post installation steps:

    • The SecureMFA_SupportTools.json configuration file in the "C:\Program Files\WindowsPowerShell\Modules\SecureMFA" folder must be updated with your configuration data.

Below is a sample of a valid SecureMFA_SupportTools.json config file:

        {
             "sql_server": "asqlaol1.adatum.labnet",
             "sql_database": "SecureMfaOTP",
             "ui_input_text": "Please enter user's UPN",
             "ui_environment": "MyCompany",
             "encryption_passphrase": "d9GhT=7=Ox8-+LaZ"
        }

The values shown are sample data. Use your own encryption_passphrase, and restrict read access to this file, since it holds the passphrase in clear text.


Most of the functions in SecureMFA Tools do not require a license. Features which require a license are listed below under Licensed Functions; to use them you need a serial number. A license is issued per identity provider for unlimited users.

Functions (no license required)

Show-xOTP  : Shows OTP details for the user
Reset-xOTP : Resets OTP account in SQL database
Set-xOTP : Disables or Enables OTP account for the user
Get-xOTP-Status : Shows OTP account status

Licensed Functions

Get-xHashiCorp_Vault_ClientToken : Retrieves a client token from HashiCorp Vault

Show-xOTP

Shows OTP details for a user.

Show-xOTP -upn test1@adatum.labnet -DecryptSecret
Show-xOTP -upn test1@adatum.labnet -DecryptSecret -otpcode 893117


Reset-xOTP

Resets the OTP account in the SQL database.

Reset-xOTP -upn test1@adatum.labnet -HardReset


Set-xOTP

This command disables or enables the OTP account for a user. To prevent a user from logging on with MFA, use the -Disable parameter; without it, the command enables the user.

Set-xOTP -upn test4@adatum.labnet -Disable


Get-xOTP-Status

This command shows the overall status of OTP accounts. It lists more detailed information when used with parameters.

Get-xOTP-Status -upn test4@adatum.labnet

This command shows the OTP account details for the specified user.

Get-xOTP-Status -lastlogon

This command shows the count of last logons, grouped by date.


Get-xHashiCorp_Vault_ClientToken

Retrieves a client token from HashiCorp Vault. When Vault is configured to authenticate with OIDC, run the PowerShell command below; it retrieves a client access token once authentication with your identity provider succeeds. The client token can then be used to query the HashiCorp Vault API for secrets within the delegated scope.

$header = Get-xHashiCorp_Vault_ClientToken

Successful authentication returns an object which can be used to query the HashiCorp Vault API endpoint.

Because the returned object has multiple items, pass item 2 (the header) to the -Headers parameter when querying the HashiCorp Vault API for data.

Invoke-RestMethod -Headers $header.Item(2) -Method GET -Uri 'http://hscvault.adatum.labnet:8200/v1/kv/data/testsecret'

You can review the full details of the issued token by executing the command below:

($header.Item(1) | ConvertFrom-Json).auth
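The token retrieval and KV read above, wrapped in a small helper that checks the token before using it and handles request errors. This is an added example, not code from the SecureMFA module: the Item(1)/Item(2) layout of the returned object is taken from the documentation above, the Vault address and secret path are placeholders, and the auth fields (client_token, policies, lease_duration, renewable) and the KV v2 data.data layout are standard Vault API behaviour. The example assumes Vault is reached over HTTPS, which is what you want for a token-bearing request even though the command above uses plain http.

```powershell
# Added example (not part of the SecureMFA module). Wraps the documented flow:
# Get-xHashiCorp_Vault_ClientToken -> Item(2) headers -> KV read via the Vault API.
function Get-VaultKvSecret {
    param(
        [Parameter(Mandatory)] [string]$VaultAddress,  # placeholder, e.g. https://hscvault.adatum.labnet:8200
        [Parameter(Mandatory)] [string]$SecretPath,    # placeholder, e.g. kv/data/testsecret
        [Parameter(Mandatory)] $Header                 # object returned by Get-xHashiCorp_Vault_ClientToken
    )

    # Inspect the issued token before using it: which policies it carries and how long it lives.
    # Item(1) is the raw login response JSON, as documented above.
    $auth = ($Header.Item(1) | ConvertFrom-Json).auth
    if (-not $auth.client_token) {
        throw 'Vault login response contains no client token; authentication did not complete.'
    }
    Write-Verbose ("Token policies: {0}; TTL {1}s; renewable={2}" -f ($auth.policies -join ','), $auth.lease_duration, $auth.renewable)

    $uri = "{0}/v1/{1}" -f $VaultAddress.TrimEnd('/'), $SecretPath.TrimStart('/')
    try {
        # Item(2) is the ready-made header set (X-Vault-Token), as documented above.
        $resp = Invoke-RestMethod -Headers $Header.Item(2) -Method GET -Uri $uri
    } catch {
        # 403: the token's policies do not cover this path; 404: nothing stored at this path.
        throw "Vault request to $uri failed: $($_.Exception.Message)"
    }

    # KV v2 nests the key/value pairs under data.data (data.metadata holds version info);
    # KV v1 returns the pairs directly under data.
    if ($resp.data.PSObject.Properties.Name -contains 'data') { return $resp.data.data }
    return $resp.data
}

# Usage: authenticate with the identity provider, then read one secret within the delegated scope.
$header = Get-xHashiCorp_Vault_ClientToken
$secret = Get-VaultKvSecret -VaultAddress 'https://hscvault.adatum.labnet:8200' -SecretPath 'kv/data/testsecret' -Header $header -Verbose
# $secret now holds the key/value pairs; avoid writing it to the console or to transcripts.
```

Run with -Verbose to see the token's policies and TTL before the secret is fetched; a token with a short lease_duration and renewable=false will need to be re-issued by calling Get-xHashiCorp_Vault_ClientToken again rather than reused across a long session.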


All provider-related logs are written to the Windows Application event log.

Windows Application Events:

Source: Secure MFA OTP
Event ID 5550: OTP User Management Events
Event ID 5551: Get User Attribute Events
Event ID 5552: OTP SoftReset Events
Event ID 5553: OTP HardReset Events
Event ID 5554: Get OTP List Of Codes Events
Event ID 5555: Get OTP Time Drift Events
Event ID 5559: System Events
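Because hard resets (5553), code listing (5554) and enable/disable actions (5550) change or expose a user's second factor, they are the events worth reviewing regularly. The following is an added example, not part of the SecureMFA module: it queries the Application log for the provider name and event IDs listed above, and the -Days and -EventId parameters are choices made for this example. Get-WinEvent throws when nothing matches, which is why the query suppresses that error and simply returns no rows.

```powershell
# Added example (not part of the SecureMFA module): review recent OTP support activity
# using the event source and IDs documented above.
function Get-SecureMfaSupportActivity {
    param(
        [int]$Days = 7,
        # Default set: enable/disable, soft/hard reset and code-listing events
        [int[]]$EventId = @(5550, 5552, 5553, 5554)
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Secure MFA OTP'          # event source as documented above
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    $props = @(
        'TimeCreated'
        'Id'
        # SID of the account that produced the event, when the provider records it
        @{ Name = 'Operator'; Expression = { $_.UserId } }
        # First line of the message only, to keep the table readable
        @{ Name = 'Summary';  Expression = { ($_.Message -split "`n")[0] } }
    )

    # No matching events is not an error for a review script, so suppress Get-WinEvent's exception
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Select-Object -Property $props
}

# Count per event ID over the period so a spike (for example many hard resets in a week) stands out
function Get-SecureMfaSupportSummary {
    param([int]$Days = 7)
    Get-SecureMfaSupportActivity -Days $Days -EventId @(5550, 5551, 5552, 5553, 5554, 5555, 5559) |
        Group-Object -Property Id |
        Select-Object @{ Name = 'EventId'; Expression = { [int]$_.Name } }, Count |
        Sort-Object -Property EventId
}

# Usage: monthly overview, then the individual hard resets for closer inspection
Get-SecureMfaSupportSummary -Days 30
Get-SecureMfaSupportActivity -Days 30 -EventId 5553 | Format-Table -AutoSize
```

Reading the Application log requires membership in Event Log Readers (or administrator rights) on the host where the provider runs; the script can also be pointed at a remote host by adding -ComputerName to Get-WinEvent.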

SQL Database Maintenance

Schedule the SQL script below to run as a weekly job on SQL Server. The script deletes user records whose lastlogon value is older than 60 days or is NULL.

DELETE FROM [SecureMfaOTP].[dbo].[Secrets] WHERE lastlogon < DATEADD(day, -60, GETDATE()) OR lastlogon IS NULL
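A DELETE without a preview is easy to get wrong on a retention change, so the following runs the same predicate as a COUNT first and only then deletes. This is an added example, not the module's own script: it reads sql_server and sql_database from the SecureMFA_SupportTools.json file shown in the post-installation steps, and assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the account running it has integrated Windows authentication rights on the SQL instance. The -RetentionDays and -WhatIf parameters are choices made for this example; -RetentionDays is typed as an integer so interpolating it into the query cannot introduce anything but a number.

```powershell
# Added example (not part of the SecureMFA module): preview, then run, the documented
# weekly cleanup, taking the SQL connection details from the module's config file.
$configPath = 'C:\Program Files\WindowsPowerShell\Modules\SecureMFA\SecureMFA_SupportTools.json'
$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json

function Invoke-SecureMfaCleanup {
    param(
        [string]$ServerInstance = $config.sql_server,
        [string]$Database       = $config.sql_database,
        [int]$RetentionDays     = 60,   # same default as the documented script
        [switch]$WhatIf                 # report the count only, delete nothing
    )

    # Identical predicate to the documented maintenance script, parameterised on retention.
    $where = "lastlogon < DATEADD(day, -$RetentionDays, GETDATE()) OR lastlogon IS NULL"

    $sql = @{ ServerInstance = $ServerInstance; Database = $Database }

    $count = (Invoke-Sqlcmd @sql -Query "SELECT COUNT(*) AS n FROM [dbo].[Secrets] WHERE $where").n
    Write-Host "Stale OTP records (no logon in $RetentionDays days, or never): $count"

    if ($WhatIf -or $count -eq 0) { return $count }

    Invoke-Sqlcmd @sql -Query "DELETE FROM [dbo].[Secrets] WHERE $where"
    Write-Host "Deleted $count record(s) from [$Database].[dbo].[Secrets]"
    return $count
}

# Usage: preview first; drop -WhatIf in the scheduled job once the count looks right.
Invoke-SecureMfaCleanup -WhatIf
```

The returned count is what a SQL Agent job or scheduled task can log, so a week that removes far more records than usual (for example after an identity-provider outage that stopped logons from being recorded) is visible before the next run.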