Forum Discussion

ABaerst
Brass Contributor
Feb 13, 2018

Powershell CMDlets for MFA Settings?

Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I am mostly focused on Office 365, but I think that this is an Azure AD question in general.


Here's the use case that I am considering. We have a number of Office 365 users with MFA enabled. There was configuration guidance given at setup time, but not all users chose to follow that guidance. Specifically, many chose SMS notification, but our facility is notorious for poor cellular reception. Mobile app is preferred in this environment. In some cases, they deviated from the suggested method intentionally and, other times, unintentionally. This leads to support calls and it would be very useful for the support tech to know up front which methods are configured and which is the user's primary verification method. 


I've looked at the Azure AD module, but haven't found what I'm looking for yet.


Thanks,

Andy Baerst

  • You have the information in the Get-MsolUser cmdlet from the MSOnline PowerShell module:

    Connect-MsolService
    $User = Get-MsolUser -UserPrincipalName user@domain.com
    $User.StrongAuthenticationMethods

    With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.

    • ABaerst
      Brass Contributor

      Man, you guys are militant about the "Best Response." I step away for an hour to get a bite to eat and I come back to someone else marking the answer as "Best Response." Ok, alright. I get it. It's all about the Best Response points. Thanks again.

    • Dale Robertson
      Copper Contributor

      I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.

      Thank you in advance.

      • Gary Long
        Copper Contributor

        Try this (has to be done on a per-group basis):

        $filepath = '<your-export-filename>'
        Get-MsolGroupMember -GroupObjectId <the id number of the group> -MemberObjectTypes User -All |
            Get-MsolUser |
            Where-Object { $_.UserPrincipalName } |
            Select-Object UserPrincipalName, DisplayName, Country, Department, Title,
                @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}},
                # Join the method list into one cell; an array would export as "System.Object[]"
                @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType -join ';'}},
                # Export the name of the default method rather than the raw IsDefault booleans
                @{n="Default Method"; e={($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType}} |
            Export-Csv -Path $filepath -NoTypeInformation

  • I found a solution to this :)
    Not a one-time bypass, but it requires the user to re-register at next sign-in.

    # /MWU
    # First connect to your tenant (as you usually do)
    # Output from my connect-tenant function
    # cat function:Connect-O365-PROD

    # Actual Connect-O365-PROD function
    Get-PSSession | Remove-PSSession
    $PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
    # Use this if you import script functions from a remote server; I only load the remote script in my $profile
    Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
    Connect-MsolService -Credential $PRODAdminCred
    ################## Forget the above if you are a pro :) ##################

    # Selected user in the cloud
    $UserPrincipalName = "abc@org.com"

    # Get settings for a user with existing auth data
    $User = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # View the currently registered methods and which one is the default
    $User.StrongAuthenticationMethods

    # Create custom objects for the methods (set IsDefault to $true on the one method you prefer, $false on the rest)
    $m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m1.IsDefault = $false
    $m1.MethodType = "OneWaySMS"

    $m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m2.IsDefault = $false
    $m2.MethodType = "TwoWayVoiceMobile"

    $m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m3.IsDefault = $false
    $m3.MethodType = "PhoneAppOTP"

    $m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m4.IsDefault = $true
    $m4.MethodType = "PhoneAppNotification"

    # To set the user's default method for the second factor
    #$m = @($m1, $m2, $m3, $m4)

    # To force the user ONLY to re-register, without clearing their phone number or app shared secret
    $m = @()

    # Set command to define the new settings
    Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m

    # Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
    $User = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $User.StrongAuthenticationMethods

  • Gary Long
    Copper Contributor

    I was provided this command by MS Support:

    Connect-Msolservice

    Get-MsolGroupMember -GroupObjectId <the group object ID> -MemberObjectTypes User |
        Get-MsolUser |
        Select-Object UserPrincipalName -ExpandProperty StrongAuthenticationUserDetails |
        Select-Object UserPrincipalName, AlternativePhoneNumber, Email, PhoneNumber
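The replies above cover one user at a time or one group at a time. As an added example (editor's code, not from any poster), the script below walks every user in the tenant, exports MFA state, registered methods and the default method to CSV, and flags the case the original question is about: users whose default method is SMS. It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the output path is adjusted to your environment.

```powershell
# Added example: tenant-wide MFA method report with the MSOnline module.
# Assumes Connect-MsolService has already succeeded in this session.
$OutFile = 'C:\Temp\mfa-report.csv'   # assumed output path; change as needed

$Report = Get-MsolUser -All | ForEach-Object {
    $Methods = @($_.StrongAuthenticationMethods)
    $Default = $Methods | Where-Object { $_.IsDefault } | Select-Object -First 1

    # StrongAuthenticationRequirements is empty when per-user MFA is not enabled.
    # Note: users covered only by Conditional Access MFA also show as 'Disabled' here,
    # so treat this column as "per-user MFA state", not "is MFA required".
    $State = if ($_.StrongAuthenticationRequirements) {
        $_.StrongAuthenticationRequirements[0].State
    } else { 'Disabled' }

    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DisplayName       = $_.DisplayName
        MfaState          = $State
        # Join into one cell; exporting the raw array would give "System.Object[]"
        Methods           = ($Methods.MethodType -join ';')
        DefaultMethod     = $Default.MethodType
        # The support-call case from the question: SMS chosen as primary method
        SmsIsDefault      = ($Default.MethodType -eq 'OneWaySMS')
        # MFA enforced but nothing registered yet: user will be prompted to register
        NoMethods         = ($Methods.Count -eq 0)
    }
}

$Report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick triage list for the help desk: who still defaults to SMS?
$Report | Where-Object { $_.SmsIsDefault } | Select-Object UserPrincipalName, Methods
```

On a large tenant Get-MsolUser -All is slow; the per-group pipelines posted above are a reasonable way to scope the same report.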

  • nikollasperes
    Copper Contributor

    Good afternoon, everyone!

    I need to create a script that can change the following items below. Could you help me? I've been looking for a page with guidance and haven't found one...

    Thanks!
