Forum Discussion
PowerShell Cmdlets for MFA Settings?
Does anyone know if there are PowerShell cmdlets available to allow inspection of a user's MFA settings, specifically which verification options were configured and which option is considered primary? I am mostly focused on Office 365, but I think that this is an Azure AD question in general.
Here's the use case that I am considering. We have a number of Office 365 users with MFA enabled. There was configuration guidance given at setup time, but not all users chose to follow that guidance. Specifically, many chose SMS notification, but our facility is notorious for poor cellular reception. Mobile app is preferred in this environment. In some cases, they deviated from the suggested method intentionally and, other times, unintentionally. This leads to support calls and it would be very useful for the support tech to know up front which methods are configured and which is the user's primary verification method.
I've looked at the Azure AD module, but haven't found what I'm looking for yet.
Thanks,
Andy Baerst
- Pablo R. Ortiz (Steel Contributor)
You have the information in the Get-MsolUser cmdlet from the MSOnline PowerShell module:
Connect-MsolService
$User = Get-MsolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
- ABaerst (Brass Contributor)
Man, you guys are militant about the "Best Response." I step away for an hour to get a bite to eat and I come back to someone else marking the answer as "Best Response." Ok, alright. I get it. It's all about the Best Response points. Thanks again.
- Pablo R. Ortiz (Steel Contributor)
Best responses help other people quickly identify the correct answer in the thread. And yes, they give "points". There's nothing wrong with that. We take the time to test, reproduce scenarios, run cmdlets, take snapshots, etc., and it won't take you a second (apart from replying) to mark the best response.
- ABaerst (Brass Contributor)
Very nice. Thank you.
- Dale Robertson (Copper Contributor)
I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.
Thank You in advance.
- Gary Long (Copper Contributor)
Try this (has to be done on a per-group basis):
$filepath = '<your-export-filename>'
# Methods is joined so Export-Csv writes the names instead of System.Object[];
# Default Method selects the entry whose IsDefault flag is set and writes its MethodType.
Get-MsolGroupMember -GroupObjectId <the id number of the group> -MemberObjectTypes User -All |
    Get-MsolUser |
    Where-Object { $_.UserPrincipalName } |
    Select-Object UserPrincipalName, DisplayName, Country, Department, Title,
        @{n = "MFA";            e = { $_.StrongAuthenticationRequirements.State }},
        @{n = "Methods";        e = { $_.StrongAuthenticationMethods.MethodType -join ';' }},
        @{n = "Default Method"; e = { ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType }} |
    Export-Csv -Path $filepath -NoTypeInformation
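Gary's export above covers one group at a time. The script below is an added example, not code from any post in this thread: it walks the whole tenant using the same MSOnline properties, flags accounts whose default is a phone-based method (the SMS problem Andy describes in the original post, where a support tech wants to see the primary method up front), and includes the StrongAuthenticationUserDetails phone and email fields that Gary's later MS Support one-liner pulls. The output path .\mfa-audit.csv and the set of MethodType values treated as phone-based are my assumptions, and the script assumes you have already run Connect-MsolService with an account allowed to read user MFA settings.

```powershell
# Added example: tenant-wide MFA registration audit with the legacy MSOnline module.
# Assumptions: an existing Connect-MsolService session; output path .\mfa-audit.csv.
Import-Module MSOnline -ErrorAction Stop

# MethodType values that depend on cellular or desk-phone reachability (assumption for this environment;
# the thread's concern is poor cellular reception, so SMS and voice are the ones to move users off).
$phoneBased = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'TwoWayVoiceAlternateMobile')

function Get-MfaAuditRow {
    param([Parameter(Mandatory)] $User)

    $methods = @($User.StrongAuthenticationMethods)
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
    # Per-user MFA state is 'Enabled' or 'Enforced'; it is empty when MFA is driven only by
    # Conditional Access or Security Defaults, which is why it is reported separately from registration.
    $state   = ($User.StrongAuthenticationRequirements | Select-Object -First 1).State
    $details = $User.StrongAuthenticationUserDetails

    $stateText   = if ($state) { $state } else { 'NotSet' }
    $defaultName = if ($default) { $default.MethodType } else { '' }

    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        DisplayName       = $User.DisplayName
        PerUserMfaState   = $stateText
        Registered        = ($methods.Count -gt 0)
        Methods           = (@($methods.MethodType) | Sort-Object) -join ';'
        DefaultMethod     = $defaultName
        DefaultIsPhone    = [bool]($default -and ($phoneBased -contains $default.MethodType))
        PhoneNumber       = $details.PhoneNumber
        AlternativePhone  = $details.AlternativePhoneNumber
        Email             = $details.Email
    }
}

# Skip sign-in-blocked accounts; they cannot raise support calls.
$rows = Get-MsolUser -All |
    Where-Object { -not $_.BlockCredential } |
    ForEach-Object { Get-MfaAuditRow -User $_ }

$rows | Export-Csv -Path .\mfa-audit.csv -NoTypeInformation -Encoding UTF8

# Two lists the help desk actually wants: who should be moved to the app, and who has nothing registered.
$rows | Where-Object DefaultIsPhone |
    Select-Object UserPrincipalName, DefaultMethod, PhoneNumber | Format-Table -AutoSize
$rows | Where-Object { -not $_.Registered } |
    Select-Object UserPrincipalName, PerUserMfaState | Format-Table -AutoSize
```

Registration and enforcement are reported as separate columns on purpose: a user can be Enforced with no methods registered (they will be prompted to register at next sign-in), or fully registered with PerUserMfaState empty because MFA is applied by Conditional Access. The MSOnline module is deprecated; the Microsoft Graph PowerShell equivalent for the registration data is Get-MgUserAuthenticationMethod from Microsoft.Graph.Identity.SignIns.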
- Micki Wulffeld (Brass Contributor)
I found a solution to this :)
Not a one-time bypass, but it requires the user to re-register at next sign-in.
# /MWU
# First connect to your tenant (as you usually do)
# Output from my connect-tenant function:
# cat function:Connect-O365-PROD
# Actual Connect-O365-PROD function
# $PRODAdminCred is a PSCredential for the admin account, set elsewhere (e.g. via Get-Credential)
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
Connect-MsolService -Credential $PRODAdminCred
################## Forget the above if you are a pro :) ##################

# Selected user in cloud
$UserPrincipalName = "abc@org.com"

# Get settings for a user with existing auth data
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName

# Viewing the default method
$User.StrongAuthenticationMethods

# Creating custom objects for the methods (put $true instead of $false on the one method you prefer as default)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault  = $false
$m1.MethodType = "OneWaySMS"
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault  = $false
$m2.MethodType = "TwoWayVoiceMobile"
$m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault  = $false
$m3.MethodType = "PhoneAppOTP"
$m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault  = $true
$m4.MethodType = "PhoneAppNotification"

# To set the user's default method for the second factor:
#$m = @($m1, $m2, $m3, $m4)

# To force the user ONLY to re-register, without clearing their phone number or app shared secret:
$m = @()

# Set command to define the new settings
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m

# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
$User.StrongAuthenticationMethods
- ManishKKutty (Copper Contributor)
Do we have an option to change the phone number under the Authentication tab from PowerShell?
- Micki Wulffeld (Brass Contributor)
No. Sadly, there is still no PowerShell way to update the authentication phone / info directly. ManishKKutty
See the UserVoice here:
- AntDigi (Copper Contributor)
Micki Wulffeld - thanks for this.
Does anyone know if it is possible to retain SMS as a usable authentication method for a user when switching from SMS to PhoneAppOTP/PhoneAppNotification via PowerShell?
At the moment, when a new default sign-in method (other than SMS) is defined via the Set-MsolUser command, it disables two-step verification for SMS, rendering it void as an alternative authentication method until the user reactivates it via mysignins.microsoft.com/security-info.
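Micki's script above writes a hard-coded list of four method objects, and AntDigi reports that after such a Set-MsolUser call the SMS method stops working until the user re-activates it. The function below is an added example, not code from the thread: it changes only the IsDefault flag, rebuilding the list from what Get-MsolUser currently returns for the user, refuses to promote a method the user has not registered, supports -WhatIf, and reads the record back after the write so you can see exactly which MethodType entries survived. Whether SMS stays listed is what that read-back is there to show; the function does not prevent the behaviour AntDigi describes. The UPN abc@org.com is a placeholder, and the function assumes an existing Connect-MsolService session whose account is allowed to run Set-MsolUser.

```powershell
# Added example (not from the thread): change a user's default MFA method without
# replacing their registered method list from hard-coded values.
# Assumptions: an existing Connect-MsolService session with rights to run Set-MsolUser;
# the UPN at the bottom is a placeholder.
Import-Module MSOnline -ErrorAction Stop

function Set-MfaDefaultMethod {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,

        # The MethodType values the MSOnline StrongAuthenticationMethod model uses
        [Parameter(Mandatory)]
        [ValidateSet('PhoneAppNotification', 'PhoneAppOTP', 'OneWaySMS',
                     'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'TwoWayVoiceAlternateMobile')]
        [string] $Method
    )

    $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $before = @($user.StrongAuthenticationMethods)
    $registered = @($before.MethodType)

    # Only a method the user has already registered can become the default; this cmdlet
    # gives an admin no way to register a phone or app on the user's behalf.
    if ($registered -notcontains $Method) {
        $have = if ($registered.Count) { $registered -join ', ' } else { 'none' }
        throw "$UserPrincipalName has not registered $Method (registered: $have). The user must add it at https://mysignins.microsoft.com/security-info first."
    }

    # Rebuild the list from the current registrations; only IsDefault changes.
    $new = foreach ($m in $before) {
        $obj = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $obj.MethodType = $m.MethodType
        $obj.IsDefault  = ($m.MethodType -eq $Method)
        $obj
    }

    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, "Set default MFA method to $Method")) {
        return
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $new

    # Read back rather than trust the write: this is where you see whether the other
    # methods (for example OneWaySMS) are still listed after the change.
    $after = @((Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods)
    $lost  = @($registered | Where-Object { @($after.MethodType) -notcontains $_ })

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        DefaultBefore     = ($before | Where-Object IsDefault).MethodType
        DefaultAfter      = ($after  | Where-Object IsDefault).MethodType
        MethodsBefore     = ($registered | Sort-Object) -join ';'
        MethodsAfter      = (@($after.MethodType) | Sort-Object) -join ';'
        MethodsLost       = $lost -join ';'
    }
}

# Preview first, then apply (placeholder UPN)
Set-MfaDefaultMethod -UserPrincipalName 'abc@org.com' -Method PhoneAppNotification -WhatIf
Set-MfaDefaultMethod -UserPrincipalName 'abc@org.com' -Method PhoneAppNotification
```

Run it once against a test account and keep the returned object: MethodsLost is the column that answers AntDigi's question for your tenant, and DefaultAfter confirms the write took effect instead of silently being rejected.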
- Gary Long (Copper Contributor)
I was provided this command by MS Support:
Connect-MsolService
Get-MsolGroupMember -GroupObjectId <the group object ID> -MemberObjectTypes User |
    Get-MsolUser |
    Select-Object UserPrincipalName -ExpandProperty StrongAuthenticationUserDetails |
    Select-Object UserPrincipalName, AlternativePhoneNumber, Email, PhoneNumber
- nikollasperes (Copper Contributor)
Hi everyone, good afternoon!
I need to create a script that can change the items listed below. Could you help me? I have been looking for a page with guidance and haven't found one...
Thank you!