Forum Discussion
ABaerst
Feb 13, 2018 Brass Contributor
Powershell CMDlets for MFA Settings?
Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I am mostly focused on Office 365, but I think that this is an Azure AD question in general.
Here's the use case that I am considering. We have a number of Office 365 users with MFA enabled. There was configuration guidance given at setup time, but not all users chose to follow that guidance. Specifically, many chose SMS notification, but our facility is notorious for poor cellular reception. Mobile app is preferred in this environment. In some cases, they deviated from the suggested method intentionally and, other times, unintentionally. This leads to support calls and it would be very useful for the support tech to know up front which methods are configured and which is the user's primary verification method.
I've looked at the Azure AD module, but haven't found what I'm looking for yet.
Thanks,
Andy Baerst
- Pablo R. Ortiz Steel Contributor
You have the information in the Get-MsolUser cmdlet from the MSOnline PowerShell module:
Connect-MsolService
$User = Get-MsolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
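As an added example (not code from the thread or from Microsoft), here is a read-only report built on the properties Pablo points at, for the support scenario in the original question: which methods each user has registered, which one is the default, and whether that default depends on cellular reception. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; Microsoft has since deprecated MSOnline in favour of Microsoft Graph PowerShell, so this shows the pattern rather than a current tool. The users.txt path, the function name and the NeedsCellular column are my own.

```powershell
# Added example: summarise each user's registered MFA methods and flag defaults that
# depend on cellular reception. Assumes MSOnline is loaded and Connect-MsolService has run.
# MSOnline has since been deprecated in favour of Microsoft Graph PowerShell.
function Get-MfaMethodSummary {
    [CmdletBinding()]
    param(
        # One or more UserPrincipalNames; accepts pipeline input, e.g. from Get-Content
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
            if (-not $user) { Write-Warning "User not found: $upn"; continue }

            # StrongAuthenticationMethods lists registered methods; the one with IsDefault set is primary
            $methods = @($user.StrongAuthenticationMethods)
            $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
            $defaultType = if ($default) { $default.MethodType } else { 'None' }

            # StrongAuthenticationRequirements only reflects legacy per-user MFA state;
            # MFA enforced through Conditional Access leaves it empty.
            $reqs = @($user.StrongAuthenticationRequirements)
            $perUserState = if ($reqs.Count -gt 0) { $reqs[0].State } else { 'Not set' }

            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                PerUserMfaState   = $perUserState
                RegisteredMethods = (@($methods | ForEach-Object { $_.MethodType }) -join ';')
                DefaultMethod     = $defaultType
                MfaPhone          = $user.StrongAuthenticationUserDetails.PhoneNumber
                # OneWaySMS and TwoWayVoiceMobile both need cellular reception (column name is my own)
                NeedsCellular     = $defaultType -in @('OneWaySMS', 'TwoWayVoiceMobile')
            }
        }
    }
}

# Usage (placeholder paths): list users whose default method needs cellular coverage
Get-Content .\users.txt | Get-MfaMethodSummary |
    Where-Object NeedsCellular |
    Export-Csv -NoTypeInformation -Path .\mfa-cellular-defaults.csv
```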
- nikollasperes Copper Contributor
Good afternoon, everyone!
I need to create a script that can change the items listed below. Could you help me? I've been looking for a page with guidance and haven't found one...
Thanks!
- Micki Wulffeld Brass Contributor
I found a solution to this :)
Not a one-time bypass, but it requires the user to re-register at next sign-in.
# /MWU
# First connect to your tenant (as you usually do)
# Output from my connect tenant function
# cat function:Connect-O365-PROD
# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
Connect-MsolService -Credential $PRODAdminCred
################## Forget the above if you are a pro :) #######################################
# Selected user in the cloud
$UserPrincipalName = "abc@org.com"
# Get settings for a user with existing auth data
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
# Viewing the default method
$User.StrongAuthenticationMethods
# Creating custom objects for the methods (put $true instead of $false on the method you prefer as default)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType = "OneWaySMS"
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "TwoWayVoiceMobile"
$m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType = "PhoneAppOTP"
$m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $true
$m4.MethodType = "PhoneAppNotification"
# To set the user's default method for the second factor, pass all four objects:
#$m = @($m1, $m2, $m3, $m4)
# To force the user ONLY to re-register, without clearing their phone number or app shared secret, pass an empty array:
$m = @()
# Set command to define the new settings
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m
# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
$User.StrongAuthenticationMethods
- AntDigi Copper Contributor
Micki Wulffeld - thanks for this.
Does anyone know if it is possible to retain SMS as a usable authentication method for a user when switching from SMS to PhoneAppOTP/PhoneAppNotification via PowerShell?
At the moment, when a new default sign-in method (other than SMS) is defined via the set-msol command, it disables two-step verification for SMS, rendering it void as an alternative authentication method until the user reactivates it via mysignins.microsoft.com/security-info.
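As an added example (not Micki's or AntDigi's code), here is a wrapper around the clearing step in Micki's post that writes a JSON snapshot of the user's registered methods and phone/e-mail details before emptying StrongAuthenticationMethods, and honours -WhatIf / -Confirm so a support tech can dry-run it first. It assumes MSOnline is loaded and Connect-MsolService has been run; the function name and the snapshot folder are placeholders of mine.

```powershell
# Added example: snapshot a user's MFA registration before clearing it as in Micki's post.
# Assumes MSOnline is loaded and Connect-MsolService has run; paths are placeholders.
function Reset-MfaRegistration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName,
        # Folder that receives one JSON snapshot per reset (placeholder)
        [string]$SnapshotFolder = 'C:\MfaSnapshots'
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $methods = @($user.StrongAuthenticationMethods)
    if ($methods.Count -eq 0) {
        Write-Warning "$UserPrincipalName has no registered MFA methods; nothing to reset."
        return
    }

    # Record what is registered today (method types, which is default, phone and e-mail)
    # so the change is auditable and support can see what the user had before.
    $snapshot = [pscustomobject]@{
        Timestamp         = (Get-Date).ToString('o')
        UserPrincipalName = $user.UserPrincipalName
        Methods           = @($methods | Select-Object MethodType, IsDefault)
        PhoneNumber       = $user.StrongAuthenticationUserDetails.PhoneNumber
        AlternativePhone  = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
        Email             = $user.StrongAuthenticationUserDetails.Email
    }
    $null = New-Item -ItemType Directory -Path $SnapshotFolder -Force
    $safeName = $user.UserPrincipalName -replace '[^\w.@-]', '_'
    $file = Join-Path $SnapshotFolder ('{0}-{1:yyyyMMdd-HHmmss}.json' -f $safeName, (Get-Date))
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8

    # An empty array clears the registered methods so the user must re-register at next
    # sign-in (the step from Micki's post); with -WhatIf nothing is written or changed.
    $empty = @()
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Clear StrongAuthenticationMethods (forces re-registration)')) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods $empty
        Write-Host "Cleared MFA methods for $($user.UserPrincipalName); snapshot saved to $file"
    }
}

# Usage: dry run first, then run for real (prompts because ConfirmImpact is High)
Reset-MfaRegistration -UserPrincipalName user@domain.com -WhatIf
Reset-MfaRegistration -UserPrincipalName user@domain.com
```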
- ManishKKutty Copper Contributor
Do we have an option to change the phone number under the Authentication tab from PowerShell?
- Micki Wulffeld Brass Contributor
No, sadly there is still no PowerShell way to update the authentication phone / info directly. ManishKKutty
See the UserVoice here:
- Gary Long Copper Contributor
I was provided this command by MS Support:
Connect-MsolService
Get-MsolGroupMember -GroupObjectId <the group object ID> -MemberObjectTypes User |
    Get-MsolUser |
    Select-Object UserPrincipalName -ExpandProperty StrongAuthenticationUserDetails |
    Select-Object UserPrincipalName, AlternativePhoneNumber, Email, PhoneNumber
- Kaspar_Danielsen Copper Contributor
Hi, is there a way to remove the authentication once it's set?
If I enable this on a user by accident, the user is unable to remove the authentication method within Office 365, since it requires a minimum of one selection.
As shown in your screenshot, those won't appear on a user account that hasn't been enabled.
Kind Regards,
Kaspar D.
- Gary Long Copper Contributor
Kaspar_Danielsen The simplest method is via portal.azure.com. Navigate to Azure Active Directory->Users, then click Multi-Factor Authentication in the upper menu bar. Search for the username, then select it. You can then click Disable under "quick steps".
If you're using Conditional Access policies to enforce MFA, then the settings above are not used. In this case, you can remove MFA via PowerShell:
# Connect to Azure AD
Connect-MsolService
# Disable MFA for a user
$mfa = @()
Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa
- Indira1390 Copper Contributor
Can someone help me export the strong authentication details to a CSV file from Azure AD for some users provided through an input file?
Thanks in advance
- SudhishSkumar Copper Contributor
I am using the logic below to extract user MFA details and the default method configured. We use combined registration (SSPR + MFA).
# Define the result collection
$Results = New-Object System.Collections.ArrayList
# Get the user list from a text file; expects one UserPrincipalName per line
$Userlist = Get-Content d:\users.txt
Write-Host "Total $(($Userlist).count) users"
# Check each user's Strong Authentication Methods
$Userlist | ForEach-Object {
    Write-Host "Checking user: $($_) MFA status....."
    $User = Get-MsolUser -UserPrincipalName $_
    $UserStrongDetails = $User.StrongAuthenticationMethods
    $UserStrongDetailsCount = $User.StrongAuthenticationMethods.Count
    # Reset per user, otherwise a previous user's default method would carry over
    $DefaultMethod = $null
    if ($UserStrongDetails) {
        for ($i = 0; $i -lt $UserStrongDetailsCount; $i++) {
            if (($UserStrongDetails[$i].IsDefault) -eq $true) {
                $DefaultMethod = $UserStrongDetails[$i].MethodType
                break
            }
        }
        $Preresult = @{
            'AAD-DisplayName'            = $User.DisplayName
            'AAD-UserPrincipalName'      = $User.UserPrincipalName
            'AAD-UsageLocation'          = $User.UsageLocation
            'AAD-MobilePhone'            = $User.MobilePhone
            'AAD-OfficePhoneNumber'      = $User.PhoneNumber
            'MFA-Mobile'                 = $User.StrongAuthenticationUserDetails.PhoneNumber
            'MFA-AlternativePhoneNumber' = $User.StrongAuthenticationUserDetails.AlternativePhoneNumber
            'MFA-Email'                  = $User.StrongAuthenticationUserDetails.Email
            'MFA-DefaultMethod'          = $DefaultMethod
        }
    }
    else {
        $Preresult = @{
            'AAD-DisplayName'            = $User.DisplayName
            'AAD-UserPrincipalName'      = $User.UserPrincipalName
            'AAD-UsageLocation'          = $User.UsageLocation
            'AAD-MobilePhone'            = $User.MobilePhone
            'AAD-OfficePhoneNumber'      = $User.PhoneNumber
            'MFA-Mobile'                 = "Not-Defined"
            'MFA-AlternativePhoneNumber' = "Not-Defined"
            'MFA-Email'                  = "Not-Defined"
            'MFA-DefaultMethod'          = "Not-Defined"
        }
    }
    # ArrayList.Add returns the new index; discard it so it does not leak into the output
    $null = $Results.Add((New-Object -TypeName PSObject -Property $Preresult))
}
$Results | Select-Object AAD-DisplayName, AAD-UserPrincipalName, AAD-UsageLocation, AAD-MobilePhone, AAD-OfficePhoneNumber, MFA-Mobile, MFA-AlternativePhoneNumber, MFA-Email, MFA-DefaultMethod | Export-Csv -NoTypeInformation -Path "d:\AzureMFAUserDetails.csv"
Sudhish Kumar
- Dale Robertson Copper Contributor
I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.
Thank You in advance.
- Michal_Z Brass Contributor
Here is the script which does exactly what you need:
https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/