Forum Discussion

ABaerst's avatar
ABaerst
Brass Contributor
Feb 13, 2018
Solved

Powershell CMDlets for MFA Settings?

Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I...
Azure Active Directory (AAD)
Identity Management
microsoft 365
  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Feb 13, 2018

    You have the information in the Get-MSolUser cmdlet from MSOnline powershell module:

    Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
    $User.StrongAuthenticationMethods

    With that you get the default authentication method. There are other properties beginning by StrongAuthentication that give you other details

Pablo R. Ortiz's avatar
Pablo R. Ortiz
Iron Contributor
Feb 13, 2018

You have the information in the Get-MSolUser cmdlet from MSOnline powershell module:

Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods

With that you get the default authentication method. There are other properties beginning by StrongAuthentication that give you other details

Kaspar_Danielsen's avatar
Kaspar_Danielsen
Copper Contributor
Mar 20, 2020

Pablo R. Ortiz 

 

Hi, is there a way to remove the authentication once it's set?

 

If I by accident enable this on a user, the user is unable to remove the authentication method within Office 365, since it does require minimum one selection.

 

As shown in your screen shot, those won't appear on a user account that haven't been enabled.

 

Kind Regards,
Kaspar D.

  • Gary Long's avatar
    Gary Long
    Copper Contributor
    Mar 20, 2020

    Kaspar_Danielsen The simplest method is via portal.azure.com.  Navigate to Azure Active Directory->Users, then click Multi-Factor Authentication in the upper menu bar.  Search for the username, then select it.  You can then click Disable under "quick steps". 

     

    If you're using Conditional Access policies to enforce MFA, then the settings above are not used.  In this case, you can remove MFA via PowerShell:

     

    #Connect to Azure AD
    Connect-MsolService
    #Disable MFA for a user $mfa = @() Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa

     

     

     

    • Kaspar_Danielsen's avatar
      Kaspar_Danielsen
      Copper Contributor
      Mar 20, 2020

      Gary Long 

       

      Hi Gary,

       

      Thank you for taking the time to answer my question.

       

      I'm connected and ran the command. It accepted it, but both options for SMS and Call is still listed. In other words, it didn't make a change for some reason.

       

      I don't use this command or use Office 365 to enable/disable MFA.

      Set-MsolUser -UserPricipalName mailto:User@domain.com -StrongAuthenticationRequirements $mfa

       

      When you run this command, it does show 2 or more options for SMS/Call/App etc. I wish to erase those with a command line, since it's not possible to do that manually in the users profile.

      $User = Get-MSolUser -UserPrincipalName mailto:User@domain.com
      $User.StrongAuthenticationMethods

       

      Kind Regards,
      Kaspar Danielsen

Resources