Powershell CMDlets for MFA Settings?
- Feb 13, 2018
You have the information in the Get-MSolUser cmdlet from the MSOnline PowerShell module:
Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
Hi, is there a way to remove the authentication once it's set?
If I accidentally enable this on a user, the user is unable to remove the authentication method within Office 365, since it requires a minimum of one selection.
As shown in your screenshot, those won't appear on a user account that hasn't been enabled.
Kind Regards,
Kaspar D.
- Gary Long, Mar 20, 2020 (Copper Contributor)
Kaspar_Danielsen The simplest method is via portal.azure.com. Navigate to Azure Active Directory->Users, then click Multi-Factor Authentication in the upper menu bar. Search for the username, then select it. You can then click Disable under "quick steps".
If you're using Conditional Access policies to enforce MFA, then the settings above are not used. In this case, you can remove MFA via PowerShell:
#Connect to Azure AD
Connect-MsolService
#Disable MFA for a user
$mfa = @()
Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa
- Kaspar_Danielsen, Mar 20, 2020 (Copper Contributor)
Hi Gary,
Thank you for taking the time to answer my question.
I'm connected and ran the command. It accepted it, but both options for SMS and Call are still listed. In other words, it didn't make a change for some reason.
I don't use this command or use Office 365 to enable/disable MFA.
Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa
When you run this command, it does show 2 or more options for SMS/Call/App etc. I wish to erase those with a command line, since it's not possible to do that manually in the users profile.
$User = Get-MSolUser -UserPrincipalName User@domain.com
$User.StrongAuthenticationMethods
Kind Regards,
Kaspar Danielsen
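Added example, not part of the thread or written by its participants: a read-only report that puts the two properties discussed above, StrongAuthenticationRequirements and StrongAuthenticationMethods, side by side for each user, so an account with per-user MFA off but methods still registered stands out. `Get-MfaSummary` is a hypothetical helper name, and the two sample users are constructed so the block runs without a tenant connection.

```powershell
# Added example, not from the thread. Get-MfaSummary is a hypothetical helper.
function Get-MfaSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Drop $null entries so an unset property and an empty array look the same.
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }
        # No requirement entry means MFA is not enabled per user.
        $state = 'Disabled'
        if ($req.Count) { $state = ($req.State | Select-Object -Unique) -join ',' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
            DefaultMethod     = $default -join ','
            RegisteredMethods = $methods.MethodType -join ','
            # True when methods are still registered although per-user MFA is off.
            MethodsRemain     = (-not $req.Count) -and ($methods.Count -gt 0)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@example.test'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false })
    },
    [pscustomobject]@{
        UserPrincipalName                = 'bob@example.test'
        StrongAuthenticationRequirements = @()   # per-user MFA cleared
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'TwoWayVoiceMobile'; IsDefault = $false })
    }
)
$sample | Get-MfaSummary | Format-Table -AutoSize

# Against a tenant: Connect-MsolService; Get-MsolUser -All | Get-MfaSummary
```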