Forum Discussion
ABaerst
Feb 13, 2018 Brass Contributor
Powershell CMDlets for MFA Settings?
Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I...
Pablo R. Ortiz
Feb 13, 2018 Steel Contributor
You have the information in the Get-MsolUser cmdlet from the MSOnline PowerShell module:
# Sign in to the tenant first
Connect-MsolService
# Fetch the user object; the MFA data hangs off its StrongAuthentication* properties
$User = Get-MsolUser -UserPrincipalName user@domain.com
# Registered verification methods; the entry with IsDefault = True is the primary one
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
- Kaspar_Danielsen Mar 20, 2020 Copper Contributor
Hi, is there a way to remove the authentication once it's set?
If I enable this on a user by accident, the user is unable to remove the authentication method within Office 365, since it requires a minimum of one selection.
As shown in your screenshot, those won't appear on a user account that hasn't been enabled.
Kind Regards,
Kaspar D.
- Gary Long Mar 20, 2020 Copper Contributor
Kaspar_Danielsen The simplest method is via portal.azure.com. Navigate to Azure Active Directory->Users, then click Multi-Factor Authentication in the upper menu bar. Search for the username, then select it. You can then click Disable under "quick steps".
If you're using Conditional Access policies to enforce MFA, then the settings above are not used. In this case, you can remove MFA via PowerShell:
#Connect to Azure AD
Connect-MsolService
#Disable MFA for a user: an empty requirements array clears the per-user MFA state
$mfa = @()
Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa
- Kaspar_Danielsen Mar 20, 2020 Copper Contributor
Hi Gary,
Thank you for taking the time to answer my question.
I'm connected and ran the command. It accepted it, but both options for SMS and Call are still listed. In other words, it didn't make a change for some reason.
I don't use this command or use Office 365 to enable/disable MFA.
Set-MsolUser -UserPrincipalName User@domain.com -StrongAuthenticationRequirements $mfa
When you run this command, it does show 2 or more options for SMS/Call/App etc. I wish to erase those with a command line, since it's not possible to do that manually in the users profile.
$User = Get-MSolUser -UserPrincipalName User@domain.com
$User.StrongAuthenticationMethods
Kind Regards,
Kaspar Danielsen
- Indira1390 Jan 09, 2020 Copper Contributor
Can someone help me export the strong authentication details to a CSV file from Azure AD for some users provided through an input file?
Thanks in advance
- SudhishSkumar May 11, 2020 Copper Contributor
I am using the logic below to extract user MFA details and the configured default method. We use combined registration (SSPR + MFA).
#Define global variable
$Results = New-Object System.Collections.ArrayList
# Get User list from a text file, expect user name as UserPrincipalName
$Userlist = Get-Content d:\users.txt
Write-Host "Total $(($Userlist).count) users"
#Checking each user Strong Authentication Method
$Userlist | ForEach-Object {
    Write-Host "Checking user: $($_) MFA status....."
    $User = Get-MsolUser -UserPrincipalName $_
    $UserStrongDetails = $User.StrongAuthenticationMethods
    $UserStrongDetailsCount = $User.StrongAuthenticationMethods.Count
    # Reset per user; otherwise a previous user's default leaks into a user that has no IsDefault entry
    $DefaultMethod = $null
    If ($UserStrongDetails) {
        For ($i = 0; $i -lt $UserStrongDetailsCount; $i++) {
            if (($UserStrongDetails[$i].IsDefault) -eq $true) {
                $DefaultMethod = $UserStrongDetails[$i].MethodType
                break
            }
        }
        $Preresult = @{
            'AAD-DisplayName'            = $User.DisplayName
            'AAD-UserPrincipalName'      = $User.UserPrincipalName
            'AAD-UsageLocation'          = $User.UsageLocation
            'AAD-MobilePhone'            = $User.MobilePhone
            'AAD-OfficePhoneNumber'      = $User.PhoneNumber
            'MFA-Mobile'                 = $User.StrongAuthenticationUserDetails.PhoneNumber
            'MFA-AlternativePhoneNumber' = $User.StrongAuthenticationUserDetails.AlternativePhoneNumber
            'MFA-Email'                  = $User.StrongAuthenticationUserDetails.Email
            'MFA-DefaultMethod'          = $DefaultMethod
        }
    }
    else {
        # No registered methods: emit the AAD fields and mark the MFA columns as not defined
        $Preresult = @{
            'AAD-DisplayName'            = $User.DisplayName
            'AAD-UserPrincipalName'      = $User.UserPrincipalName
            'AAD-UsageLocation'          = $User.UsageLocation
            'AAD-MobilePhone'            = $User.MobilePhone
            'AAD-OfficePhoneNumber'      = $User.PhoneNumber
            'MFA-Mobile'                 = "Not-Defined"
            'MFA-AlternativePhoneNumber' = "Not-Defined"
            'MFA-Email'                  = "Not-Defined"
            'MFA-DefaultMethod'          = "Not-Defined"
        }
    }
    # ArrayList.Add returns the new index; discard it so it is not written to the pipeline
    [void]$Results.Add((New-Object -TypeName PSObject -Property $Preresult))
}
$Results | Select-Object AAD-DisplayName, AAD-UserPrincipalName, AAD-UsageLocation, AAD-MobilePhone, AAD-OfficePhoneNumber, MFA-Mobile, MFA-AlternativePhoneNumber, MFA-Email, MFA-DefaultMethod | Export-Csv -NoTypeInformation -Path "d:\AzureMFAUserDetails.csv"
_Sudhish Kumar
- Malik0147 Jun 21, 2020 Copper Contributor
SudhishSkumar, what details will this spit out? Please let me know, I'm trying to extract the phone numbers users used in registering MFA. I found the same number on 2 different profiles, so I need to do an audit to see how many profiles like this I have out there.
Thanks
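Added example, not posted by anyone in this thread: it takes the same MSOnline user object shape the scripts above read (StrongAuthenticationRequirements, StrongAuthenticationMethods, StrongAuthenticationUserDetails), flattens it into one audit row per user with the per-user MFA state, the registered methods and the one flagged IsDefault, and then answers the question just asked by listing phone numbers registered on more than one account. The function names ConvertTo-MfaAuditRow and Find-SharedMfaPhone are my own, and the three sample users at the bottom are constructed so the script runs without a tenant; in real use you would run Connect-MsolService and pipe Get-MsolUser -All into ConvertTo-MfaAuditRow instead.

```powershell
# Added example (not from any post in this thread). Flattens the MSOnline user
# object shape into one audit row per user, then lists phone numbers registered
# for MFA on more than one account. Sample users below are constructed; in
# production, pipe Get-MsolUser -All into ConvertTo-MfaAuditRow.

function ConvertTo-MfaAuditRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        $methods = @($User.StrongAuthenticationMethods)
        $req     = @($User.StrongAuthenticationRequirements)
        $details = $User.StrongAuthenticationUserDetails

        # Per-user MFA state (Enabled/Enforced). Empty when the account was never
        # put under per-user MFA, e.g. when only Conditional Access enforces it.
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }

        # Name of the method flagged IsDefault, not the list of booleans
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType
        if (-not $default) { $default = 'Not-Defined' }

        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            MfaState          = $state
            # Arrays must be joined, otherwise Export-Csv writes "System.Object[]"
            Methods           = ($methods.MethodType -join ';')
            DefaultMethod     = $default
            MfaPhone          = $details.PhoneNumber
            MfaAltPhone       = $details.AlternativePhoneNumber
            MfaEmail          = $details.Email
        }
    }
}

function Find-SharedMfaPhone {
    param([Parameter(Mandatory)] [object[]] $Rows)
    # Normalise spacing and punctuation so "+1 555-0100" and "+15550100" match
    $Rows | Where-Object { $_.MfaPhone } |
        Group-Object { $_.MfaPhone -replace '[\s\-()]', '' } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{
                PhoneNumber = $_.Name
                Accounts    = $_.Count
                Users       = ($_.Group.UserPrincipalName -join ';')
            }
        }
}

# --- constructed sample data mimicking Get-MsolUser output; not real accounts ---
$sampleUsers = @(
    [PSCustomObject]@{
        UserPrincipalName = 'alice@example.com'; DisplayName = 'Alice'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @(
            [PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [PSCustomObject]@{ MethodType = 'OneWaySMS';            IsDefault = $false }
        )
        StrongAuthenticationUserDetails = [PSCustomObject]@{ PhoneNumber = '+1 555-0100'; AlternativePhoneNumber = $null; Email = $null }
    },
    [PSCustomObject]@{
        UserPrincipalName = 'bob@example.com'; DisplayName = 'Bob'
        StrongAuthenticationRequirements = @()    # no per-user MFA state set
        StrongAuthenticationMethods = @([PSCustomObject]@{ MethodType = 'OneWaySMS'; IsDefault = $true })
        StrongAuthenticationUserDetails = [PSCustomObject]@{ PhoneNumber = '+15550100'; AlternativePhoneNumber = $null; Email = $null }
    },
    [PSCustomObject]@{
        UserPrincipalName = 'carol@example.com'; DisplayName = 'Carol'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @()         # never registered
        StrongAuthenticationUserDetails = $null
    }
)

$rows = $sampleUsers | ConvertTo-MfaAuditRow
$rows | Format-Table -AutoSize
$rows | Export-Csv -NoTypeInformation -Path '.\MfaAudit.csv'

# Accounts that share one registered MFA phone number: alice and bob in the sample
Find-SharedMfaPhone -Rows $rows | Format-Table -AutoSize
```

Two points worth noting when you adapt this: MfaState comes from StrongAuthenticationRequirements and Methods from StrongAuthenticationMethods, which are separate properties, so clearing the requirements with Set-MsolUser (as in the earlier reply) does not empty the methods list, and the report shows both so you can see which one actually changed; and the phone comparison strips spaces, dashes and parentheses before grouping, because the same number is often stored in different formats on different accounts.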
- Gary Long Mar 20, 2020 Copper Contributor
Indira1390 You first have to create your input user list using something like this:
Get-MsolUser -EnabledFilter EnabledOnly -All | Export-csv "C:\downloads\userlist.csv"
Then, you can create the MFA details for each user:
$filepath1 = Import-Csv "C:\downloads\userlist.csv"
$filepath2 = 'C:\downloads\MFA-Results.csv'
# Methods is an array, so it is joined with ';' (otherwise Export-Csv writes "System.Object[]"),
# and "Default Method" picks the MethodType of the entry flagged IsDefault rather than the booleans
ForEach ($item in $filepath1)
{
    $user = $item.UserPrincipalName
    Get-MsolUser -UserPrincipalName $user | Where {$_.UserPrincipalName} |
        Select UserPrincipalName, DisplayName, Country, Department, Title,
            @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}},
            @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType -join ';'}},
            @{n="Default Method"; e={($_.StrongAuthenticationMethods | Where {$_.IsDefault}).MethodType}} |
        Export-Csv -Path $filepath2 -Append
}
- Dale Robertson May 31, 2018 Copper Contributor
I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.
Thank You in advance.
- MichalZiemba Oct 22, 2020 Brass Contributor
Here is the script which does exactly what you need:
https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/
- Gary Long May 31, 2018 Copper Contributor
Try this (has to be done on a per-group basis):
$filepath = '<your-export-filename>'
# Methods is joined with ';' so Export-Csv writes the names instead of "System.Object[]",
# and "Default Method" reports the MethodType flagged IsDefault rather than a list of booleans
Get-MsolGroupMember -GroupObjectId <the id number of the group> -MemberObjectTypes User -All |
    Get-MsolUser | Where {$_.UserPrincipalName} |
    Select UserPrincipalName, DisplayName, Country, Department, Title,
        @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}},
        @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType -join ';'}},
        @{n="Default Method"; e={($_.StrongAuthenticationMethods | Where {$_.IsDefault}).MethodType}} |
    Export-Csv -Path $filepath
- Dale Robertson May 31, 2018 Copper Contributor
Thank You.
So by Group, do you mean all the users must be in some type of GROUP?
[Distro, O365 Group,..]
- ABaerst Feb 13, 2018 Brass Contributor
Man, you guys are militant about the "Best Response." I step away for an hour to get a bite to eat and I come back to someone else marking the answer as "Best Response." Ok, alright. I get it. It's all about the Best Response points. Thanks again.
- Pablo R. Ortiz Feb 14, 2018 Steel Contributor
Best responses help other people quickly identify the correct answer in the thread. And yes, they give "points". There's nothing wrong with that. We take the time to test, reproduce scenarios, run cmdlets, take snapshots, etc., and it won't take you a second to (apart from replying) mark the best response.
- ABaerst Feb 14, 2018 Brass Contributor
I have a feeling that there is nothing that I will be able to say that will lighten this exchange. I appreciate your contribution. I appreciate your thoroughness. I thanked you about four seconds after you posted your reply. I liked the post to show my appreciation. I just didn't click on Best Response yet because I didn't know if the thread had run its full course and I didn't want to stop others from answering if they felt inclined to do so. I am not against a point system. I was just being light-hearted with my reply.
- ABaerst Feb 13, 2018 Brass Contributor
Very nice. Thank you.