Forum Discussion

ABaerst's avatar
ABaerst
Brass Contributor
Feb 13, 2018
Solved

Powershell CMDlets for MFA Settings?

Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I...
Azure Active Directory (AAD)
Identity Management
microsoft 365
  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Feb 13, 2018

    You have the information in the Get-MSolUser cmdlet from MSOnline powershell module:

    Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
    $User.StrongAuthenticationMethods

    With that you get the default authentication method. There are other properties beginning by StrongAuthentication that give you other details

Raghuram P's avatar
Raghuram P
Copper Contributor
Dec 05, 2018

Wish that was so easy.. you could try

Read the current methods set,

Create new object to hold the values as needed

$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod

$m1.IsDefault = $true

$m1.MethodType="PhoneAppNotification"

$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod

$m2.IsDefault = $false

$m2.MethodType="PhoneAppOTP"

$m=@($m1,$m2)

set-msoluser -Userprincipalname "UPN" -StrongAuthenticationMethods $m

You will have try this on few users to see how it works (especially when values are already set).

 

Plantagenet's avatar
Plantagenet
Copper Contributor
Dec 05, 2018
Hi Raghuram

This is the exact method I ended up using. Thanks for replying
  • Micki Wulffeld's avatar
    Micki Wulffeld
    Brass Contributor
    Jan 03, 2019

    I Found A solution to this :)

     

    # /MWU
    # First connect to your tenant (as you use to do it)
    # Output from my connect tenant function
    # cat function:Connect-O365-PROD

    # Actual Connect-O365-PROD function
    Get-PSSession | Remove-PSSession
    $PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
    #Use this if you import scriptfunctions from remote server, i only load remote script in my $profile
    Import-Module (Import-PSSession $PROD365Session -AllowClobber) -global
    Connect-MsolService -Credential $PRODAdminCred
    ##################Forget above if you are Pro :)#######################################


    #Selected user in cloud
    $Userpricipalname = "abc@org.com"

    #Get settings for a user with exsisting auth data
    $User = Get-MSolUser -UserPrincipalName $Userpricipalname
    # Viewing default method
    $User.StrongAuthenticationMethods

     


    # Creating custom object for default method (here you just put in $true insted of $false, on the prefeered method you like)
    $m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m1.IsDefault = $false
    $m1.MethodType="OneWaySMS"

    $m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m2.IsDefault = $false
    $m2.MethodType="TwoWayVoiceMobile"


    $m3=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m3.IsDefault = $false
    $m3.MethodType="PhoneAppOTP"


    $m4=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m4.IsDefault = $True
    $m4.MethodType="PhoneAppNotification"

    # To set the users default method for doing second factor
    #$m=@($m1,$m2,$m3,$m4)

    # To force user ONLY to re-register without clearing their phonenumber or App shared secret.
    $m=@()

    # Set command to define new settings
    set-msoluser -Userprincipalname $user.UserPrincipalName -StrongAuthenticationMethods $m

     

    #Settings should be empty, and user is required to register new phone number or whatever they like, i case they lost their phone.
    $User = Get-MSolUser -UserPrincipalName $Userpricipalname
    $User.StrongAuthenticationMethods