Forum Discussion
Powershell CMDlets for MFA Settings?
- Feb 13, 2018
You have the information in the Get-MSolUser cmdlet from MSOnline powershell module:
Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
This specific PS command relies upon the Group Object ID which is unique to the specific group. For instance, if you have an All Users group, you would need to provide. It's a number that looks similar to this: af407072-7ae1-4b07-a0ca-6634b7396054
Is it possible to edit the value of the strongauthenticationmethod?
So I want to switch the IsDefault value in my case from PhoneAppOTP to PhoneAppNotification
I was hoping I was just going to be able to use
Set-MsolUser -UserPrincipalName myuser@mycompany.com -StrongAuthenticationMethods phoneappnotification
But this doesn't seem to be the correct methodology. Any guidance would be appreciated.
- Raghuram P, Dec 05, 2018, Copper Contributor
Wish that was so easy... you could try:
Read the current methods set,
Create new object to hold the values as needed
$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType="PhoneAppNotification"
$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType="PhoneAppOTP"
$m=@($m1,$m2)
set-msoluser -Userprincipalname "UPN" -StrongAuthenticationMethods $m
You will have to try this on a few users to see how it works (especially when values are already set).
- Plantagenet, Dec 05, 2018, Copper Contributor
Hi Raghuram
This is the exact method I ended up using. Thanks for replying
- Micki Wulffeld, Jan 03, 2019, Brass Contributor
I found a solution to this :)
# /MWU
# First connect to your tenant (as you use to do it)
# Output from my connect tenant function
# cat function:Connect-O365-PROD
# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
# Legacy Exchange Online remote session over basic authentication; only needed for Exchange cmdlets, not for the MSOnline cmdlets used below
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -global
Connect-MsolService -Credential $PRODAdminCred
##################Forget above if you are Pro :)#######################################
#Selected user in cloud
$Userpricipalname = "abc@org.com"
# Get settings for a user with existing auth data
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
# Viewing default method
$User.StrongAuthenticationMethods
# Creating custom objects for each method (put $true instead of $false on the method you prefer as the default)
$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType="OneWaySMS"
$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType="TwoWayVoiceMobile"
$m3=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType="PhoneAppOTP"
$m4=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $True
$m4.MethodType="PhoneAppNotification"
# To set the user's default method for the second factor
#$m=@($m1,$m2,$m3,$m4)
# To force the user ONLY to re-register without clearing their phone number or app shared secret
$m=@()
# Set command to define the new settings
set-msoluser -Userprincipalname $user.UserPrincipalName -StrongAuthenticationMethods $m
# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
$User.StrongAuthenticationMethods
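The two replies above both rebuild the StrongAuthenticationMethods array from hard-coded entries, and Micki's script shows that writing an empty array wipes every registered method. The function below is an added example (not code from any poster in this thread) that builds the array from what the user has actually registered, refuses to write an empty array or promote an unregistered method, supports -WhatIf, and reads the value back to verify. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name is my own.

```powershell
# Added example: set a user's default MFA method from their already-registered methods.
# Assumes MSOnline is loaded and Connect-MsolService has been run. Function name is hypothetical.
function Set-MsolDefaultMfaMethod {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)]
        [ValidateSet('PhoneAppNotification', 'PhoneAppOTP', 'OneWaySMS', 'TwoWayVoiceMobile')]
        [string] $DefaultMethod
    )

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $current = @($user.StrongAuthenticationMethods)

    # Guard: an empty array written back clears every registered method and forces
    # re-registration (as the thread shows). Never do that by accident.
    if ($current.Count -eq 0) {
        throw "$UserPrincipalName has no registered MFA methods; nothing to set as default."
    }

    # Only promote a method the user has registered; otherwise prompts would go to a
    # channel the user cannot answer and they would be locked out.
    if (-not ($current.MethodType -contains $DefaultMethod)) {
        throw "$UserPrincipalName has not registered '$DefaultMethod'. Registered: $($current.MethodType -join ', ')"
    }

    # Rebuild the array, preserving every existing method and flipping only IsDefault.
    $new = foreach ($m in $current) {
        $obj = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $obj.MethodType = $m.MethodType
        $obj.IsDefault  = ($m.MethodType -eq $DefaultMethod)
        $obj
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set default MFA method to $DefaultMethod")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @($new)

        # Read back and verify, as both replies in the thread recommend.
        $check = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods |
            Where-Object IsDefault
        if ($check.MethodType -ne $DefaultMethod) {
            throw "Verification failed: default is now '$($check.MethodType)'."
        }
        $check
    }
}

# Dry run first, then apply (UPN is a placeholder):
# Set-MsolDefaultMfaMethod -UserPrincipalName 'user@domain.com' -DefaultMethod PhoneAppNotification -WhatIf
# Set-MsolDefaultMfaMethod -UserPrincipalName 'user@domain.com' -DefaultMethod PhoneAppNotification
```

Run it with -WhatIf on a handful of accounts before applying it in bulk, and log the before and after values of StrongAuthenticationMethods so any accidental change can be reverted.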