Forum Discussion
Disable MFA 14 day grace period?
Hi, Just looking for some advice here... Is it possible to disable/remove the 14 day "grace period" for MFA registration for new users? Premium subscription being used. Customer wants all new u...
# install Graph module before start
# Install-Module Microsoft.Graph -Scope AllUsers -Repository PSGallery -Force
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"
$users = Get-MgUser -All | Select-Object UserPrincipalName, Id
# getting list of not enabled MFA users
$usersWithoutMfa = @()
foreach ($user in $users) {
$userId = $user.Id
$userUPN = $user.UserPrincipalName
Write-Host "Checking MFA status for user: $userUPN" -ForegroundColor Yellow
# Fetch the user's MFA status
$mfaStatus = Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$userId/authentication/requirements"
$mfaStatus.perUserMfaState
# Check if MFA is already enabled
if ($mfaStatus.perUserMfaState -in @('enabled','enforced')) {
Write-Host "MFA is already enabled for user: $userUPN" -ForegroundColor Green
} else {
Write-Host "MFA is not enabled for user: $userUPN. Enabling now..." -ForegroundColor Red
$usersWithoutMfa+=$user
}
}
$usersWithoutMfa.count
$usersWithoutMfa.UserPrincipalName
# Set MFA
# Go through each user and enable MFA
foreach ($user in $usersWithoutMfa) {
$userId = $user.Id
$userUPN = $user.UserPrincipalName
Write-Host "Enabling MFA for user: $userUPN" -ForegroundColor Green
# MFA status
$body = @{
"perUserMfaState" = "enabled"
}
# Invoke the request to update MFA status
Invoke-MgGraphRequest -Method PATCH -Uri "/beta/users/$userid/authentication/requirements" -Body $body
}
Write-Host "MFA status has been enabled for all users." -ForegroundColor CyanOr use some powershell script like this to get a list of not MFA enabled users and enable MFA for them