Home

PowerShell to temporarily Disable Azure MFA (while remembering settings)

%3CLINGO-SUB%20id%3D%22lingo-sub-197279%22%20slang%3D%22en-US%22%3EPowerShell%20to%20temporarily%20Disable%20Azure%20MFA%20(while%20remembering%20settings)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-197279%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20occasionally%20need%20to%20disable%20MFA%20temporarily%20for%20users%2C%20only%20to%20turn%20it%20back%20on%20again%20after%20a%20short%20period%20of%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20scripts%20to%20enable%20it%2C%20but%20the%20following%20script%20to%20DISABLE%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24sta%20%3D%20%40()%3CBR%20%2F%3ESet-MsolUser%20-UserPrincipalName%20%24user%20-StrongAuthenticationRequirements%20%24sta%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20is%20it%20also%20%22forgets%22%20all%20of%20the%20user's%20configurations%20and%20forces%20them%20to%20re-setup%20everything%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20DISABLE%20MFA%20without%20forgetting%20the%20user's%20settings%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20what%20we%20use%20to%20enable%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24st%20%3D%20New-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationRequirement%3CBR%20%2F%3E%24st.RelyingParty%20%3D%20%22*%22%3CBR%20%2F%3E%24st.State%20%3D%20%22Enforced%22%3CBR%20%2F%3E%24sta%20%3D%20%40(%24st)%3CBR%20%2F%3ESet-MsolUser%20-UserPrincipalName%20%24user%20-StrongAuthenticationRequirements%20%24sta%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-197279%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-200407%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20to%20temporarily%20Disable%20Azure%20MFA%20(while%20remembering%20settings)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-200407%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20information%20is%20forgotten%3F%20can%20you%20write%20it%20into%20a%20different%20attribute%20then%20delete%20and%20pull%20it%20back%20in%20when%20re-enabling%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Brent Ellis
Valued Contributor

We occasionally need to disable MFA temporarily for users, only to turn it back on again after a short period of time.

 

We have scripts to enable it, but the following script to DISABLE MFA.

 

$sta = @()
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta

 

The problem is it also "forgets" all of the user's configurations and forces them to re-setup everything again.

 

Is there a way to DISABLE MFA without forgetting the user's settings?

 

This is what we use to enable:

 

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enforced"
$sta = @($st)
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta

1 Reply

What information is forgotten? can you write it into a different attribute then delete and pull it back in when re-enabling?

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies