SOLVED

Powershell CMDlets for MFA Settings?

%3CLINGO-SUB%20id%3D%22lingo-sub-308367%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308367%22%20slang%3D%22en-US%22%3E%3CP%3EI%20Found%20A%20solution%20to%20this%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3ENot%20a%20one%20time%20bypass%2C%20but%20require%20user%20to%20re-register%20at%20next%20sign-in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23%20%2FMWU%3CBR%20%2F%3E%23%20First%20connect%20to%20your%20tenant%20(as%20you%20use%20to%20do%20it)%3CBR%20%2F%3E%23%20Output%20from%20my%20connect%20tenant%20function%3CBR%20%2F%3E%23%20cat%20function%3AConnect-O365-PROD%3C%2FP%3E%3CP%3E%23%20Actual%20Connect-O365-PROD%20function%3CBR%20%2F%3EGet-PSSession%20%7C%20Remove-PSSession%3CBR%20%2F%3E%24PROD365Session%20%3D%20New-PSSession%20-ConfigurationName%20Microsoft.Exchange%20-ConnectionUri%20%3CA%20href%3D%22https%3A%2F%2Fps.outlook.com%2Fpowershell-liveid%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fps.outlook.com%2Fpowershell-liveid%3C%2FA%3E%20-Credential%20%24PRODAdminCred%20-Authentication%20Basic%20-AllowRedirection%3CBR%20%2F%3E%23Use%20this%20if%20you%20import%20scriptfunctions%20from%20remote%20server%2C%20i%20only%20load%20remote%20script%20in%20my%20%24profile%3CBR%20%2F%3EImport-Module%20(Import-PSSession%20%24PROD365Session%20-AllowClobber)%20-global%3CBR%20%2F%3EConnect-MsolService%20-Credential%20%24PRODAdminCred%3CBR%20%2F%3E%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23Forget%20above%20if%20you%20are%20Pro%20%3A)%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%23Selected%20user%20in%20cloud%3CBR%20%2F%3E%24Userpricipalname%20%3D%20%22abc%40org.com%22%3C%2FP%3E%3CP%3E%23Get%20settings%20for%20a%20user%20with%20exsisting%20auth%20data%3CBR%20%2F%3E%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20%24Userpricipalname%3CBR%20%2F%3E%23%20Viewing%20default%20method%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%23%20Creating%20custom%20object%20for%20default%20method%20(here%20you%20just%20put%20in%20%24true%20insted%20of%20%24false%2C%20on%20the%20prefeered%20method%20you%20like)%3CBR%20%2F%3E%24m1%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m1.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m1.MethodType%3D%22OneWaySMS%22%3C%2FP%3E%3CP%3E%24m2%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m2.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m2.MethodType%3D%22TwoWayVoiceMobile%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24m3%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m3.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m3.MethodType%3D%22PhoneAppOTP%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24m4%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m4.IsDefault%20%3D%20%24True%3CBR%20%2F%3E%24m4.MethodType%3D%22PhoneAppNotification%22%3C%2FP%3E%3CP%3E%23%20To%20set%20the%20users%20default%20method%20for%20doing%20second%20factor%3CBR%20%2F%3E%23%24m%3D%40(%24m1%2C%24m2%2C%24m3%2C%24m4)%3C%2FP%3E%3CP%3E%23%20To%20force%20user%20ONLY%20to%20re-register%20without%20clearing%20their%20phonenumber%20or%20App%20shared%20secret.%3CBR%20%2F%3E%24m%3D%40()%3C%2FP%3E%3CP%3E%23%20Set%20command%20to%20define%20new%20settings%3CBR%20%2F%3Eset-msoluser%20-Userprincipalname%20%24user.UserPrincipalName%20-StrongAuthenticationMethods%20%24m%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Settings%20should%20be%20empty%2C%20and%20user%20is%20required%20to%20register%20new%20phone%20number%20or%20whatever%20they%20like%2C%20i%20case%20they%20lost%20their%20phone.%3CBR%20%2F%3E%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20%24Userpricipalname%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308365%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308365%22%20slang%3D%22en-US%22%3E%3CP%3EI%20Found%20A%20solution%20to%20this%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23%20%2FMWU%3CBR%20%2F%3E%23%20First%20connect%20to%20your%20tenant%20(as%20you%20use%20to%20do%20it)%3CBR%20%2F%3E%23%20Output%20from%20my%20connect%20tenant%20function%3CBR%20%2F%3E%23%20cat%20function%3AConnect-O365-PROD%3C%2FP%3E%3CP%3E%23%20Actual%20Connect-O365-PROD%20function%3CBR%20%2F%3EGet-PSSession%20%7C%20Remove-PSSession%3CBR%20%2F%3E%24PROD365Session%20%3D%20New-PSSession%20-ConfigurationName%20Microsoft.Exchange%20-ConnectionUri%20%3CA%20href%3D%22https%3A%2F%2Fps.outlook.com%2Fpowershell-liveid%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fps.outlook.com%2Fpowershell-liveid%3C%2FA%3E%20-Credential%20%24PRODAdminCred%20-Authentication%20Basic%20-AllowRedirection%3CBR%20%2F%3E%23Use%20this%20if%20you%20import%20scriptfunctions%20from%20remote%20server%2C%20i%20only%20load%20remote%20script%20in%20my%20%24profile%3CBR%20%2F%3EImport-Module%20(Import-PSSession%20%24PROD365Session%20-AllowClobber)%20-global%3CBR%20%2F%3EConnect-MsolService%20-Credential%20%24PRODAdminCred%3CBR%20%2F%3E%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23Forget%20above%20if%20you%20are%20Pro%20%3A)%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%23Selected%20user%20in%20cloud%3CBR%20%2F%3E%24Userpricipalname%20%3D%20%22abc%40org.com%22%3C%2FP%3E%3CP%3E%23Get%20settings%20for%20a%20user%20with%20exsisting%20auth%20data%3CBR%20%2F%3E%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20%24Userpricipalname%3CBR%20%2F%3E%23%20Viewing%20default%20method%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%23%20Creating%20custom%20object%20for%20default%20method%20(here%20you%20just%20put%20in%20%24true%20insted%20of%20%24false%2C%20on%20the%20prefeered%20method%20you%20like)%3CBR%20%2F%3E%24m1%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m1.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m1.MethodType%3D%22OneWaySMS%22%3C%2FP%3E%3CP%3E%24m2%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m2.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m2.MethodType%3D%22TwoWayVoiceMobile%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24m3%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m3.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24m3.MethodType%3D%22PhoneAppOTP%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24m4%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24m4.IsDefault%20%3D%20%24True%3CBR%20%2F%3E%24m4.MethodType%3D%22PhoneAppNotification%22%3C%2FP%3E%3CP%3E%23%20To%20set%20the%20users%20default%20method%20for%20doing%20second%20factor%3CBR%20%2F%3E%23%24m%3D%40(%24m1%2C%24m2%2C%24m3%2C%24m4)%3C%2FP%3E%3CP%3E%23%20To%20force%20user%20ONLY%20to%20re-register%20without%20clearing%20their%20phonenumber%20or%20App%20shared%20secret.%3CBR%20%2F%3E%24m%3D%40()%3C%2FP%3E%3CP%3E%23%20Set%20command%20to%20define%20new%20settings%3CBR%20%2F%3Eset-msoluser%20-Userprincipalname%20%24user.UserPrincipalName%20-StrongAuthenticationMethods%20%24m%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Settings%20should%20be%20empty%2C%20and%20user%20is%20required%20to%20register%20new%20phone%20number%20or%20whatever%20they%20like%2C%20i%20case%20they%20lost%20their%20phone.%3CBR%20%2F%3E%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20%24Userpricipalname%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-295237%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-295237%22%20slang%3D%22en-US%22%3EHi%20Raghuram%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20the%20exact%20method%20I%20ended%20up%20using.%20Thanks%20for%20replying%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-295198%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-295198%22%20slang%3D%22en-US%22%3E%3CP%3EWish%20that%20was%20so%20easy..%20you%20could%20try%3C%2FP%3E%3CP%3ERead%20the%20current%20methods%20set%2C%3C%2FP%3E%3CP%3ECreate%20new%20object%20to%20hold%20the%20values%20as%20needed%3C%2FP%3E%3CP%3E%24m1%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3C%2FP%3E%3CP%3E%24m1.IsDefault%20%3D%20%24true%3C%2FP%3E%3CP%3E%24m1.MethodType%3D%22PhoneAppNotification%22%3C%2FP%3E%3CP%3E%24m2%3DNew-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3C%2FP%3E%3CP%3E%24m2.IsDefault%20%3D%20%24false%3C%2FP%3E%3CP%3E%24m2.MethodType%3D%22PhoneAppOTP%22%3C%2FP%3E%3CP%3E%24m%3D%40(%24m1%2C%24m2)%3C%2FP%3E%3CP%3Eset-msoluser%20-Userprincipalname%20%22UPN%22%20-StrongAuthenticationMethods%20%24m%3C%2FP%3E%3CP%3EYou%20will%20have%20try%20this%20on%20few%20users%20to%20see%20how%20it%20works%20(especially%20when%20values%20are%20already%20set).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292712%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292712%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20possible%20to%20edit%20the%20value%20of%20the%20strongauthenticationmethod%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20want%20to%20switch%20the%20IsDefault%20value%20in%20my%20case%20from%20PhoneAppOTP%20to%20PhoneAppNotification%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20hoping%20I%20was%20just%20going%20to%20be%20able%20to%20use%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet-MsolUser%20-UserPrincipalName%20myuser%40mycompany.com%20-StrongAuthenticationMethods%20phoneappnotification%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20this%20doesn't%20seem%20to%20be%20the%20correct%20methodology.%26nbsp%3B%20Any%20guidance%20would%20be%20apprciated%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199608%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199608%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20specific%20PS%20command%20relies%20upon%20the%20Group%20Object%20ID%20which%20is%20unique%20to%20the%20specific%20group.%26nbsp%3B%20For%20instance%2C%20if%20you%20have%20an%20All%20Users%20group%2C%20you%20would%20need%20to%20provide.%26nbsp%3B%20It's%20a%20number%20that%20looks%20similar%20to%20this%3A%26nbsp%3B%3CSPAN%3Eaf407072-%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-number%22%3E7%3C%2FSPAN%3E%3CSPAN%3Eae1-%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-number%22%3E4%3C%2FSPAN%3E%3CSPAN%3Eb07-a0ca-%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-number%22%3E6634%3C%2FSPAN%3E%3CSPAN%3Eb7396054%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199605%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199605%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20You.%3C%2FP%3E%3CP%3ESo%20by%20Group%2C%20do%20you%20mean%20all%20the%20users%20must%20be%20in%20some%20type%20of%20GROUP%3F%3C%2FP%3E%3CP%3E%5BDistro%2C%20O365%20Group%2C..%5D%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199603%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199603%22%20slang%3D%22en-US%22%3E%3CP%3ETry%20this%20(has%20to%20be%20done%20on%20a%20per-group%20basis)%3A%3C%2FP%3E%3CP%3E%24filepath%20%3D%20'%3CYOUR-EXPORT-FILENAME%3E'%3CBR%20%2F%3EGet-MsolGroupMember%20-GroupObjectId%26nbsp%3B%3CTHE%20id%3D%22%22%20number%3D%22%22%20of%3D%22%22%20the%3D%22%22%20group%3D%22%22%3E%20-MemberObjectTypes%20User%20-All%20%7C%20Get-MsolUser%20%7C%20Where%20%7B%24_.UserPrincipalName%7D%20%7C%20Select%20UserPrincipalName%2C%20DisplayName%2C%20Country%2C%20Department%2C%20Title%2C%20%40%7Bn%3D%22MFA%22%3B%20e%3D%7B%24_.StrongAuthenticationRequirements.State%7D%7D%2C%20%40%7Bn%3D%22Methods%22%3B%20e%3D%7B(%24_.StrongAuthenticationMethods).MethodType%7D%7D%2C%20%40%7Bn%3D%22Default%20Method%22%3B%20e%3D%7B(%24_.StrongAuthenticationMethods).IsDefault%7D%7D%20%7C%20Export-Csv%20-Path%20%24filepath%3C%2FTHE%3E%3C%2FYOUR-EXPORT-FILENAME%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199600%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199600%22%20slang%3D%22en-US%22%3E%3CP%3EI%20need%20a%20PS%20script%20that%20generates%20a%20CSV%20showing%20not%20only%20if%20MFA%20is%20enabled%20for%20%3CSTRONG%3E%3CEM%3Eall%20users%3C%2FEM%3E%3C%2FSTRONG%3E%2C%20but%20shows%20the%20authentication%20method%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20You%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-177861%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-177861%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20provided%20this%20command%20by%20MS%20Support%3A%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3EConnect-Msolservice%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3EGet-MsolGroupMember%20-GroupObjectId%20%3CTHE%20group%3D%22%22%20object%3D%22%22%20id%3D%22%22%3E%20-MemberObjectTypes%20User%20%7C%20Get-MsolUser%20%7C%20select%20Userprincipalname%20-ExpandProperty%20StrongAuthenticationUserDetails%20%7C%20select%20UserPrincipalName%2C%20AlternativePhoneNumber%2C%20Email%2C%20PhoneNumber%3C%2FTHE%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158900%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158900%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20replying.%20I%20think%20this%20DO%20enlighten%20exchange%20between%20community%20users.%3C%2FP%3E%0A%3CP%3EBy%20marking%20Best%20Response%20you%20are%20not%20stopping%20others%20from%20answering%2C%20they%20can%20continue%20to%20post%20their%20comments.%20And%20if%20you%20change%20your%20mind%20on%20the%20Best%20Response%2C%20you%20can%20just%20change%20it.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20273px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28570i321DEF887824836B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22NotBest.jpg%22%20title%3D%22NotBest.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158856%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158856%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20feeling%20that%20there%20is%20nothing%20that%20I%20will%20be%20able%20to%20say%20that%20will%20lighten%20this%20exchange.%20I%20appreciate%20your%20contribution.%20I%20appreciate%20your%20thoroughness.%20I%20thanked%20you%20about%20four%20seconds%20after%20you%20posted%20your%20reply.%20I%20liked%20the%20post%20to%20show%20my%20appreciation.%20I%20just%20didn't%20click%20on%20Best%20Response%20yet%20because%20I%20didn't%20know%20if%20the%20thread%20had%20run%20its%20full%20course%20and%20I%20didn't%20want%20to%20stop%20others%20from%20answering%20if%20they%20felt%20inclined%20to%20do%20so.%20I%20am%20not%20against%20a%20point%20system.%20I%20was%20just%20being%20light-hearted%20with%20my%20reply.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158316%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158316%22%20slang%3D%22en-US%22%3E%3CP%3EBest%20response%20help%20other%20people%20quickly%20identify%20the%20correct%20answer%20in%20the%20thread.%20And%20yes%2C%20they%20give%20%22points%22.%20There's%20nothing%20wrong%20with%20that.%20We%20take%20the%20time%20to%20test%2C%20reproduce%20scenarios%2C%20run%20cmdlets%2C%20take%20snapshots%2C%20etc%2C%20and%20it%20won't%20take%20you%20a%20second%20to%20(apart%20from%20replying)%20mark%20the%20best%20response.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FGetting-Started%2FMicrosoft-Tech-Community-Guidelines%2Fm-p%2F107%23M1%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FGetting-Started%2FMicrosoft-Tech-Community-Guidelines%2Fm-p%2F107%23M1%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158023%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158023%22%20slang%3D%22en-US%22%3E%3CP%3EMan%2C%20you%20guys%20are%20militant%20about%20the%20%22Best%20Response.%22%20I%20step%20away%20for%20an%20hour%20to%20get%20a%20bite%20to%20eat%20and%20I%20come%20back%20to%20someone%20else%20marking%20the%20answer%20as%20%22Best%20Response.%22%20Ok%2C%20alright.%20I%20get%20it.%20It's%20all%20about%20the%20Best%20Response%20points.%20Thanks%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-157780%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-157780%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20nice.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-157759%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-157759%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20have%20the%20information%20in%20the%20Get-MSolUser%20cmdlet%20from%20MSOnline%20powershell%20module%3A%3C%2FP%3E%0A%3CPRE%3EConnect-MsolService%0A%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20user%40domain.com%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FPRE%3E%0A%3CP%3EWith%20that%20you%20get%26nbsp%3Bthe%20default%20authentication%20method.%20There%20are%20other%20properties%20beginning%20by%20StrongAuthentication%20that%20give%20you%20other%20details%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20592px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28506iC488012ED2540699%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22MFAPS.JPG%22%20title%3D%22MFAPS.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-751933%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-751933%22%20slang%3D%22en-US%22%3EDo%20we%20have%20option%20to%20change%20the%20Phone%20number%20under%20Authentication%20tab%20from%20powershell%20%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-752062%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-752062%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20Sadly%20there%20still%20no%20powershell%20way%20to%20update%20the%20Authentication%20Phone%20%2F%20info%20directly.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F375336%22%20target%3D%22_blank%22%3E%40ManishKKutty%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESe%20the%20uservoice%20here%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F14795625-authentication-phone%3Ftracking_code%3Dcf9e1592ed0a22ed3965812d156fdef5%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F14795625-authentication-phone%3Ftracking_code%3Dcf9e1592ed0a22ed3965812d156fdef5%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-884992%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-884992%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20you%20send%20my%20renumaration%20of%20Intendant%20Microsoft%20Corporation%20Anonymous%20my%20sister%20will%20send%20you%20my%20number%20of%20account%20and%20folio%20she%20whiting%20you%20of%20account%20Neffretiti%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F133465%22%20target%3D%22_blank%22%3E%40Gary%20Long%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098178%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098178%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20someone%20help%20me%20to%20export%20the%20strong%20authentication%20details%20to%20a%20csv%20file%20from%20Azure%20AD%20for%20some%20users%20provided%20through%20input%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1242223%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242223%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F889%22%20target%3D%22_blank%22%3E%40Pablo%20R.%20Ortiz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20is%20there%20a%20way%20to%20remove%20the%20authentication%20once%20it's%20set%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20by%20accident%20enable%20this%20on%20a%20user%2C%20the%20user%20is%20unable%20to%20remove%20the%20authentication%20method%20within%20Office%20365%2C%20since%20it%20does%20require%20minimum%20one%20selection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20shown%20in%20your%20screen%20shot%2C%20those%20won't%20appear%20on%20a%20user%20account%20that%20haven't%20been%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Regards%2C%3CBR%20%2F%3EKaspar%20D.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1242266%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242266%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F511531%22%20target%3D%22_blank%22%3E%40Indira1390%3C%2FA%3E%26nbsp%3BYou%20first%20have%20to%20create%20your%20input%20user%20list%20using%20something%20like%20this%3A%3C%2FP%3E%3CPRE%3E%3CSPAN%3E%3CSPAN%20class%3D%22hljs-pscommand%22%3EGet-MsolUser%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-EnabledFilter%3C%2FSPAN%3E%20EnabledOnly%20-All%26nbsp%3B%7C%20Export-csv%26nbsp%3B%22C%3A%5Cdownloads%5Cuserlist.csv%22%3C%2FSPAN%3E%3C%2FPRE%3E%3CP%3EThen%2C%20you%20can%20create%20the%20MFA%20details%20for%20each%20user%3A%3C%2FP%3E%3CPRE%3E%24filepath1%20%3D%20import-csv%20%22C%3A%5Cdownloads%5Cuserlist.csv%22%3CBR%20%2F%3E%24filepath2%20%3D%20'C%3A%5Cdownloads%5CMFA-Results.csv'%3CBR%20%2F%3EForEach%20(%24item%20in%20%24filepath1)%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%24user%20%3D%20%24item.(%22UserPrincipalName%22)%3CBR%20%2F%3EGet-MsolUser%20-UserPrincipalName%20%24user%20%7C%20Where%20%7B%24_.UserPrincipalName%7D%20%7C%20Select%20UserPrincipalName%2C%20DisplayName%2C%20Country%2C%20Department%2C%20Title%2C%20%40%7Bn%3D%22MFA%22%3B%20e%3D%7B%24_.StrongAuthenticationRequirements.State%7D%7D%2C%20%40%7Bn%3D%22Methods%22%3B%20e%3D%7B(%24_.StrongAuthenticationMethods).MethodType%7D%7D%2C%20%40%7Bn%3D%22Default%20Method%22%3B%20e%3D%7B(%24_.StrongAuthenticationMethods).IsDefault%7D%7D%20%7C%20Export-Csv%20-Path%20%24filepath2%20-Append%20%3CBR%20%2F%3E%7D%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1242291%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242291%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F547274%22%20target%3D%22_blank%22%3E%40Kaspar_Danielsen%3C%2FA%3E%26nbsp%3BThe%20simplest%20method%20is%20via%20portal.azure.com.%26nbsp%3B%20Navigate%20to%20Azure%20Active%20Directory-%26gt%3BUsers%2C%20then%20click%20Multi-Factor%20Authentication%20in%20the%20upper%20menu%20bar.%26nbsp%3B%20Search%20for%20the%20username%2C%20then%20select%20it.%26nbsp%3B%20You%20can%20then%20click%20Disable%20under%20%22quick%20steps%22.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you're%20using%20Conditional%20Access%20policies%20to%20enforce%20MFA%2C%20then%20the%20settings%20above%20are%20not%20used.%26nbsp%3B%20In%20this%20case%2C%20you%20can%20remove%20MFA%20via%20PowerShell%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%3CSPAN%20class%3D%22com%22%3E%23Connect%20to%20Azure%20AD%3C%2FSPAN%3E%3C%2FPRE%3E%3CPRE%3E%3CSPAN%20class%3D%22com%22%3EConnect-MsolService%3C%2FSPAN%3E%3C%2FPRE%3E%3CPRE%3E%3CSPAN%20class%3D%22com%22%3E%23Disable%20MFA%20for%20a%20user%3C%2FSPAN%3E%3CSPAN%20class%3D%22pln%22%3E%20%24mfa%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22pun%22%3E%3D%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pun%22%3E%40()%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22typ%22%3ESet%3C%2FSPAN%3E%3CSPAN%20class%3D%22pun%22%3E-%3C%2FSPAN%3E%3CSPAN%20class%3D%22typ%22%3EMsolUser%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pun%22%3E-%3C%2FSPAN%3E%3CSPAN%20class%3D%22typ%22%3EUserPrincipalName%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22typ%22%3EUser%40domain%3C%2FSPAN%3E%3CSPAN%20class%3D%22pun%22%3E.%3C%2FSPAN%3E%3CSPAN%20class%3D%22pln%22%3Ecom%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22pun%22%3E-%3C%2FSPAN%3E%3CSPAN%20class%3D%22typ%22%3EStrongAuthenticationRequirements%3C%2FSPAN%3E%3CSPAN%20class%3D%22pln%22%3E%20%24mfa%3C%2FSPAN%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%26nbsp%3B%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1242791%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242791%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F133465%22%20target%3D%22_blank%22%3E%40Gary%20Long%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Gary%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20taking%20the%20time%20to%20answer%20my%20question.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20connected%20and%20ran%20the%20command.%20It%20accepted%20it%2C%20but%20both%20options%20for%20SMS%20and%20Call%20is%20still%20listed.%20In%20other%20words%2C%20it%20didn't%20make%20a%20change%20for%20some%20reason.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20use%20this%20command%20or%20use%20Office%20365%20to%20enable%2Fdisable%20MFA.%3C%2FP%3E%3CP%3ESet-MsolUser%20-UserPricipalName%20%3CA%20href%3D%22mailto%3AUser%40domain.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUser%40domain.com%3C%2FA%3E%26nbsp%3B-StrongAuthenticationRequirements%20%24mfa%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20you%20run%20this%20command%2C%20it%20does%20show%202%20or%20more%20options%20for%20SMS%2FCall%2FApp%20etc.%20I%20wish%20to%20erase%20those%20with%20a%20command%20line%2C%20since%20it's%20not%20possible%20to%20do%20that%20manually%20in%20the%20users%20profile.%3C%2FP%3E%3CP%3E%24User%20%3D%20Get-MSolUser%20-UserPrincipalName%20%3CA%20href%3D%22mailto%3AUser%40domain.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUser%40domain.com%3C%2FA%3E%3CBR%20%2F%3E%24User.StrongAuthenticationMethods%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Regards%2C%3CBR%20%2F%3EKaspar%20Danielsen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1271971%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1271971%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F547274%22%20target%3D%22_blank%22%3E%40Kaspar_Danielsen%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20an%20interesting%20discussion%20.%26nbsp%3B%20I%20tested%20out%20some%20reporting%20script%20on%201)%20my%20dev%20tenant%20(%20first%20release%20and%202)%20my%20client's%20live%20tenant.%26nbsp%3B%20Note%20my%20account%20is%20federated%20on%20the%20live%20account%20sourced%20from%20Active%20directory%20on-premise%3C%2FP%3E%3CP%3EIn%20both%20cases%20I%20am%20%3CSTRONG%3Eforced%20to%26nbsp%3B%20use%20MFA%26nbsp%3B%20enabled%20via%20the%20PhoneApp%3A%3C%2FSTRONG%3E%26nbsp%3B%20Approve%20or%20Deny%20prompt%20..%20Now%20the%20weird%20part%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3ECOnnect-MSOLService%0A%24adminUserMFADetails%20%3D%20Get-MsolUser%20-UserPrincipalName%20%22daniel.westerdale%40myclient.co.uk%22%20%20%7C%20Select-Object%20UserPrincipalName%2CStrongAuthenticationMethods%2C%40%7B%20Label%3D%22MFAStatus%22%3B%20Expression%3D%7B%24_.StrongAuthenticationRequirements.State%7D%7D%2C%20ValidationStatus%0A%0A%0A%24adminUserMFADetails.MFAStatus%20%20%23%20is%20null!!!!!!!!%0A%0ACOnnect-MSOLService%0A%24adminUserMFADetails%20%3D%20Get-MsolUser%20-UserPrincipalName%20%22daniel.westerdale%40mydevtenant.co.uk%22%20%20%7C%20Select-Object%20UserPrincipalName%2CStrongAuthenticationMethods%2C%40%7B%20Label%3D%22MFAStatus%22%3B%20Expression%3D%7B%24_.StrongAuthenticationRequirements.State%7D%7D%2C%20ValidationStatus%0A%0A%24adminUserMFADetails.MFAStatus%20%0AEnforced%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECurious......%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1380110%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1380110%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F511531%22%20target%3D%22_blank%22%3E%40Indira1390%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20using%20below%20logic%20to%20extract%20user%20MFA%20details%20and%20default%20method%20configured.%2C%20We%20use%26nbsp%3B%3CSPAN%3Ecombined%20registration%20SSPR%20%2BMFA.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Define%20global%20variable%3CBR%20%2F%3E%24Results%20%3D%20New-Object%20System.Collections.ArrayList%3CBR%20%2F%3E%23%20Get%20User%20list%20from%20a%20text%20file%2C%20expect%20user%20name%20as%20UserPricipalName%3CBR%20%2F%3E%24Userlist%20%3D%20get-content%20d%3A%5Cusers.txt%3CBR%20%2F%3EWrite-host%20%22Total%20%24((%24Userlist).count)%20users%22%3CBR%20%2F%3E%23Checking%20each%20user%20Strong%20Authentication%20Method%3CBR%20%2F%3E%24Userlist%20%7C%20foreach%20%7B%3CBR%20%2F%3EWrite-host%20%22Checking%20user%3A%20%24(%24_)%20MFA%20status.....%22%3CBR%20%2F%3E%24User%20%3D%20get-msoluser%20-UserPrincipalName%20%24_%3CBR%20%2F%3E%24UserStrongDetails%20%3D%20%24User.StrongAuthenticationMethods%3CBR%20%2F%3E%24UserStrongDetailsCount%20%3D%24User.StrongAuthenticationMethods.count%3C%2FP%3E%3CP%3EIf(%24UserStrongDetails)%7B%3CBR%20%2F%3EFor%20(%24i%3D0%3B%20%24i-lt%20%24UserStrongDetailsCount%3B%20%24i%2B%2B)%20%7Bif((%24UserStrongDetails%5B%24i%5D.IsDefault)%20-eq%20%24true)%20%7B%3CBR%20%2F%3E%24DefaultMethod%20%3D%24null%3CBR%20%2F%3E%24DefaultMethod%20%3D%20%24UserStrongDetails%5B%24i%5D.MethodType%3CBR%20%2F%3Ebreak%20%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24Preresult%20%3D%40%7B%3CBR%20%2F%3E'AAD-DisplayName'%20%3D%20%24user.DisplayName%3CBR%20%2F%3E'AAD-UserPrincipalName'%20%3D%20%24user.UserPrincipalName%3CBR%20%2F%3E'AAD-UsageLocation'%20%3D%20%24user.UsageLocation%3CBR%20%2F%3E'AAD-MobilePhone'%20%3D%20%24user.MobilePhone%3CBR%20%2F%3E'AAD-OfficePhoneNumber'%20%3D%20%24user.PhoneNumber%3CBR%20%2F%3E'MFA-Mobile'%20%3D%20%24user.StrongAuthenticationUserDetails.PhoneNumber%3CBR%20%2F%3E'MFA-AlternativePhoneNumber'%20%3D%20%24user.StrongAuthenticationUserDetails.AlternativePhoneNumber%3CBR%20%2F%3E'MFA-Email'%20%3D%20%24user.StrongAuthenticationUserDetails.Email%3CBR%20%2F%3E'MFA-DefaultMethod'%20%3D%20%24DefaultMethod%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3Eelse%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%24DefaultMethod%20%3D%24null%3CBR%20%2F%3E%24Preresult%20%3D%20%40%7B%3CBR%20%2F%3E'AAD-DisplayName'%20%3D%20%24user.DisplayName%3CBR%20%2F%3E'AAD-UserPrincipalName'%20%3D%20%24user.UserPrincipalName%3CBR%20%2F%3E'AAD-UsageLocation'%20%3D%20%24user.UsageLocation%3CBR%20%2F%3E'AAD-MobilePhone'%20%3D%20%24user.MobilePhone%3CBR%20%2F%3E'AAD-OfficePhoneNumber'%20%3D%20%24user.PhoneNumber%3CBR%20%2F%3E'MFA-Mobile'%20%3D%20%22Not-Defined%22%3CBR%20%2F%3E'MFA-AlternativePhoneNumber'%20%3D%20%22Not-Defined%22%3CBR%20%2F%3E'MFA-Email'%20%3D%20%22Not-Defined%22%3CBR%20%2F%3E'MFA-DefaultMethod'%20%3D%20%22Not-Defined%22%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%24Results%20%2B%3D%20New-Object%20-TypeName%20PSObject%20-Property%20%24Preresult%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%24Results%20%7C%20Select-Object%20AAD-DisplayName%2CAAD-UserPrincipalName%2CAAD-UsageLocation%2CAAD-MobilePhone%2CAAD-OfficePhoneNumber%2CMFA-Mobile%2CMFA-AlternativePhoneNumber%2CMFA-Email%2CMFA-DefaultMethod%20%7C%20Export-Csv%20-notypeinformation%20-Path%20%22d%3A%5CAzureMFAUserDetails.csv%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E_Sudhish%20Kumar%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1398238%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1398238%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425520%22%20target%3D%22_blank%22%3E%40SudhishSkumar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20i%C2%B4m%20trying%20to%20do%20is%20more%20simples%2C%20but%20i%C2%B4m%20unable%20to%20do%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Read%20UPNs%20form%20a%20textFile%20or%20csv%2C%20one%20UPN%20per%20line%3C%2FP%3E%3CP%3E2)%20set%20Auth%20methods%3C%2FP%3E%3CP%3EI%C2%B4m%20trying%20this%20one%2C%20but%20it%20does%20nothing%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24listacsv%20%3D%20import-csv%20c%3A%5Ctemp%5Clist.txt%3CBR%20%2F%3Eforeach(%24upn%20in%20%24listacsv)%20%7B%3CBR%20%2F%3E%24method1%20%3D%20New-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24method1.IsDefault%20%3D%20%24true%3CBR%20%2F%3E%24method1.MethodType%20%3D%20%22PhoneAppNotification%22%3CBR%20%2F%3E%24method2%20%3D%20New-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationMethod%3CBR%20%2F%3E%24method2.IsDefault%20%3D%20%24false%3CBR%20%2F%3E%24method2.MethodType%20%3D%20%22TwoWayVoiceMobile%22%3CBR%20%2F%3E%24methods%20%3D%20%40(%24method1%2C%20%24method2)%3CBR%20%2F%3E%26nbsp%3BSet-MsolUser%20-UserPrincipalName%20%24upn%20-StrongAuthenticationMethods%20%24methods%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20insted%20of%20the%20sinple%20UPN%2C%20the%20returns%20is%3A%3C%2FP%3E%3CP%3E%40%7Btestuser%40MYdomain.com%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1479709%22%20slang%3D%22en-US%22%3ERe%3A%20Powershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1479709%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425520%22%20target%3D%22_blank%22%3E%40SudhishSkumar%3C%2FA%3E%2C%20what%20details%20will%20this%20spit%20out%3F%20Please%20let%20me%20know%2C%20I'm%20trying%20to%20extract%20Users%20phone%20numbers%20they%20used%20in%20registering%20MFA.%20I%20found%20the%20same%20number%20on%202%20different%20profiles%2C%20so%20i%20need%20to%20do%20an%20audit%20to%20see%20how%20many%20profiles%20like%20this%20do%20I%20have%20out%20there.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-157678%22%20slang%3D%22en-US%22%3EPowershell%20CMDlets%20for%20MFA%20Settings%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-157678%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20if%20there%20are%20Powershell%20Cmdlets%20available%20to%20allow%20inspection%20of%20a%20user's%20MFA%20settings%20related%20to%20which%20verification%20options%20were%20configured%20and%20which%20option%20is%20considered%20primary%3F%20I%20am%20mostly%20focused%20on%20Office%20365%2C%20but%20I%20think%20that%20this%20is%20an%20Azure%20AD%20question%20in%20general.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere's%20the%20use%20case%20that%20I%20am%20considering.%20We%20have%20a%20number%20of%20Office%20365%20users%20with%20MFA%20enabled.%20There%20was%20configuration%20guidance%20given%20at%20setup%20time%2C%20but%20not%20all%20users%20chose%20to%20follow%20that%20guidance.%20Specifically%2C%20many%20chose%20SMS%20notification%2C%20but%20our%20facility%20is%20notorious%20for%20poor%20cellular%20reception.%20Mobile%20app%20is%20preferred%20in%20this%20environment.%20In%20some%20cases%2C%20they%20deviated%20from%20the%20suggested%20method%20intentionally%20and%2C%20other%20times%2C%20unintentionally.%20This%20leads%20to%20support%20calls%20and%20it%20would%20be%20very%20useful%20for%20the%20support%20tech%20to%20know%20up%20front%20which%20methods%20are%20configured%20and%20which%20is%20the%20user's%20primary%20verification%20method.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20looked%20at%20the%20Azure%20AD%20module%2C%20but%20haven't%20found%20what%20I'm%20looking%20for%20yet.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EAndy%20Baerst%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-157678%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Contributor

Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I am mostly focused on Office 365, but I think that this is an Azure AD question in general.

 

Here's the use case that I am considering. We have a number of Office 365 users with MFA enabled. There was configuration guidance given at setup time, but not all users chose to follow that guidance. Specifically, many chose SMS notification, but our facility is notorious for poor cellular reception. Mobile app is preferred in this environment. In some cases, they deviated from the suggested method intentionally and, other times, unintentionally. This leads to support calls and it would be very useful for the support tech to know up front which methods are configured and which is the user's primary verification method. 

 

I've looked at the Azure AD module, but haven't found what I'm looking for yet.

 

Thanks,

Andy Baerst

26 Replies
Highlighted
Best Response confirmed by Nuno Silva (MVP)
Solution

You have the information in the Get-MSolUser cmdlet from MSOnline powershell module:

Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods

With that you get the default authentication method. There are other properties beginning by StrongAuthentication that give you other details

MFAPS.JPG

Highlighted

Very nice. Thank you.

Highlighted

Man, you guys are militant about the "Best Response." I step away for an hour to get a bite to eat and I come back to someone else marking the answer as "Best Response." Ok, alright. I get it. It's all about the Best Response points. Thanks again.

Highlighted

Best response help other people quickly identify the correct answer in the thread. And yes, they give "points". There's nothing wrong with that. We take the time to test, reproduce scenarios, run cmdlets, take snapshots, etc, and it won't take you a second to (apart from replying) mark the best response.

https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Guidelines/m-p/107#M...

Highlighted

I have a feeling that there is nothing that I will be able to say that will lighten this exchange. I appreciate your contribution. I appreciate your thoroughness. I thanked you about four seconds after you posted your reply. I liked the post to show my appreciation. I just didn't click on Best Response yet because I didn't know if the thread had run its full course and I didn't want to stop others from answering if they felt inclined to do so. I am not against a point system. I was just being light-hearted with my reply. 

Highlighted

Thank you for replying. I think this DO enlighten exchange between community users.

By marking Best Response you are not stopping others from answering, they can continue to post their comments. And if you change your mind on the Best Response, you can just change it.

NotBest.jpg

Highlighted

I was provided this command by MS Support:

Connect-Msolservice

Get-MsolGroupMember -GroupObjectId <the group object ID> -MemberObjectTypes User | Get-MsolUser | select Userprincipalname -ExpandProperty StrongAuthenticationUserDetails | select UserPrincipalName, AlternativePhoneNumber, Email, PhoneNumber

Highlighted

I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.

 

Thank You in advance.

Highlighted

Try this (has to be done on a per-group basis):

$filepath = '<your-export-filename>'
Get-MsolGroupMember -GroupObjectId <the id number of the group> -MemberObjectTypes User -All | Get-MsolUser | Where {$_.UserPrincipalName} | Select UserPrincipalName, DisplayName, Country, Department, Title, @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType}}, @{n="Default Method"; e={($_.StrongAuthenticationMethods).IsDefault}} | Export-Csv -Path $filepath

Highlighted

Thank You.

So by Group, do you mean all the users must be in some type of GROUP?

[Distro, O365 Group,..]


 

Highlighted

This specific PS command relies upon the Group Object ID which is unique to the specific group.  For instance, if you have an All Users group, you would need to provide.  It's a number that looks similar to this: af407072-7ae1-4b07-a0ca-6634b7396054

Highlighted

Is it possible to edit the value of the strongauthenticationmethod?

 

So I want to switch the IsDefault value in my case from PhoneAppOTP to PhoneAppNotification

 

I was hoping I was just going to be able to use

 

Set-MsolUser -UserPrincipalName myuser@mycompany.com -StrongAuthenticationMethods phoneappnotification

 

But this doesn't seem to be the correct methodology.  Any guidance would be apprciated

Highlighted

Wish that was so easy.. you could try

Read the current methods set,

Create new object to hold the values as needed

$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod

$m1.IsDefault = $true

$m1.MethodType="PhoneAppNotification"

$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod

$m2.IsDefault = $false

$m2.MethodType="PhoneAppOTP"

$m=@($m1,$m2)

set-msoluser -Userprincipalname "UPN" -StrongAuthenticationMethods $m

You will have try this on few users to see how it works (especially when values are already set).

 

Highlighted
Hi Raghuram

This is the exact method I ended up using. Thanks for replying
Highlighted

I Found A solution to this :)

 

# /MWU
# First connect to your tenant (as you use to do it)
# Output from my connect tenant function
# cat function:Connect-O365-PROD

# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
#Use this if you import scriptfunctions from remote server, i only load remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -global
Connect-MsolService -Credential $PRODAdminCred
##################Forget above if you are Pro :)#######################################


#Selected user in cloud
$Userpricipalname = "abc@org.com"

#Get settings for a user with exsisting auth data
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
# Viewing default method
$User.StrongAuthenticationMethods

 


# Creating custom object for default method (here you just put in $true insted of $false, on the prefeered method you like)
$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType="OneWaySMS"

$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType="TwoWayVoiceMobile"


$m3=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType="PhoneAppOTP"


$m4=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $True
$m4.MethodType="PhoneAppNotification"

# To set the users default method for doing second factor
#$m=@($m1,$m2,$m3,$m4)

# To force user ONLY to re-register without clearing their phonenumber or App shared secret.
$m=@()

# Set command to define new settings
set-msoluser -Userprincipalname $user.UserPrincipalName -StrongAuthenticationMethods $m

 

#Settings should be empty, and user is required to register new phone number or whatever they like, i case they lost their phone.
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
$User.StrongAuthenticationMethods

Highlighted

I Found A solution to this :)
Not a one time bypass, but require user to re-register at next sign-in

 

# /MWU
# First connect to your tenant (as you use to do it)
# Output from my connect tenant function
# cat function:Connect-O365-PROD

# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
#Use this if you import scriptfunctions from remote server, i only load remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -global
Connect-MsolService -Credential $PRODAdminCred
##################Forget above if you are Pro :)#######################################


#Selected user in cloud
$Userpricipalname = "abc@org.com"

#Get settings for a user with exsisting auth data
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
# Viewing default method
$User.StrongAuthenticationMethods

 


# Creating custom object for default method (here you just put in $true insted of $false, on the prefeered method you like)
$m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType="OneWaySMS"

$m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType="TwoWayVoiceMobile"


$m3=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType="PhoneAppOTP"


$m4=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $True
$m4.MethodType="PhoneAppNotification"

# To set the users default method for doing second factor
#$m=@($m1,$m2,$m3,$m4)

# To force user ONLY to re-register without clearing their phonenumber or App shared secret.
$m=@()

# Set command to define new settings
set-msoluser -Userprincipalname $user.UserPrincipalName -StrongAuthenticationMethods $m

 

#Settings should be empty, and user is required to register new phone number or whatever they like, i case they lost their phone.
$User = Get-MSolUser -UserPrincipalName $Userpricipalname
$User.StrongAuthenticationMethods

Highlighted
Do we have option to change the Phone number under Authentication tab from powershell ?
Highlighted

No Sadly there still no powershell way to update the Authentication Phone / info directly. @ManishKKutty 

 

Se the uservoice here:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/14795625-authentication-...

Highlighted

Can someone help me to export the strong authentication details to a csv file from Azure AD for some users provided through input file.

 

Thanks in advance