SOLVED

Powershell CMDlets for MFA Settings?

Brass Contributor

Does anyone know if there are Powershell Cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I am mostly focused on Office 365, but I think that this is an Azure AD question in general.

 

Here's the use case that I am considering. We have a number of Office 365 users with MFA enabled. There was configuration guidance given at setup time, but not all users chose to follow that guidance. Specifically, many chose SMS notification, but our facility is notorious for poor cellular reception. Mobile app is preferred in this environment. In some cases, they deviated from the suggested method intentionally and, other times, unintentionally. This leads to support calls and it would be very useful for the support tech to know up front which methods are configured and which is the user's primary verification method. 

 

I've looked at the Azure AD module, but haven't found what I'm looking for yet.

 

Thanks,

Andy Baerst

30 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

You have the information in the Get-MsolUser cmdlet from the MSOnline PowerShell module:

Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods

With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.

[Attached screenshot: MFAPS.JPG]

Very nice. Thank you.

Man, you guys are militant about the "Best Response." I step away for an hour to get a bite to eat and I come back to someone else marking the answer as "Best Response." Ok, alright. I get it. It's all about the Best Response points. Thanks again.

Best response helps other people quickly identify the correct answer in the thread. And yes, they give "points". There's nothing wrong with that. We take the time to test, reproduce scenarios, run cmdlets, take snapshots, etc., and it won't take you a second (apart from replying) to mark the best response.

https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Guidelines/m-p/107#M...

I have a feeling that there is nothing that I will be able to say that will lighten this exchange. I appreciate your contribution. I appreciate your thoroughness. I thanked you about four seconds after you posted your reply. I liked the post to show my appreciation. I just didn't click on Best Response yet because I didn't know if the thread had run its full course and I didn't want to stop others from answering if they felt inclined to do so. I am not against a point system. I was just being light-hearted with my reply. 

Thank you for replying. I think this DOES enlighten the exchange between community users.

By marking Best Response you are not stopping others from answering, they can continue to post their comments. And if you change your mind on the Best Response, you can just change it.

[Attached screenshot: NotBest.jpg]

I was provided this command by MS Support:

Connect-Msolservice

Get-MsolGroupMember -GroupObjectId <the group object ID> -MemberObjectTypes User | Get-MsolUser | select Userprincipalname -ExpandProperty StrongAuthenticationUserDetails | select UserPrincipalName, AlternativePhoneNumber, Email, PhoneNumber

I need a PS script that generates a CSV showing not only if MFA is enabled for all users, but shows the authentication method as well.

 

Thank You in advance.

Try this (has to be done on a per-group basis):

$filepath = '<your-export-filename>'
# Methods is joined into one string (Export-Csv would otherwise write "System.Object[]"),
# and Default Method reports the MethodType flagged IsDefault rather than the raw True/False flags.
Get-MsolGroupMember -GroupObjectId <the id number of the group> -MemberObjectTypes User -All | Get-MsolUser | Where-Object { $_.UserPrincipalName } | Select-Object UserPrincipalName, DisplayName, Country, Department, Title, @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType -join ';'}}, @{n="Default Method"; e={($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType}} | Export-Csv -Path $filepath -NoTypeInformation

Thank You.

So by Group, do you mean all the users must be in some type of GROUP?

[Distro, O365 Group,..]


 

This specific PS command relies upon the Group Object ID, which is unique to the specific group. For instance, if you have an All Users group, you would need to provide. It's a number that looks similar to this: af407072-7ae1-4b07-a0ca-6634b7396054

Is it possible to edit the value of the strongauthenticationmethod?

 

So I want to switch the IsDefault value in my case from PhoneAppOTP to PhoneAppNotification

 

I was hoping I was just going to be able to use

 

Set-MsolUser -UserPrincipalName myuser@mycompany.com -StrongAuthenticationMethods phoneappnotification

 

But this doesn't seem to be the correct methodology. Any guidance would be appreciated.

Wish it were that easy.. you could try:

Read the current methods set, then create new objects to hold the values as needed:

$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "PhoneAppNotification"

$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "PhoneAppOTP"

$m = @($m1, $m2)

Set-MsolUser -UserPrincipalName "UPN" -StrongAuthenticationMethods $m

You will have to try this on a few users to see how it works (especially when values are already set).
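The approach above hardcodes the list of methods that is written back, so a user who had registered a method the script does not list loses it. The following is an added example, not code posted in this thread: it reads the user's currently registered StrongAuthenticationMethods, rewrites only the IsDefault flags, and refuses to make a method the default unless the user has actually registered it, which avoids locking the user out at the next sign-in. The function name Set-MfaDefaultMethod is hypothetical; it assumes Connect-MsolService has already been run. The MSOnline module these posts use has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the example stays with the cmdlets the thread discusses.

```powershell
# Added example (not from the thread): change a user's default MFA method with the
# MSOnline cmdlets discussed above, without dropping any method the user already has.
# Only the IsDefault flags change; phone numbers and the app shared secret are untouched.
function Set-MfaDefaultMethod {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DefaultMethod   # e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS
    )

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $current = @($user.StrongAuthenticationMethods)

    if ($current.Count -eq 0) {
        throw "$UserPrincipalName has no MFA methods registered; nothing to change."
    }
    if ($current.MethodType -notcontains $DefaultMethod) {
        # Refuse to default to a method the user never enrolled: they would have no
        # phone or app able to answer the prompt at the next sign-in.
        throw "$UserPrincipalName has not registered $DefaultMethod (registered: $($current.MethodType -join ', '))."
    }

    # Rebuild the array from the registered methods so exactly one entry is IsDefault.
    $new = foreach ($method in $current) {
        $m = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $m.MethodType = $method.MethodType
        $m.IsDefault  = ($method.MethodType -eq $DefaultMethod)
        $m
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @($new)

    # Read back and return the default that is actually stored, so the caller can verify it.
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods |
        Where-Object IsDefault |
        Select-Object -ExpandProperty MethodType
}

# Usage (placeholder values):
# Connect-MsolService
# Set-MfaDefaultMethod -UserPrincipalName 'user@domain.com' -DefaultMethod 'PhoneAppNotification'
```

Returning the read-back default rather than trusting the Set-MsolUser call matters here because the thread notes that behaviour differs when values are already set; a mismatch between the requested and returned method is the signal to investigate the account by hand.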

 

Hi Raghuram

This is the exact method I ended up using. Thanks for replying

I found a solution to this :)
Not a one-time bypass, but it requires the user to re-register at next sign-in.

# /MWU
# First connect to your tenant (as you usually do)
# Output from my connect tenant function
# cat function:Connect-O365-PROD

# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
Connect-MsolService -Credential $PRODAdminCred
################## Forget the above if you are a pro :) #######################################

# Selected user in cloud
$UserPrincipalName = "abc@org.com"

# Get settings for a user with existing auth data
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
# Viewing the default method
$User.StrongAuthenticationMethods

# Creating a custom object per method (set IsDefault to $true instead of $false on the method you prefer)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType = "OneWaySMS"

$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "TwoWayVoiceMobile"

$m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType = "PhoneAppOTP"

$m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $true
$m4.MethodType = "PhoneAppNotification"

# To set the user's default method for the second factor
#$m = @($m1, $m2, $m3, $m4)

# To force the user ONLY to re-register, without clearing their phone number or app shared secret
$m = @()

# Set command to define the new settings
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m

# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
$User.StrongAuthenticationMethods

Do we have an option to change the phone number under the Authentication tab from PowerShell?

No, sadly there is still no PowerShell way to update the authentication phone / info directly. @ManishKKutty

 

See the UserVoice here:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/14795625-authentication-...

Can someone help me export the strong authentication details to a CSV file from Azure AD for some users provided through an input file?

 

Thanks in advance
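Two requests in this thread ask for the same report: a CSV showing whether MFA is enabled for each user together with the registered methods and the default, and the same export for a set of users taken from an input file rather than a group. The following added example, which is not code posted by anyone in the thread, serves both. It assumes Connect-MsolService has been run, a text file with one UPN per line, and a hypothetical function name Get-MfaMethodReport; the input and output paths are placeholders. It reports per-user MFA state only (StrongAuthenticationRequirements), not MFA enforced through Conditional Access, which the MSOnline properties do not expose.

```powershell
# Added example (not from the thread): one row per UPN with the per-user MFA state,
# the registered methods and the default method, fed from an input file and written
# to CSV with the MSOnline cmdlets used throughout this thread.
function Get-MfaMethodReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $UserPrincipalName
    )
    process {
        $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) {
            # Keep lookup failures in the report instead of silently dropping the row,
            # so a typo in the input file is visible in the output.
            [pscustomobject]@{
                UserPrincipalName = $UserPrincipalName
                DisplayName       = ''
                MfaState          = 'UserNotFound'
                Methods           = ''
                DefaultMethod     = ''
                PhoneNumber       = ''
            }
            return
        }

        $methods = @($user.StrongAuthenticationMethods)

        # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
        # otherwise State is Enabled or Enforced.
        $state = if ($user.StrongAuthenticationRequirements) {
            $user.StrongAuthenticationRequirements.State
        } else {
            'Disabled'
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName       = $user.DisplayName
            MfaState          = $state
            # Export-Csv flattens arrays to "System.Object[]", so join the method names first.
            Methods           = ($methods.MethodType -join ';')
            # Empty when no method is registered, which is itself worth seeing in the report.
            DefaultMethod     = ($methods | Where-Object IsDefault | Select-Object -ExpandProperty MethodType)
            PhoneNumber       = $user.StrongAuthenticationUserDetails.PhoneNumber
        }
    }
}

# Usage (placeholder paths): read UPNs from a file, skip blank lines, export the report.
# Connect-MsolService
# Get-Content '<input-file-with-one-upn-per-line>' |
#     ForEach-Object { $_.Trim() } | Where-Object { $_ } |
#     Get-MfaMethodReport |
#     Export-Csv -Path '<output.csv>' -NoTypeInformation -Encoding UTF8
```

For the support scenario in the original question, the rows with Methods containing OneWaySMS but no PhoneAppNotification are the users who deviated from the guidance, and an empty DefaultMethod with MfaState Enabled marks users who have not completed registration yet.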
