cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using PowerShell in Microsoft 365 to find users who have MFA set up!

TomWechsler
MVP

‎May 04 2021 07:50 AM - edited ‎May 04 2021 07:53 AM

‎May 04 2021 07:50 AM - edited ‎May 04 2021 07:53 AM

Using PowerShell in Microsoft 365 to find users who have MFA set up!

 

Hi Microsoft 365 friends,

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

 

#We need the PowerShell module
Install-Module MSOnline -AllowClobber -Force -Verbose

 

#Connect to Microsoft 365 (formerly Office365)
Connect-MsolService

 

#Did it work
Get-MsolUser

 

#We search the properties of Get-MsolUser
Get-MsolUser | Get-Member

 

#A first investigation
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

 

#Run the following command to output MFA details and status for all users
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSize

 

#Details for one specific user
Get-MsolUser -UserPrincipalName jane.ford@tomwechsler.xyz | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSize

 

#Enables MFA for an individual user (a Conditional Access Policy would be a better way)
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

 

#Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName tim.jones@tomwechsler.xyz -StrongAuthenticationRequirements $sta

 

#Check
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

 

#Define your list of users to update state in bulk (a Conditional Access Policy would be a better way)
$users = "tim.taylor@tomwechsler.xyz","tim.jones@tomwechsler.xyz","jane.ford@tomwechsler.xyz"

foreach ($user in $users)
{
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

 

#Check in the Azure Portal

 

#To disable MFA
Get-MsolUser -UserPrincipalName tim.jones@tomwechsler.xyz | Set-MsolUser -StrongAuthenticationRequirements @()

 

#You could also directly disable MFA
Set-MsolUser -UserPrincipalName tim.taylor@tomwechsler.xyz -StrongAuthenticationRequirements @()

 

Now you have set up MFA for specific users using PowerShell. If you have an Azure AD Premium P1 license, you can configure MFA with a Conditional Access policy (that would be the better way).

I am absolutely aware that this is nothing spectacular. However, I wanted to share some experience with you.

 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

 

Labels:
5,832 Views
0 Likes
0 Replies
Reply
0 Replies