Using PowerShell in Microsoft 365 to find users who have MFA set up!

%3CLINGO-SUB%20id%3D%22lingo-sub-2322156%22%20slang%3D%22en-US%22%3EUsing%20PowerShell%20in%20Microsoft%20365%20to%20find%20users%20who%20have%20MFA%20set%20up!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2322156%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Microsoft%20365%20friends%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20used%20the%20PowerShell%20ISE%20for%20this%20configuration.%20But%20you%20are%20also%20very%20welcome%20to%20use%20Visual%20Studio%20Code%2C%20just%20as%20you%20wish.%26nbsp%3BPlease%20start%20with%20the%20following%20steps%20to%20begin%20the%20deployment%20(the%20Hashtags%20are%20comments)%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23The%20first%20two%20lines%20have%20nothing%20to%20do%20with%20the%20configuration%2C%20but%20make%20some%20space%20below%20in%20the%20blue%20part%20of%20the%20ISE%3C%2FP%3E%3CP%3E%3CSTRONG%3ESet-Location%20C%3A%5CTemp%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EClear-Host%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23We%20need%20the%20PowerShell%20module%3CBR%20%2F%3E%3CSTRONG%3EInstall-Module%20MSOnline%20-AllowClobber%20-Force%20-Verbose%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Connect%20to%20Microsoft%20365%20(formerly%20Office365)%3CBR%20%2F%3E%3CSTRONG%3EConnect-MsolService%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Did%20it%20work%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23We%20search%20the%20properties%20of%20Get-MsolUser%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20%7C%20Get-Member%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23A%20first%20investigation%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20-All%20%7C%20where%20%7B%24_.StrongAuthenticationMethods%20-ne%20%24null%7D%20%7C%20Select-Object%20-Property%20UserPrincipalName%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Run%20the%20following%20command%20to%20output%20MFA%20details%20and%20status%20for%20all%20users%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20-all%20%7C%20select%20DisplayName%2CUserPrincipalName%2C%40%7BN%3D%22MFA%20Status%22%3B%20E%3D%7B%20if(%20%24_.StrongAuthenticationMethods.IsDefault%20-eq%20%24true)%20%7B(%24_.StrongAuthenticationMethods%20%7C%20Where%20IsDefault%20-eq%20%24True).MethodType%7D%20else%20%7B%20%22Disabled%22%7D%7D%7D%20%7C%20FT%20-AutoSize%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Details%20for%20one%20specific%20user%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20-UserPrincipalName%20jane.ford%40tomwechsler.xyz%20%7C%20select%20DisplayName%2CUserPrincipalName%2C%40%7BN%3D%22MFA%20Status%22%3B%20E%3D%7B%20if(%20%24_.StrongAuthenticationMethods.IsDefault%20-eq%20%24true)%20%7B(%24_.StrongAuthenticationMethods%20%7C%20Where%20IsDefault%20-eq%20%24True).MethodType%7D%20else%20%7B%20%22Disabled%22%7D%7D%7D%20%7C%20FT%20-AutoSize%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Enables%20MFA%20for%20an%20individual%20user%20(a%20Conditional%20Access%20Policy%20would%20be%20a%20better%20way)%3CBR%20%2F%3E%3CSTRONG%3E%24st%20%3D%20New-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationRequirement%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24st.RelyingParty%20%3D%20%22*%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24st.State%20%3D%20%22Enabled%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24sta%20%3D%20%40(%24st)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Change%20the%20following%20UserPrincipalName%20to%20the%20user%20you%20wish%20to%20change%20state%3CBR%20%2F%3E%3CSTRONG%3ESet-MsolUser%20-UserPrincipalName%20tim.jones%40tomwechsler.xyz%20-StrongAuthenticationRequirements%20%24sta%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Check%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20-All%20%7C%20where%20%7B%24_.StrongAuthenticationMethods%20-ne%20%24null%7D%20%7C%20Select-Object%20-Property%20UserPrincipalName%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Define%20your%20list%20of%20users%20to%20update%20state%20in%20bulk%20(a%20Conditional%20Access%20Policy%20would%20be%20a%20better%20way)%3CBR%20%2F%3E%3CSTRONG%3E%24users%20%3D%20%22tim.taylor%40tomwechsler.xyz%22%2C%22tim.jones%40tomwechsler.xyz%22%2C%22jane.ford%40tomwechsler.xyz%22%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3Eforeach%20(%24user%20in%20%24users)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24st%20%3D%20New-Object%20-TypeName%20Microsoft.Online.Administration.StrongAuthenticationRequirement%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24st.RelyingParty%20%3D%20%22*%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24st.State%20%3D%20%22Enabled%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24sta%20%3D%20%40(%24st)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ESet-MsolUser%20-UserPrincipalName%20%24user%20-StrongAuthenticationRequirements%20%24sta%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23Check%20in%20the%20Azure%20Portal%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23To%20disable%20MFA%3CBR%20%2F%3E%3CSTRONG%3EGet-MsolUser%20-UserPrincipalName%20tim.jones%40tomwechsler.xyz%20%7C%20Set-MsolUser%20-StrongAuthenticationRequirements%20%40()%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23You%20could%20also%20directly%20disable%20MFA%3CBR%20%2F%3E%3CSTRONG%3ESet-MsolUser%20-UserPrincipalName%20tim.taylor%40tomwechsler.xyz%20-StrongAuthenticationRequirements%20%40()%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20you%20have%20set%20up%20MFA%20for%20specific%20users%20using%20PowerShell.%20If%20you%20have%20an%20Azure%20AD%20Premium%20P1%20license%2C%20you%20can%20configure%20MFA%20with%20a%20Conditional%20Access%20policy%20(that%20would%20be%20the%20better%20way).%3C%2FP%3E%3CP%3EI%20am%20absolutely%20aware%20that%20this%20is%20nothing%20spectacular.%20However%2C%20I%20wanted%20to%20share%20some%20experience%20with%20you.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CP%3EI%20hope%20this%20article%20was%20useful.%20Best%20regards%2C%20Tom%20Wechsler%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EP.S.%26nbsp%3BAll%20scripts%20(%23PowerShell%2C%20Azure%20CLI%2C%20%23Terraform%2C%20%23ARM)%20that%20I%20use%20can%20be%20found%20on%20github!%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Ftomwechsler%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Ftomwechsler%3C%2FA%3E%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2322156%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
MVP

 

Hi Microsoft 365 friends,

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

 

#We need the PowerShell module
Install-Module MSOnline -AllowClobber -Force -Verbose

 

#Connect to Microsoft 365 (formerly Office365)
Connect-MsolService

 

#Did it work
Get-MsolUser

 

#We search the properties of Get-MsolUser
Get-MsolUser | Get-Member

 

#A first investigation
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

 

#Run the following command to output MFA details and status for all users
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSize

 

#Details for one specific user
Get-MsolUser -UserPrincipalName jane.ford@tomwechsler.xyz | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSize

 

#Enables MFA for an individual user (a Conditional Access Policy would be a better way)
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

 

#Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName tim.jones@tomwechsler.xyz -StrongAuthenticationRequirements $sta

 

#Check
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

 

#Define your list of users to update state in bulk (a Conditional Access Policy would be a better way)
$users = "tim.taylor@tomwechsler.xyz","tim.jones@tomwechsler.xyz","jane.ford@tomwechsler.xyz"

foreach ($user in $users)
{
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

 

#Check in the Azure Portal

 

#To disable MFA
Get-MsolUser -UserPrincipalName tim.jones@tomwechsler.xyz | Set-MsolUser -StrongAuthenticationRequirements @()

 

#You could also directly disable MFA
Set-MsolUser -UserPrincipalName tim.taylor@tomwechsler.xyz -StrongAuthenticationRequirements @()

 

Now you have set up MFA for specific users using PowerShell. If you have an Azure AD Premium P1 license, you can configure MFA with a Conditional Access policy (that would be the better way).

I am absolutely aware that this is nothing spectacular. However, I wanted to share some experience with you.

 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

 

0 Replies