Manage M365 MFA setting using Powershell


I am enforcing Multi-Factor Authentication for all my M365 users (Azure AD plan 2) and it works as expected. The ability to set exceptions when users work from particular branch offices also works as expected. Screenshot below.

However, I have many branch offices where the IP address can change every week, so I need a way to automate updating the above list.


Is there a PowerShell module I can use to update this list rather than logging in to the portal and typing it out every time there is a change?

When you have Azure AD Premium P2 I would consider using Azure AD Conditional Access policies for enforcing MFA and the Named Locations feature available in Azure AD. You can use PowerShell to update named locations using the Set-AzureADMSNamedLocationPolicy cmdlet.

https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadmsnamedlocationpolicy?view=azu...

@pvanberlo thanks. But I want to set IP-based exceptions only. Not interested in Conditional Access in this case.

@sachin011390 I understand what you're saying, however, Microsoft actually recommends using Azure AD Conditional Access for MFA purposes nowadays. I do not believe there is a programmatic or PowerShell way to change the "trusted IPs for per user MFA" and the portal is the only way to manage this interactively.

Trusted IPs all come over to Conditional Access as the "MFA trusted IPs" named location. You can interact with named locations.
e.g.
New-MgIdentityConditionalAccessNamedLocation
https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mgidentityco...
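As an added example (not code from any of the posters above), the following script shows the kind of automation the question asks for, using the Microsoft Graph PowerShell SDK cmdlets the last reply points at: it looks up an existing IP named location by display name, validates the new list of IPv4 CIDR ranges, prints which ranges would be added and removed, and then replaces the location's range list. The location name "Branch offices" and the input file `branch-ranges.txt` are assumed placeholders; the same replacement could be done with the older `Set-AzureADMSNamedLocationPolicy` cmdlet from the first reply.

```powershell
# Added example: replace the IPv4 ranges of an existing Conditional Access
# named location with Microsoft Graph PowerShell. Not from the original thread.
# Assumptions (placeholders): the named location is called "Branch offices"
# and the desired ranges are in a text file, one CIDR per line.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    [string]$LocationName = 'Branch offices',
    [string]$RangeFile    = '.\branch-ranges.txt',
    [switch]$Trusted       # mark the location as trusted (skips MFA for these ranges)
)

# Delegated permission required to change named locations.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Read the desired ranges and reject anything that is not a well-formed IPv4 CIDR,
# so a typo in the file cannot widen the exception to the wrong network.
$desired = @(Get-Content $RangeFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($desired.Count -eq 0) { throw "Refusing to update '$LocationName' with an empty range list." }
foreach ($cidr in $desired) {
    $ip, $bits = $cidr -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork -or
        $bits -notmatch '^\d{1,2}$' -or [int]$bits -gt 32) {
        throw "Invalid IPv4 CIDR in ${RangeFile}: '$cidr'"
    }
}

# Find the named location by display name (server-side OData filter).
$escaped  = $LocationName -replace "'", "''"
$location = @(Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$escaped'")
if ($location.Count -eq 0) { throw "Named location '$LocationName' not found." }
if ($location.Count -gt 1) { throw "More than one named location is called '$LocationName'." }
$location = $location[0]

# The ipNamedLocation-specific fields are surfaced through AdditionalProperties.
$current = @($location.AdditionalProperties['ipRanges'] | ForEach-Object { $_['cidrAddress'] })
$added   = @($desired | Where-Object { $_ -notin $current })
$removed = @($current | Where-Object { $_ -notin $desired })
Write-Host "Adding:   $($added -join ', ')"
Write-Host "Removing: $($removed -join ', ')"

# Build the full replacement body; ipRanges is replaced as a whole, not merged.
$body = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $LocationName
    isTrusted     = [bool]$Trusted
    ipRanges      = @($desired | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}
Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id -BodyParameter $body
```

Because `ipRanges` is replaced in full, the file must contain every range that should remain on the location, not just the new ones; the added/removed summary printed before the update makes an accidental removal visible in the job log when the script runs unattended.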