Very basic office 365 powershell MFA question, something has changed


I had a very basic script to enable MFA, set SMS as default and define the phone #. It worked great until recently. Now it will enable MFA, but when the user attempts to log in for the first time MFA does not even attempt to send a text and gives the error shown below instantly. I tried a different tenant and created an entirely new account as a test just to see if I was missing something. I compared user details between a working and a non-working MFA account and the only difference was the line "StrongAuthenticationUserDetails", but that may have just been due to the user not verifying the # and logging in yet. The user I compared with had "Microsoft.Online.Administration.StrongAuthenticationUserDetails" in that field. May be a red herring, but I'm not sure at this point.

Thanks
Dave

[Image: login.jpg (screenshot of the sign-in error)]

#Ensure to Connect-MsolService as tenant admin first (365admin@), WILL NOT work using delegate permissions.
#This will prompt for email and phone #.  It will then enable MFA, add a phone # and default to SMS for approval.

$User = Read-Host -Prompt 'User email address'
$mobilenumber = "+1 " + (Read-Host -Prompt 'User cell phone')

#Write the number to the user's directory MobilePhone attribute
Set-MsolUser -UserPrincipalName $User -MobilePhone $mobilenumber

#enforce MFA: build a per-user StrongAuthenticationRequirement for all relying parties
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

#Enable MFA for the user
Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements $sta

#Set SMS as default MFA method (Thanks GZ)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "OneWaySMS"
$m = @($m1)

#Set SMS as default
Set-MsolUser -UserPrincipalName $User -StrongAuthenticationMethods $m

#Display new mobile #
Get-MsolUser -UserPrincipalName $User | fl MobilePhone

0 Replies
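A diagnostic that performs the comparison the post describes (working vs. non-working account) in one place. This is an added example, not part of the original post; it assumes the MSOnline module and a prior Connect-MsolService as tenant admin, and the two UPNs at the bottom are placeholders. It reports the per-user MFA state, the default method, the directory MobilePhone attribute the script writes, and the separate MFA phone held in StrongAuthenticationUserDetails, flagging the case where SMS is the default but no MFA phone is registered.

```powershell
# Assumes: MSOnline module loaded and Connect-MsolService already run as tenant admin.
function Test-MsolMfaSmsReadiness {
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Per-user MFA state ("Enabled"/"Enforced"); $null when MFA is not set for the user
    $state = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State
    if (-not $state) { $state = 'Disabled' }

    # Method the user is challenged with by default (e.g. OneWaySMS)
    $defaultMethod = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

    # The phone MFA uses lives in StrongAuthenticationUserDetails.PhoneNumber,
    # a different field from the directory MobilePhone attribute set by Set-MsolUser -MobilePhone.
    $mfaPhone = $u.StrongAuthenticationUserDetails.PhoneNumber

    $finding = 'OK'
    if ($state -eq 'Disabled') {
        $finding = 'MFA not enabled for this user'
    }
    elseif ($defaultMethod -eq 'OneWaySMS' -and [string]::IsNullOrEmpty($mfaPhone)) {
        $finding = 'SMS is default but StrongAuthenticationUserDetails has no PhoneNumber'
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = $state
        DefaultMethod     = $defaultMethod
        DirectoryMobile   = $u.MobilePhone
        MfaPhone          = $mfaPhone
        Finding           = $finding
    }
}

# Compare a working and a non-working account side by side (placeholder UPNs).
'working.user@contoso.example', 'new.user@contoso.example' |
    ForEach-Object { Test-MsolMfaSmsReadiness -UserPrincipalName $_ } |
    Format-Table -AutoSize
```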