Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Azure / Enable or Disable MFA for Users in Azure/Microsoft 365

April 27, 2022 AzureMicrosoft 365PowerShell

Enable or Disable MFA for Users in Azure/Microsoft 365

You can enable, disable, or get the Multi-Factor Authentication (MFA) status for users in your Azure/Microsoft 365 tenant using Azure Portal, Microsoft 365 Admin Center, or PowerShell. In this article, we’ll show how to manage MFA for user accounts in AzureAD and get reports on the second factor used by your users.

We suppose that you manage MFA on a per-user basis and not with the Azure Conditional Access policies.

You can access a web page with the MFA status for all users in two ways:

  • Microsoft 365 Admin Center -> Active Users -> Multi-factor authentication.
  • Portal Azure -> Azure AD-> Users -> Per-user MFA

configure multi-factor authentication in Microsoft 365 Admin Center

You will see a list of all users in your tenant and the MFA status for each of them. Available MFA statuses are:

  • Disabled – multi-factor authentication is disabled (by default, for all new users);
  • Enabled – MFA is enabled, but a user is still using standard authentication until they select the MFA method themselves;
  • Enforced –  a user will be forced to register a second MFA factor at the next logon. Enable/disable MFA for Azure AD User

You can enable, disable, reset, or configure MFA for each user using buttons in the Quick Steps panel on the right.

The report doesn’t show if a user completed the MFA setup and which second factor he has selected. Also, you cannot export the contents of the page to a TXT/CSV file. It is easier to use PowerShell to manage users’ MFA in Microsoft 365 and build reports.

Now you can enable/disable MFA for Azure (Microsoft 365) users in PowerShell using the MSOnline module or Microsoft Graph API.

You cannot currently manage MFA with the latest version of the AzureAD module.

Install the MSOnline module (if needed) and connect to your tenant:

Install-Module MSOnline
Connect-MsolService

You can get the information about user MFA status from the StrongAuthenticationMethods attribute:

Get-MsolUser –UserPrincipalName t.muller@woshub.onmicrosoft.com | Select-Object UserPrincipalName,StrongAuthenticationMethods

If the StrongAuthenticationMethods attribute is not empty, then MFA is enabled for the user. You can find out what type of MFA is configured for the user:

(Get-MsolUser –UserPrincipalName t.muller@woshub.onmicrosoft.com). StrongAuthenticationMethods

The screenshot below shows that the user has Microsoft Authenticator App enabled as a second MFA factor (PhoneAppNotification — IsDefault=True ).

get mfa status and auth method of azure ad user with powershell

Microsoft Modern authentication allows four types of authentication as a second factor for users:

  • OneWaySMS – standard SMS message;
  • TwoWayVoiceMobile – a user gets a one-time password in a phone call;
  • PhoneAppOTP – a user gets a one-time password (6 digital characters) using a hardware token or Microsoft Authenticator app;
  • PhoneAppNotification – authentication using the Microsoft Authenticator app.

To enable MFA for an Azure user:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationRequirements $sta

To force a user to change their current MFA method:

Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationMethods @()

To disable MFA for a user:

Get-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com | Set-MsolUser -StrongAuthenticationRequirements @()

You can use the following PowerShell script to get the MFA status for all users in an Azure tenant:

$Report = @()
$AzUsers = Get-MsolUser -All
ForEach ($AzUser in $AzUsers) {
$DefaultMFAMethod = ($AzUser.StrongAuthenticationMethods | ? { $_.IsDefault -eq "True" }).MethodType
$MFAState = $AzUser.StrongAuthenticationRequirements.State
if ($MFAState -eq $null) {$MFAState = "Disabled"}
$objReport = [PSCustomObject]@{
User = $AzUser.UserPrincipalName
MFAState = $MFAState
MFAPhone = $AzUser.StrongAuthenticationUserDetails.PhoneNumber
MFAMethod = $DefaultMFAMethod
}
$Report += $objReport
}
$Report

You can export the MFA report to a CSV file:

$Report| Export-CSV -NoTypeInformation -Encoding UTF8 c:\Reports\AzureUsersMFAstatus.csv

Or into an Out-GridView table:

$Report | Out-GridView

powershell - build azure users mfa report

The script is available in my GitHub repository: https://github.com/maxbakhub/winposh/blob/main/Azure/GetAzureMFAUsersReport.ps1

0 comment
0
Facebook Twitter Google + Pinterest
previous post
Fix: You’ll Need a New App to Open This Windows Defender Link
next post
Updating VMware ESXi Host from the Command Line

Related Reading

How to Remove (Demote) a Domain Controller in...

August 16, 2022

Managing Microsoft Teams with PowerShell

August 15, 2022

Manage Groups in Azure AD and Microsoft 365...

July 15, 2022

Invoke-WebRequest: Perform HTTP Requests, Download Files, Parse Web...

July 13, 2022

Configuring Port Forwarding in Windows

July 13, 2022

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • How to Remove (Demote) a Domain Controller in Active Directory?

    August 16, 2022
  • Configure SSL Connection Encryption in MS SQL Server

    August 15, 2022
  • Managing Microsoft Teams with PowerShell

    August 15, 2022
  • Using Windows Update Delivery Optimization in Local Networks

    July 21, 2022
  • How to Enable Two-Factor Authentication (2FA) for SSH on Linux?

    July 21, 2022
  • How to Install and Configure OpenVPN Server on Windows?

    July 18, 2022
  • Manage Groups in Azure AD and Microsoft 365 Using PowerShell

    July 15, 2022
  • Windows Setup Couldn’t Create a New Partition

    July 15, 2022
  • Invoke-WebRequest: Perform HTTP Requests, Download Files, Parse Web with PowerShell

    July 13, 2022
  • Configuring Port Forwarding in Windows

    July 13, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Whitelist Domains and Email Addresses on Exchange Server and Microsoft 365
  • Checking User Sign-in Logs in Azure AD (Microsoft 365)
  • How to Reset User Password in Azure Active Directory (Microsoft 365)?
  • Enabling Modern or Basic Authentication for Microsoft 365
  • Get User or Group Creation Date in Azure AD (or MS365) with PowerShell
  • Manage Groups in Azure AD and Microsoft 365 Using PowerShell
  • How to Hide Users and Groups from the Global Address List on Exchange/Office 365?
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top