Windows OS Hub

April 27, 2022 | Azure, Microsoft 365, PowerShell

Enable or Disable MFA for Users in Azure/Microsoft 365

You can enable, disable, or get the Multi-Factor Authentication (MFA) status for users in your Azure/Microsoft 365 tenant using the Azure Portal, Microsoft 365 Admin Center, or PowerShell. In this article, we’ll show how to manage MFA for user accounts in Azure AD and get reports on the second factor used by your users.

We assume that you manage MFA on a per-user basis and not with Azure Conditional Access policies.

You can access a web page with the MFA status for all users in two ways:

  • Microsoft 365 Admin Center -> Active Users -> Multi-factor authentication.
  • Azure Portal -> Azure AD -> Users -> Per-user MFA.

[Screenshot: configure multi-factor authentication in Microsoft 365 Admin Center]

You will see a list of all users in your tenant and the MFA status for each of them. Available MFA statuses are:

  • Disabled – multi-factor authentication is disabled (by default, for all new users);
  • Enabled – MFA is enabled, but a user is still using standard authentication until they select the MFA method themselves;
  • Enforced – a user will be forced to register a second MFA factor at the next logon.

[Screenshot: Enable/disable MFA for Azure AD User]

You can enable, disable, reset, or configure MFA for each user using buttons in the Quick Steps panel on the right.

The report doesn’t show whether a user has completed the MFA setup or which second factor they have selected. Also, you cannot export the contents of the page to a TXT/CSV file. It is easier to use PowerShell to manage users’ MFA in Microsoft 365 and build reports.

Now you can enable/disable MFA for Azure (Microsoft 365) users in PowerShell using the MSOnline module or Microsoft Graph API.

You cannot currently manage MFA with the latest version of the AzureAD module.

Install the MSOnline module (if needed) and connect to your tenant:

Install-Module MSOnline
Connect-MsolService

You can get the information about user MFA status from the StrongAuthenticationMethods attribute:

Get-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com | Select-Object UserPrincipalName,StrongAuthenticationMethods

If the StrongAuthenticationMethods attribute is not empty, then MFA is enabled for the user. You can find out what type of MFA is configured for the user:

(Get-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com).StrongAuthenticationMethods

The screenshot below shows that the user has the Microsoft Authenticator app enabled as a second MFA factor (PhoneAppNotification, IsDefault=True).

[Screenshot: get mfa status and auth method of azure ad user with powershell]

Microsoft Modern authentication allows four types of authentication as a second factor for users:

  • OneWaySMS – standard SMS message;
  • TwoWayVoiceMobile – a user gets a one-time password in a phone call;
  • PhoneAppOTP – a user gets a one-time password (6 digits) using a hardware token or Microsoft Authenticator app;
  • PhoneAppNotification – authentication using the Microsoft Authenticator app.

To enable MFA for an Azure user:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationRequirements $sta

To force a user to change their current MFA method:

Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationMethods @()

To disable MFA for a user:

Get-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com | Set-MsolUser -StrongAuthenticationRequirements @()

You can use the following PowerShell script to get the MFA status for all users in an Azure tenant:

# Collect per-user MFA state, phone number, and default method for every account
$AzUsers = Get-MsolUser -All
$Report = @(ForEach ($AzUser in $AzUsers) {
    # The default second factor is the registered method flagged IsDefault
    $DefaultMFAMethod = ($AzUser.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
    # An empty StrongAuthenticationRequirements list means per-user MFA is disabled
    $MFAState = $AzUser.StrongAuthenticationRequirements.State
    if ($null -eq $MFAState) { $MFAState = "Disabled" }
    [PSCustomObject]@{
        User      = $AzUser.UserPrincipalName
        MFAState  = $MFAState
        MFAPhone  = $AzUser.StrongAuthenticationUserDetails.PhoneNumber
        MFAMethod = $DefaultMFAMethod
    }
})
$Report

You can export the MFA report to a CSV file:

$Report | Export-Csv -NoTypeInformation -Encoding UTF8 -Path C:\Reports\AzureUsersMFAstatus.csv

Or into an Out-GridView table:

$Report | Out-GridView

[Screenshot: powershell - build azure users mfa report]

The script is available in my GitHub repository: https://github.com/maxbakhub/winposh/blob/main/Azure/GetAzureMFAUsersReport.ps1
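
The portal view described earlier does not show whether a user completed MFA setup; comparing each account's per-user state with its registered methods exposes that gap. The block below is an added example, not code from the article or its GitHub repository: the names Get-MfaRegistrationGap and New-SampleUser, the Finding labels, and the sample accounts are assumptions, constructed so it runs without a tenant.

```powershell
# Added example: classify each account by per-user MFA state vs. registered methods.
function Get-MfaRegistrationGap {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$User)
    process {
        foreach ($u in $User) {
            # No StrongAuthenticationRequirements entry means per-user MFA is Disabled
            $state = $u.StrongAuthenticationRequirements.State | Select-Object -First 1
            if (-not $state) { $state = 'Disabled' }
            # Drop $null so an unset attribute counts as zero registered methods
            $methods = @($u.StrongAuthenticationMethods | Where-Object { $_ })
            $default = ($methods | Where-Object { $_.IsDefault }).MethodType

            if ($methods.Count -eq 0 -and $state -eq 'Disabled') { $finding = 'NoMfa' }
            elseif ($methods.Count -eq 0) { $finding = 'RequiredNotRegistered' }
            elseif ($state -eq 'Disabled') { $finding = 'RegisteredNotRequired' }
            else { $finding = 'Registered' }

            [PSCustomObject]@{
                User          = $u.UserPrincipalName
                MFAState      = $state
                MethodCount   = $methods.Count
                DefaultMethod = $default
                Finding       = $finding
            }
        }
    }
}

# Hypothetical helper: builds an object shaped like Get-MsolUser output
function New-SampleUser($Upn, $State, $Methods) {
    $reqs = @()
    if ($State) { $reqs = @([PSCustomObject]@{ State = $State }) }
    $regs = @()
    foreach ($m in $Methods) {
        # The first listed method is treated as the default one
        $regs += [PSCustomObject]@{ MethodType = $m; IsDefault = ($regs.Count -eq 0) }
    }
    [PSCustomObject]@{ UserPrincipalName = $Upn
        StrongAuthenticationRequirements = $reqs; StrongAuthenticationMethods = $regs }
}

# Constructed sample accounts (not real users)
$sample = @(
    New-SampleUser 'enforced.app@contoso.example' 'Enforced' @('PhoneAppNotification', 'PhoneAppOTP')
    New-SampleUser 'enabled.pending@contoso.example' 'Enabled' @()
    New-SampleUser 'disabled.none@contoso.example' $null @()
    New-SampleUser 'disabled.sms@contoso.example' $null @('OneWaySMS')
)
$sample | Get-MfaRegistrationGap | Format-Table -AutoSize
```

Against a live tenant, after Connect-MsolService, pipe `Get-MsolUser -All` into the function instead of `$sample`.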
