Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Azure / Enable or Disable MFA for Users in Azure/Microsoft 365

April 27, 2022 AzureMicrosoft 365PowerShell

Enable or Disable MFA for Users in Azure/Microsoft 365

You can enable, disable, or get the Multi-Factor Authentication (MFA) status for users in your Azure/Microsoft 365 tenant using Azure Portal, Microsoft 365 Admin Center, or PowerShell. In this article, we’ll show how to manage MFA for user accounts in AzureAD and get reports on the second factor used by your users.

We suppose that you manage MFA on a per-user basis and not with the Azure Conditional Access policies.

You can access a web page with the MFA status for all users in two ways:

  • Microsoft 365 Admin Center -> Active Users -> Multi-factor authentication.
  • Portal Azure -> Azure AD-> Users -> Per-user MFA

configure multi-factor authentication in Microsoft 365 Admin Center

You will see a list of all users in your tenant and the MFA status for each of them. Available MFA statuses are:

  • Disabled – multi-factor authentication is disabled (by default, for all new users);
  • Enabled – MFA is enabled, but a user is still using standard authentication until they select the MFA method themselves;
  • Enforced –  a user will be forced to register a second MFA factor at the next logon. Enable/disable MFA for Azure AD User

You can enable, disable, reset, or configure MFA for each user using buttons in the Quick Steps panel on the right.

The report doesn’t show if a user completed the MFA setup and which second factor he has selected. Also, you cannot export the contents of the page to a TXT/CSV file. It is easier to use PowerShell to manage users’ MFA in Microsoft 365 and build reports.

Now you can enable/disable MFA for Azure (Microsoft 365) users in PowerShell using the MSOnline module or Microsoft Graph API.

You cannot currently manage MFA with the latest version of the AzureAD module.

Install the MSOnline module (if needed) and connect to your tenant:

Install-Module MSOnline
Connect-MsolService

You can get the information about user MFA status from the StrongAuthenticationMethods attribute:

Get-MsolUser –UserPrincipalName t.muller@woshub.onmicrosoft.com | Select-Object UserPrincipalName,StrongAuthenticationMethods

If the StrongAuthenticationMethods attribute is not empty, then MFA is enabled for the user. You can find out what type of MFA is configured for the user:

(Get-MsolUser –UserPrincipalName t.muller@woshub.onmicrosoft.com). StrongAuthenticationMethods

The screenshot below shows that the user has Microsoft Authenticator App enabled as a second MFA factor (PhoneAppNotification — IsDefault=True ).

get mfa status and auth method of azure ad user with powershell

Microsoft Modern authentication allows four types of authentication as a second factor for users:

  • OneWaySMS – standard SMS message;
  • TwoWayVoiceMobile – a user gets a one-time password in a phone call;
  • PhoneAppOTP – a user gets a one-time password (6 digital characters) using a hardware token or Microsoft Authenticator app;
  • PhoneAppNotification – authentication using the Microsoft Authenticator app.

To enable MFA for an Azure user:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationRequirements $sta

To force a user to change their current MFA method:

Set-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com -StrongAuthenticationMethods @()

To disable MFA for a user:

Get-MsolUser -UserPrincipalName t.muller@woshub.onmicrosoft.com | Set-MsolUser -StrongAuthenticationRequirements @()

You can use the following PowerShell script to get the MFA status for all users in an Azure tenant:

$Report = @()
$AzUsers = Get-MsolUser -All
ForEach ($AzUser in $AzUsers) {
$DefaultMFAMethod = ($AzUser.StrongAuthenticationMethods | ? { $_.IsDefault -eq "True" }).MethodType
$MFAState = $AzUser.StrongAuthenticationRequirements.State
if ($MFAState -eq $null) {$MFAState = "Disabled"}
$objReport = [PSCustomObject]@{
User = $AzUser.UserPrincipalName
MFAState = $MFAState
MFAPhone = $AzUser.StrongAuthenticationUserDetails.PhoneNumber
MFAMethod = $DefaultMFAMethod
}
$Report += $objReport
}
$Report

You can export the MFA report to a CSV file:

$Report| Export-CSV -NoTypeInformation -Encoding UTF8 c:\Reports\AzureUsersMFAstatus.csv

Or into an Out-GridView table:

$Report | Out-GridView

powershell - build azure users mfa report

The script is available in my GitHub repository: https://github.com/maxbakhub/winposh/blob/main/Azure/GetAzureMFAUsersReport.ps1

1 comment
1
Facebook Twitter Google + Pinterest
previous post
Fix: You’ll Need a New App to Open This Windows Defender Link
next post
Updating VMware ESXi Host from the Command Line

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

View Success and Failed Local Logon Attempts on...

May 2, 2023

Fix: “Something Went Wrong” Error When Installing Teams

May 2, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Checking User Sign-in Logs in Azure AD (Microsoft 365)
  • Whitelist Domains and Email Addresses on Exchange Server and Microsoft 365
  • Enabling Modern or Basic Authentication for Microsoft 365
  • How to Reset User Password in Azure Active Directory (Microsoft 365)?
  • Regional Mailbox Settings (Language, TimeZone) in Outlook, Exchange, and Microsoft 365
  • IdFix: Preparing On-Prem Active Directory Sync with Azure
  • Configuring UserPrincipalName and UPN Suffixes in Active Directory
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top