Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) – PowerShell cmdlets – Part 6

Hi All,
LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂
In the last couple of articles we have been discussing Azure AD and authentication:
- Cloud Security- Introduction to Azure Security and Azure Security Center
- Cloud Security – Azure Active Directory authentication – Part 1
- Cloud Security – Azure Active Directory authentication – self-service password reset – Part 2
- Cloud Security – Azure Active Directory authentication – Configuring Multi Factor Authentication (MFA) – Part 3
- Cloud Security – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) with Conditional Access – Part 4
- Cloud Security – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) – Bulk user update – Part 5
In this article we will discuss the PowerShell cmdlets for configuring Multi-Factor authentication.
Take Away From This Article:
- How to configure Multi-Factor authentication using PowerShell cmdlets
So let's begin the FUN 🙂 Let's explore a few important PowerShell cmdlets related to Azure Multi-Factor authentication.
First, we need to connect to Azure Active Directory using Connect-MsolService.
To get the authentication methods registered for a user, including the default one:
$user = Get-MsolUser -UserPrincipalName prasham@knowledgejunction1.onmicrosoft.com
$user.StrongAuthenticationMethods

As we know, a user account can be in one of the following three states for Multi-Factor authentication:
- Enabled
- Disabled – Default state for a new user.
- Enforced
To check whether Multi-Factor authentication is enabled or disabled for a given user:
$user = Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com
$user.StrongAuthenticationRequirements

The user's StrongAuthenticationRequirements property has a “State” property, as shown in the above Fig.
The following sample cmdlets explore this in more detail:
#getting user details for - prasham1@knowledgejunction1.onmicrosoft.com
$user = Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com
#displaying user details
$user
#displaying user's MFA details
$user.StrongAuthenticationRequirements
#getting user details for - prasham1@knowledgejunction1.onmicrosoft.com
$user = Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com
#displaying user details
$user
#displaying user's MFA state - only shows the state - Enabled, or null if it is disabled
$user.StrongAuthenticationRequirements.State
#getting another user's details - prasham@knowledgejunction1.onmicrosoft.com
$user1 = Get-MsolUser -UserPrincipalName prasham@knowledgejunction1.onmicrosoft.com
#displaying user details
$user1
#displaying user's MFA details - note that MFA is disabled for this user
$user1.StrongAuthenticationRequirements

When Multi-Factor authentication is disabled for a user, “StrongAuthenticationRequirements” returns empty, as shown in the above Fig. For the user “prasham@knowledgejunction1.onmicrosoft.com” Multi-Factor authentication is disabled, so $user1.StrongAuthenticationRequirements returns nothing.
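Because a disabled user has no State value at all, a tenant-wide report has to map the empty case to "Disabled" explicitly. The following is an added example, not code from the original article: the function name Get-MfaStateReport and the sample objects are constructed for illustration, and it reads only the StrongAuthenticationRequirements and StrongAuthenticationMethods properties discussed above.

```powershell
# Added example: normalize per-user MFA state and registered methods for reporting.
function Get-MfaStateReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # The requirements collection is empty when per-user MFA is disabled,
        # so report "Disabled" instead of a blank value.
        $req   = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $state = if ($req.Count) { [string]$req[0].State } else { 'Disabled' }

        # Registered methods; the one flagged IsDefault is used first at sign-in.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = if ($default) { [string]$default.MethodType } else { 'None registered' }
            RegisteredMethods = $methods.Count
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real tenant data).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'enabled.user@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false })
    },
    [pscustomobject]@{
        UserPrincipalName                = 'disabled.user@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
    }
)
$sample | Get-MfaStateReport | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-MfaStateReport | Where-Object MfaState -eq 'Disabled'
```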
To change the state of Multi-Factor authentication for a user: in the example below we disable MFA for the user “prasham1@knowledgejunction1.onmicrosoft.com”.
#check the state for user => "prasham1@knowledgejunction1.onmicrosoft.com" => now it's enabled
$user = Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com
$user
$user.StrongAuthenticationRequirements
#disable Multi-Factor authentication for the above user by assigning an empty requirements array
Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com | Set-MsolUser -StrongAuthenticationRequirements @()
#read the user again to confirm that the requirements are now empty
$user = Get-MsolUser -UserPrincipalName prasham1@knowledgejunction1.onmicrosoft.com
$user.StrongAuthenticationRequirements

To enable Multi-Factor authentication for a given user, we need to create an instance of “Microsoft.Online.Administration.StrongAuthenticationRequirement”, set its State property and assign it to the user:
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta
Similarly, we can update users in bulk: read the users from a CSV file and loop through them, setting each user to the status given in the .CSV file. The following sample code updates Multi-Factor authentication for bulk users:

Import-Csv .\users.csv | ForEach-Object {
    $user = Get-MsolUser -UserPrincipalName $($_.Username)
    if ($_.MFAStatus -ne "Disabled") {
        #build a requirement object with State = Enabled
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enabled"
        $sta = @($st)
        #pass the UPN string, not the whole user object
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements $sta
    }
    else
    {
        #an empty requirements array disables MFA for the user
        Get-MsolUser -UserPrincipalName $($_.Username) | Set-MsolUser -StrongAuthenticationRequirements @()
    }
}
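The bulk loop above enables MFA for every row whose MFAStatus is anything other than "Disabled", which includes blank cells and typos. The following is an added example, not code from the original article: the function name Get-MfaChangePlan, the CurrentState lookup and the sample rows are constructed for illustration, and it builds a reviewable change plan without calling the tenant.

```powershell
# Added example: turn CSV rows into an explicit change plan before anything is written.
function Get-MfaChangePlan {
    param(
        [Parameter(Mandatory)][object[]]$Rows,          # Import-Csv rows: Username, MFAStatus
        [Parameter(Mandatory)][hashtable]$CurrentState  # UPN -> Enabled | Enforced | Disabled
    )
    foreach ($row in $Rows) {
        $upn     = "$($row.Username)".Trim()
        $desired = "$($row.MFAStatus)".Trim()
        $current = $CurrentState[$upn]
        $isOn    = $current -in 'Enabled', 'Enforced'

        # Blank or misspelled values are rejected; they never fall through to "enable".
        if (-not $upn -or $desired -notin 'Enabled', 'Disabled') { $action = 'Invalid' }
        elseif (-not $current)                                   { $action = 'UnknownUser' }
        elseif ($desired -eq 'Enabled' -and -not $isOn)          { $action = 'Enable' }
        elseif ($desired -eq 'Disabled' -and $isOn)              { $action = 'Disable' }
        else                                                     { $action = 'NoChange' }

        [pscustomobject]@{
            UserPrincipalName = $upn
            Current           = $current
            Requested         = $desired
            Action            = $action
        }
    }
}

# Constructed sample input (not real accounts); the third row carries a typo.
$rows = @'
Username,MFAStatus
alice@example.onmicrosoft.com,Enabled
bob@example.onmicrosoft.com,Disabled
carol@example.onmicrosoft.com,Enabeld
dave@example.onmicrosoft.com,Enabled
'@ | ConvertFrom-Csv

$state = @{
    'alice@example.onmicrosoft.com' = 'Disabled'
    'bob@example.onmicrosoft.com'   = 'Enabled'
    'carol@example.onmicrosoft.com' = 'Disabled'
    'dave@example.onmicrosoft.com'  = 'Enforced'
}

Get-MfaChangePlan -Rows $rows -CurrentState $state | Format-Table -AutoSize
```

Only rows whose Action is Enable or Disable need a Set-MsolUser call; Invalid and UnknownUser rows go back to whoever produced the CSV.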
We have very good series on Azure, lots of discussion on Azure, please visit – https://knowledge-junction.in/?s=azure
Thanks for reading 🙂 If it's worth at least reading once, kindly like and share. SHARING IS CARING 🙂
Enjoy the beautiful life 🙂 Have FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂