Azure

    Managing MFA for Users in Azure and Microsoft 365: A Comprehensive Guide

    By Updated:No Comments3 Mins Read
    As an organization that values security, enabling Multi-Factor Authentication (MFA) for users in your Azure or Microsoft 365 tenant is essential. This article provides a thorough guide on how to enable, disable, or retrieve MFA status for users in Azure and Microsoft 365 using Azure Portal, Microsoft 365 Admin Center, and PowerShell.

    Accessing MFA Status for All Users

    You can view the MFA status for all users in your tenant through the following methods:
    1. Microsoft 365 Admin Center: Navigate to Active Users > Multi-factor authentication.
    2. Azure Portal: Go to Azure AD > Users > Per-user MFA.
    The MFA statuses available for each user are:
    • Disabled: MFA is disabled (default for new users)
    • Enabled: MFA is enabled, but users continue using standard authentication until they select the MFA method themselves.
    • Enforced: Users will be required to register a second MFA factor at their next login.

    Managing MFA for Users with PowerShell

    To manage users’ MFA in Microsoft 365 and build reports, PowerShell offers more flexibility. You can enable/disable MFA for Azure (Microsoft 365) users using the MSOnline module or Microsoft Graph API.

    Installing the MSOnline Module and Connecting to Your Tenant

    If you haven’t already, install the MSOnline module and connect to your tenant:
    Copy Text 
    Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService

    Retrieving MFA Information for a User

    To get MFA information for a specific user, use the StrongAuthenticationMethods attribute:
    Copy Text 
    Get-MsolUser –UserPrincipalName [email protected] | Select-Object UserPrincipalName, StrongAuthenticationMethods
    If the StrongAuthenticationMethods attribute is not empty, MFA is enabled for the user. You can find out the configured MFA type for the user:
    Copy Text 
    (Get-MsolUser –UserPrincipalName [email protected]).StrongAuthenticationMethods

    Microsoft Modern authentication allows four types of authentication as a second factor for users:

    • OneWaySMS: Standard SMS message
    • TwoWayVoiceMobile: One-time password received via a phone call
    • PhoneAppOTP: One-time password (6-digit characters) using a hardware token or Microsoft Authenticator app
    • PhoneAppNotification: Authentication using the Microsoft Authenticator app

    Enabling MFA for an Azure User

    To enable MFA for an Azure user, run the following command:
    Copy Text 
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $st.RelyingParty = "*" $st.State = "Enabled" $sta = @($st) Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements $sta

    Forcing a User to Change Their Current MFA Method

    To require a user to change their current MFA method, use this command:
    Copy Text 
    Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationMethods @()

    Disabling MFA for a User

    To disable MFA for a user, execute the following command:

    Copy Text 
    Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -StrongAuthenticationRequirements @()

    Generating MFA Status Reports for All Users in an Azure Tenant

    To generate MFA status reports for all users in an Azure tenant, use the following PowerShell script:

    Copy Text 
    $Report = @() $AzUsers = Get-MsolUser -All ForEach ($AzUser in $AzUsers) { $DefaultMFAMethod
    Share.

    Leave A Reply