As an organization that values security, enabling Multi-Factor Authentication (MFA) for users in your Azure or Microsoft 365 tenant is essential. This article provides a thorough guide on how to enable, disable, or retrieve MFA status for users in Azure and Microsoft 365 using the Azure Portal, the Microsoft 365 Admin Center, and PowerShell.
Accessing MFA Status for All Users
You can view the MFA status for all users in your tenant through the following methods:
- Microsoft 365 Admin Center: Navigate to Active Users > Multi-factor authentication.
- Azure Portal: Go to Azure AD > Users > Per-user MFA.
Each user has one of the following MFA statuses:
- Disabled: MFA is disabled (default for new users)
- Enabled: MFA is enabled, but users continue using standard authentication until they select the MFA method themselves.
- Enforced: Users will be required to register a second MFA factor at their next login.
Managing MFA for Users with PowerShell
To manage users’ MFA in Microsoft 365 and build reports, PowerShell offers more flexibility. You can enable/disable MFA for Azure (Microsoft 365) users using the MSOnline module or Microsoft Graph API.
Installing the MSOnline Module and Connecting to Your Tenant
If you haven’t already, install the MSOnline module and connect to your tenant:
Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService
Retrieving MFA Information for a User
To get MFA information for a specific user, use the StrongAuthenticationMethods attribute:
Get-MsolUser -UserPrincipalName [email protected] | Select-Object UserPrincipalName, StrongAuthenticationMethods
If the StrongAuthenticationMethods attribute is not empty, MFA is enabled for the user. You can find out the configured MFA type for the user:
(Get-MsolUser -UserPrincipalName [email protected]).StrongAuthenticationMethods
Microsoft Modern authentication allows four types of authentication as a second factor for users:
- OneWaySMS: Standard SMS message
- TwoWayVoiceMobile: One-time password received via a phone call
- PhoneAppOTP: One-time password (6 digits) using a hardware token or Microsoft Authenticator app
- PhoneAppNotification: Authentication using the Microsoft Authenticator app
Enabling MFA for an Azure User
To enable MFA for an Azure user, run the following commands:
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements $sta
Forcing a User to Change Their Current MFA Method
To require a user to change their current MFA method, use this command:
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationMethods @()
Disabling MFA for a User
To disable MFA for a user, execute the following command:
Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -StrongAuthenticationRequirements @()
Generating MFA Status Reports for All Users in an Azure Tenant
To generate MFA status reports for all users in an Azure tenant, use the following PowerShell script:
$Report = @()
$AzUsers = Get-MsolUser -All
ForEach ($AzUser in $AzUsers) {
$DefaultMFAMethod
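The report script above breaks off on this page. As an added example (not the original author's script), the following builds one report row per user from the StrongAuthenticationRequirements and StrongAuthenticationMethods attributes used earlier in this article. The helper name Get-MfaReportRow, the PendingRegistration column, the sample accounts, and the CSV path are assumptions made for illustration.

```powershell
# Added example. Get-MfaReportRow is a hypothetical helper, not an MSOnline cmdlet.
function Get-MfaReportRow {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # No StrongAuthenticationRequirements entry means per-user MFA is Disabled.
        $req = $User.StrongAuthenticationRequirements | Where-Object { $_ } |
            Select-Object -First 1
        $state = if ($req) { [string]$req.State } else { 'Disabled' }

        # Registered second factors; Where-Object drops a $null property value.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } |
            Select-Object -First 1 -ExpandProperty MethodType

        [PSCustomObject]@{
            UserPrincipalName   = $User.UserPrincipalName
            MfaState            = $state
            DefaultMfaMethod    = if ($default) { $default } else { 'None' }
            RegisteredMethods   = ($methods | ForEach-Object { $_.MethodType }) -join ', '
            # Enabled or Enforced without a registered method: the user has not
            # completed MFA registration yet.
            PendingRegistration = ($state -ne 'Disabled' -and $methods.Count -eq 0)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output, so this runs offline.
$sample = @(
    [PSCustomObject]@{
        UserPrincipalName                = 'alice@example.test'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
            [PSCustomObject]@{ MethodType = 'OneWaySMS'; IsDefault = $false })
    }
    [PSCustomObject]@{
        UserPrincipalName                = 'carol@example.test'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @()
    }
)
$sample | Get-MfaReportRow | Format-Table -AutoSize

# Live tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-MfaReportRow | Export-Csv .\MfaReport.csv -NoTypeInformation
```

Rows with PendingRegistration set to True are the accounts to follow up on first, since those users still sign in with a password only.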
