Office 365: Enable Multi Factor Authentication with PowerShell

Now when Multi Factor Authentication is free in Office 365 for all users, you might want to automate the activation of the service. And yes, you guessed it right, the way to do that is with PowerShell! 🙂 If you are running Office 365 in a Small Business or Small Business premium plan, this is currently the only way to enable MFA.

In this case we use the Windows Azure Active Directory Module for Windows PowerShell, which can be downloaded from here.

Enable Multi-Factor Authentication for users with PowerShell
In order to enable MFA for a user with PowerShell, we need to use the the object Microsoft.Online.Administration.StrongAuthenticationRequirement and put that with some additional settings in to the StrongAuthenticationRequirements attribute.

Note: After enabling MFA, the user will have to login through the portal and enroll their MFA methods and eventual app passwords before they will be able to logon to the services again.

#Create the StrongAuthenticationRequirement object and insert required settings
$mf= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"
$mfa = @($mf)
#Enable MFA for a user
Set-MsolUser -UserPrincipalName aaron.beverly@365lab.net -StrongAuthenticationRequirements $mfa

#Enable MFA for all users (use with CAUTION!)
Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfa

#Disable MFA for a user
$mfa = @()
Set-MsolUser -UserPrincipalName aaron.beverly@365lab.net -StrongAuthenticationRequirements $mfa

MFA_2

Find your Multi Factor Authentication enabled users
If we want to know what users that have MFA enabled, the attribute StrongAuthenticationRequirements tells us that a user has MFA enabled, and the attribute StrongAuthenticationMethods tells us that a user has enrolled their MFA methods (Phone, App, Text etc.).

#Find all MFA enabled users
Get-MsolUser | Where-Object {$_.StrongAuthenticationRequirements -like "*"}  | select UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

#Find all MFA enabled users that have enrolled their MFA methods
Get-MsolUser | Where-Object {$_.StrongAuthenticationMethods -like "*"}  | select UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

As seen in the screenshot below, only one of my MFA enabled users have actually enrolled their MFA methods.
MFA-Enabled-Enrolled

Not to hard, right? Consider adding this as a step for certain users (eg. admins or other user groups) in your automated process of enabling users in Office 365.

/Johan

Advertisements

3 thoughts on “Office 365: Enable Multi Factor Authentication with PowerShell

  1. Pingback: Office 365 – Multi Factor Authentication support part 1. – Enable MFA in tenant from admin point of view | FICILITY.NET

  2. Michael Carr

    Please note that users with two-factor authentication enabled CANNOT log in via PowerShell because Microsoft has not provided a way to do this. This means that administrators (the people with the most security access) must continue to use single-factor authentication. If you think PowerShell should allow two-factor authentication for administrators, vote for the idea here: https://office365.uservoice.com/forums/264636-general/suggestions/10630620-admin-to-use-o365-powershell-with-two-factor

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s