Office 365: Enable Multi Factor Authentication with PowerShell

Now that Multi Factor Authentication is free in Office 365 for all users, you might want to automate the activation of the service. And yes, you guessed it right, the way to do that is with PowerShell! 🙂 If you are running Office 365 on a Small Business or Small Business Premium plan, this is currently the only way to enable MFA.

In this case we use the Windows Azure Active Directory Module for Windows PowerShell, which can be downloaded from here.

Enable Multi-Factor Authentication for users with PowerShell
In order to enable MFA for a user with PowerShell, we need to create a Microsoft.Online.Administration.StrongAuthenticationRequirement object, set the required settings on it, and write it into the user's StrongAuthenticationRequirements attribute.

Note: After enabling MFA, the user will have to log in through the portal and enroll their MFA methods (and create any app passwords they need) before they will be able to log on to the services again.

#Create the StrongAuthenticationRequirement object and insert the required settings
#(RelyingParty "*" means the requirement applies to all relying parties/services)
$mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"
#StrongAuthenticationRequirements expects an array, even for a single requirement
$mfa = @($mf)
#Enable MFA for a user
Set-MsolUser -UserPrincipalName aaron.beverly@365lab.net -StrongAuthenticationRequirements $mfa

#Enable MFA for all users (use with CAUTION! every user will be forced to enroll at next logon)
Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfa

#Disable MFA for a user by writing an empty array to the attribute
$mfa = @()
Set-MsolUser -UserPrincipalName aaron.beverly@365lab.net -StrongAuthenticationRequirements $mfa


Find your Multi Factor Authentication enabled users
If we want to know which users have MFA enabled, the attribute StrongAuthenticationRequirements tells us that MFA is required for a user, and the attribute StrongAuthenticationMethods tells us that a user has actually enrolled their MFA methods (phone, app, text etc.). A user can have the first without the second, which means they have been enabled but have not yet completed enrollment.

#Find all MFA enabled users (-All is needed, otherwise Get-MsolUser only returns the first 500 users)
Get-MsolUser -All | Where-Object {$_.StrongAuthenticationRequirements -like "*"} | select UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

#Find all MFA enabled users that have enrolled their MFA methods
Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -like "*"} | select UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

As seen in the screenshot below, only one of my MFA enabled users has actually enrolled their MFA methods.

Not too hard, right? Consider adding this as a step for certain users (e.g. admins or other user groups) in your automated process of enabling users in Office 365.
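Putting the two posts' snippets together, here is an added example (not code from the original post) that enables MFA for every member of the Company Administrator role that does not have it yet, then reports who still has to enroll their methods. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the Get-MfaState function name is my own.

```powershell
# Added example: enforce MFA on Global Admins and report enrollment gaps.
# Assumes: MSOnline module loaded, Connect-MsolService already run.

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # Classify a Get-MsolUser object by the two attributes discussed in the post:
    # a requirement set (MFA enabled) and methods enrolled (user completed setup).
    $required = ($User.StrongAuthenticationRequirements | Measure-Object).Count -gt 0
    $enrolled = ($User.StrongAuthenticationMethods | Measure-Object).Count -gt 0
    if ($required -and $enrolled) { return 'EnabledAndEnrolled' }
    if ($required)                { return 'EnabledNotEnrolled' }
    if ($enrolled)                { return 'EnrolledNotRequired' }
    return 'NoMfa'
}

# Same requirement object the post builds, with State set explicitly
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
$mfa = @($req)

# Resolve the Global Administrator role and its user members (skip groups/SPNs)
$role   = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
          Where-Object { $_.RoleMemberType -eq 'User' }

$report = foreach ($member in $admins) {
    $user   = Get-MsolUser -ObjectId $member.ObjectId
    $before = Get-MfaState -User $user
    if ($before -in 'NoMfa', 'EnrolledNotRequired') {
        # Only touch admins that are not yet required to use MFA
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements $mfa
        $user = Get-MsolUser -ObjectId $member.ObjectId   # re-read to confirm the change
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        StateBefore       = $before
        StateAfter        = Get-MfaState -User $user
    }
}

$report | Format-Table -AutoSize
# Admins now required to use MFA but not yet enrolled: they will be prompted at next logon
$report | Where-Object { $_.StateAfter -eq 'EnabledNotEnrolled' }
```

Run it once with the Set-MsolUser line commented out to see the "before" states for your tenant before changing any admin account.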


Windows Azure Multi Factor Authentication in Office 365

Windows Azure Multi Factor Authentication is a great service/product that gives you a complete MFA solution both on premises and in the cloud. The best thing is that as of yesterday, it's free for all accounts and not just for admin accounts.

Now you don't have any excuse not to secure your admin accounts, which potentially have access to many thousands of email accounts and other sensitive information.

One thing I had not tested until today was activating MFA for a federated administrator (a DirSynced account with global administrator rights).
It works completely transparently for the user/admin: they log on as they normally do through the ADFS server, and then Azure MFA kicks in and requires the additional authentication.
How awesome is that?

Here’s how to activate MFA for an admin user (regardless if you’re using ADFS or not):

1. Log on to the O365 portal, go to users and groups, find the "Set Multi-factor authentication requirements" row and click "Set up".

2. Choose the account(s) that you want to enable MFA for, click enable and then confirm by enabling MFA.

3. After MFA is activated, at the next logon the admin has to provide additional information about the preferred second factor of authentication. The process to enroll devices is as follows.
Personally, I prefer using the mobile app as the second factor of authentication since it's the easiest method, but it's also possible to use text messages and phone calls for that.
After verifying the activation with the Multi Factor Authentication app on my phone, I'm almost set, apart from one thing.
If you intend to use this account to connect to Office 365 with Outlook or ActiveSync, you will also need to create one or more app passwords. These are static passwords that can be used in cases where MFA doesn't work.

After creating any app passwords you need, you have now configured the specific account for multi factor authentication. Note that Microsoft is planning to add native multi-factor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and OneDrive for Business, with a release date planned for later in 2014.

Was it Hard? – No!
Should you use it whenever possible? – Yes!

Now, what's your excuse for not activating Windows Azure Multi Factor Authentication for your admin accounts?