April 6, 2017 at 12:59 pm

We're rolling out multifactor authentication (MFA) across the company and I'm trying to find a way in PowerShell to look a person up and see their authentication type and then change it if necessary. It would be especially helpful to be able to change by GroupID as we're rolling it out by OU. Any ideas?

April 10, 2017 at 2:08 am

Hi Steven,

This blog on TechNet has some PowerShell examples at the bottom of the page:
https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/

It looks like you could do something like this (I have not tested this):

$upn = "user@example.com" # placeholder: UPN of the user to change
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled" # Options are Enabled or Enforced
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $auth

If you have a CSV file with who is to be enabled, you could import it in a script and cycle through each user to enable them. Hopefully that points you in the right direction.

April 10, 2017 at 7:04 pm

I figured it out! It's not very elegant but it gets the job done:

#$jdoe = Get-Credential
#Connect-MsolService -Credential $jdoe
$users = Get-MsolUser -All

# MULTIFACTOR STATUS
foreach ($user in $users) {
    if ($user.StrongAuthenticationRequirements.State -ne "Enforced") {
        # AUTH NOT ON
        Write-Host "NOT ON" $user.DisplayName -BackgroundColor Red
    } else {
        # AUTH ON
        Write-Host "ON" $user.DisplayName
    }
}

# MULTIFACTOR DETAILS BY ACTIVE USER

April 10, 2017 at 7:08 pm

Thanks for pointing me in the right direction

April 11, 2017 at 1:30 pm

Tip: Get in the habit of creating objects rather than using Write-Host. The data is then reusable. Write-Host should be reserved for troubleshooting.

$users = Get-MsolUser -All

# Emit one object per user so the result can be filtered, exported or displayed
$authreport = foreach ($user in $users) {
    [pscustomobject]@{
        StrongAuth  = $user.StrongAuthenticationRequirements.State
        DisplayName = $user.DisplayName
    }
}

#$authreport
#$authreport | export-csv ...
#$authreport | out-gridview
#$authreport | ? {$_.strongauth -eq 'Enforced'}
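
The replies above combined into one CSV-driven rollout script, as an added example that is not code from any poster in this thread: it reads each user's current state, changes it only when needed, never drops an already Enforced user back to Enabled, and returns objects for reporting. The function name Set-MfaState, the 'Disabled' label for an empty state, and the example.com addresses are assumptions made for this example; it expects the MSOnline module with Connect-MsolService already run.

```powershell
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
# Constructed sample input; in practice: $targets = Import-Csv .\mfa-users.csv
$targets = @'
UserPrincipalName
jdoe@example.com
asmith@example.com
'@ | ConvertFrom-Csv

function Set-MfaState {   # hypothetical helper name, not an MSOnline cmdlet
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')]
        [string]$State = 'Enabled'
    )
    process {
        $before = $null; $after = $null
        try {
            $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
            # State is empty when the user has no per-user MFA requirement
            $before = [string]$user.StrongAuthenticationRequirements.State
            if (-not $before) { $before = 'Disabled' }   # label used by this example
            $after = $before
            if ($before -eq $State -or $before -eq 'Enforced') {
                # Already at the target, or stricter than it: do not downgrade
                $result = 'Unchanged'
            }
            elseif ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set MFA state to $State")) {
                $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
                $req.RelyingParty = '*'
                $req.State = $State
                Set-MsolUser -UserPrincipalName $UserPrincipalName `
                    -StrongAuthenticationRequirements @($req) -ErrorAction Stop
                $after = $State; $result = 'Changed'
            }
            else { $result = 'Skipped' }   # -WhatIf, or the change was declined
        }
        catch { $result = "Error: $($_.Exception.Message)" }
        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Before = $before; After = $after; Result = $result
        }
    }
}

# Dry run first (-WhatIf makes no changes), then rerun without it.
$report = $targets | Set-MfaState -State Enabled -WhatIf
$report | Format-Table -AutoSize
```

Keeping $report (for example with Export-Csv) gives a before/after record of each rollout wave.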