Check/Change Authentication Type [O365]

This topic contains 4 replies, has 3 voices, and was last updated by Dan Potter 2 weeks ago.

  • #68107
    Steven Switz
    Participant

    We're rolling out multifactor authentication (MFA) across the company and I'm trying to find a way in PowerShell to look a person up and see their authentication type and then change it if necessary. It would be especially helpful to be able to change by GroupID as we're rolling it out by OU. Any ideas?

  • #68388
    Jeff Brown
    Participant

    Hi Steven,

    This blog on TechNet has some PowerShell examples at the bottom of the page:
    https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/

    It looks like you could do something like this (I have not tested this):

    $upn = "user@example.com" # placeholder: UPN of the user to change
    $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $auth.RelyingParty = "*"
    $auth.State = "Enabled" # Options are Enabled or Enforced
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $auth

    If you have a CSV file with who is to be enabled, you could import it in a script and cycle through each user to enable them. Hopefully that points you in the right direction.

    • #68451
      Steven Switz
      Participant

      Thanks for pointing me in the right direction

  • #68448
    Steven Switz
    Participant

    I figured it out! It's not very elegant but it gets the job done:

    #$jdoe = Get-Credential
    #Connect-MsolService -Credential $jdoe
    $users = Get-MsolUser -All

    # MULTIFACTOR STATUS
    # Anything other than "Enforced" (including "Enabled") is reported as NOT ON
    foreach ($user in $users) {
        if ($user.StrongAuthenticationRequirements.State -ne "Enforced") {
            # AUTH NOT ON
            Write-Host "NOT ON" $user.DisplayName -BackgroundColor Red
        } else {
            # AUTH ON
            Write-Host "ON" $user.DisplayName
        }
    }
    
    # MULTIFACTOR DETAILS BY ACTIVE USER
    
  • #68481
    Dan Potter
    Participant

    Tip: Get in the habit of creating objects rather than using Write-Host. The data is then reusable. Write-Host should be reserved for troubleshooting.

    
    
    $users = Get-MsolUser -All

    # Emit one object per user so the result can be filtered, exported or displayed
    $authreport = foreach ($user in $users) {
        [pscustomobject]@{
            StrongAuth  = $user.StrongAuthenticationRequirements.State
            DisplayName = $user.DisplayName
        }
    }

    #$authreport
    #$authreport | Export-Csv ...
    #$authreport | Out-GridView
    #$authreport | ? {$_.StrongAuth -eq 'Enforced'}
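
The original question asked about checking and changing MFA state by group, which none of the posted snippets cover. The following is an added example, not code from any poster in this thread: it combines the lookup and the change for the members of one group and returns objects rather than console text. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name Set-GroupMfaState and the GUID in the usage comment are hypothetical.

```powershell
# Added example. Set-GroupMfaState is a hypothetical helper name.
# Assumes an existing MSOnline session (Connect-MsolService already run).
function Set-GroupMfaState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [Guid]$GroupObjectId,

        [ValidateSet('Enabled', 'Enforced')]
        [string]$State = 'Enabled'
    )

    # Only user members carry an MFA state; skip nested groups and contacts.
    $members = Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'User' }

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId
        # An empty StrongAuthenticationRequirements list means per-user MFA is off.
        $current = @($user.StrongAuthenticationRequirements)[0].State
        if (-not $current) { $current = 'Disabled' }

        # Never downgrade: an Enforced user is left alone when Enabled is requested.
        $needsChange = ($current -eq 'Disabled') -or
                       ($current -eq 'Enabled' -and $State -eq 'Enforced')
        $changed = $false
        if ($needsChange -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set MFA state to $State")) {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = '*'
            $req.State = $State
            Set-MsolUser -ObjectId $user.ObjectId -StrongAuthenticationRequirements @($req)
            $changed = $true
        }

        # One record per member, so the run can be exported as a rollout audit trail.
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName       = $user.DisplayName
            PreviousState     = $current
            Changed           = $changed
        }
    }
}

# Dry run first (constructed placeholder GUID), then drop -WhatIf to apply:
# Set-GroupMfaState -GroupObjectId '00000000-0000-0000-0000-000000000000' -WhatIf
```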
    
    
