Azure AD Snippets

Info

All command snippets assume the following:

  • AzureAD module installed
  • MSOnline module (the Msol* cmdlets) installed
  • The signed-in user has the appropriate AAD role assigned to perform the tasks mentioned

MFA registered but authentication to services still fails

To verify whether the MFA registration was recorded successfully from the AAD perspective, execute the following:

Connect-MsolService
# Show the registered strong-auth methods and phone details for one user
Get-MsolUser -UserPrincipalName "[email protected]" | Select-Object DisplayName, StrongAuthenticationMethods, StrongAuthenticationPhoneDetail

  1. Ensure the signed-in user holds at least the User Administrator role
  2. Check whether the result looks like the following:
Display Name StrongAuthenticationMethod
[email protected] {}

If the result looks like the above, AAD did not detect a change in MFA registration and therefore still flags the user as not registered, even though the user has already added an MFA device to their profile.

As a precaution, cross-check the user's audit logs in the Azure Portal to confirm that the user did successfully register an MFA device.

Execute the following to force AAD to recognize MFA device registration:

$user = Get-MsolUser -UserPrincipalName "[email protected]"

# Authenticator app one-time passcode (secondary method)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType = "PhoneAppOTP"

# Authenticator app push notification (default method)
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $true
$m2.MethodType = "PhoneAppNotification"

$m = @($m1, $m2)

# Overwrite the user's registered methods so AAD records them as present
Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods $m
Info

The script above assumes the PowerShell session is already signed in with an AAD account holding at least the User Administrator role.

Re-run the first PowerShell command and you should now see the following:

Display Name StrongAuthenticationMethod
[email protected]

Users can now try authenticating with services again.


Export MFA registration rate for users in a given domain

Info

Requires at least a Global Reader AAD account

The command below lists every user in the domain and adds a calculated MFA Status column, which reads Enabled when the user has any StrongAuthenticationMethods registered and Disabled otherwise:

Connect-MsolService
# -All is required; without it only the first page of users is returned
Get-MsolUser -DomainName "abc.efg.com" -All | Select-Object DisplayName, UserPrincipalName, Department, @{N="MFA Status"; E={ if($_.StrongAuthenticationMethods -ne $null){"Enabled"} else {"Disabled"}}}
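The command above reports status per user; the following added example (not from the original page) extends it to compute the per-department registration rate the heading refers to and export the summary to CSV. It assumes Connect-MsolService has already run with at least Global Reader; the domain name, output path and the function name Get-MfaRegistrationRate are placeholders.

```powershell
# Added example: per-department MFA registration rate from Get-MsolUser output.
# Assumes Connect-MsolService has already run (Global Reader or higher).
function Get-MfaRegistrationRate {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OutputPath = ".\mfa-registration-rate.csv"
    )

    # Same per-user projection as the snippet above, plus the default method
    # so the report also shows how each registered user will be prompted.
    $users = Get-MsolUser -DomainName $DomainName -All |
        Select-Object DisplayName, UserPrincipalName, Department,
            @{N = "MFA Status"; E = { if ($_.StrongAuthenticationMethods) { "Enabled" } else { "Disabled" } }},
            @{N = "Default Method"; E = { ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType }}

    # Group by department (an empty Department becomes "(none)") and compute the rate.
    $summary = $users |
        Group-Object { if ($_.Department) { $_.Department } else { "(none)" } } |
        ForEach-Object {
            $enabled = @($_.Group | Where-Object { $_."MFA Status" -eq "Enabled" }).Count
            [pscustomobject]@{
                Department    = $_.Name
                Users         = $_.Count
                MfaEnabled    = $enabled
                MfaDisabled   = $_.Count - $enabled
                RegisteredPct = [math]::Round(100 * $enabled / $_.Count, 1)
            }
        } | Sort-Object RegisteredPct

    # Lowest-coverage departments come first, which is where follow-up belongs.
    $summary | Export-Csv -Path $OutputPath -NoTypeInformation
    return $summary
}

# Usage (domain is a placeholder):
Get-MfaRegistrationRate -DomainName "abc.efg.com" | Format-Table -AutoSize
```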

Mass Reset of MFA

Info

Requires at least a User Administrator AAD account

  1. Create a CSV file upn.csv with one column named UPN containing all the UPNs for which an MFA reset is required.
  2. Launch PowerShell and change to the folder containing that CSV file.
  3. Execute the following PowerShell command:

# Reset the registered MFA methods for every UPN listed in the CSV
Import-Csv upn.csv | ForEach-Object { Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $_.UPN }