PowerShell Enable MFA for Office 365 Users

If you don’t have an Azure AD Premium license, you have only two options to enable MFA for your Office 365 users: turn it on for all users with the security defaults, or enable it manually for each user in the Admin Center > Active Users > Multi-factor Authentication.

Enabling MFA for each user manually can be a hideous task and is something you will have to do every time you create a new user. With PowerShell, we can easily select a group of users and enable MFA for them.

If you combine it with the script to find users without MFA enabled, you can even automate the whole process.

Enable Multi-Factor Authentication for Office 365 Users with PowerShell

Before we start with enabling MFA in Office 365 with PowerShell we need to connect to the Microsoft Online Service:

Connect-MsolService

To enable MFA with PowerShell we first need to create a StrongAuthenticationRequirement object with the required parameters. Next, we can set this object on each user that we want to enable MFA for.

# Create the StrongAuthenticationRequirement Object
$sa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$sa.RelyingParty = "*"
$sa.State = "Enabled"
$sar = @($sa)

# Enable MFA for the user
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sar

I have wrapped this in a function so we can easily pipe this behind another cmdlet (to select the users or based on a CSV file). The function will try to enable MFA for each user and output an object with the users and the status of MFA.

Function Set-MFAforUser {
<#
  .Synopsis
    Enables MFA for an Office 365 User

  .DESCRIPTION
    Enable MFA for a user, you can turn it on for a single user or input a list of users

  .NOTES
    Name: Set-MFAforUser
    Author: R. Mens - LazyAdmin.nl
    Version: 1.0
    DateCreated: jan 2021
    Purpose/Change: Initial script development

  .LINK
    https://lazyadmin.nl

  .EXAMPLE
    Set-MFAforUser -UserPrincipalName [email protected]

    Enable MFA for the user John Doe

  .EXAMPLE
    Import-Csv -Delimiter ";" -Path ("path\to\file\users-to-enable.csv") | Foreach-Object { Set-MFAforUser $_.UserPrincipalName }

    Enable MFA for all users in a CSV file
#>
  [CmdletBinding(DefaultParameterSetName="Default")]
  param(
    [Parameter(
      Mandatory = $true,
      ValueFromPipeline = $true,
      ValueFromPipelineByPropertyName = $true,
      ParameterSetName  = "UserPrincipalName",
      Position = 0
      )]
    # Enter a single UserPrincipalName or a comma separated list of UserPrincipalNames
    [string[]]$UserPrincipalName
  )

  Begin {}

  Process {
    if ($PSBoundParameters.ContainsKey('UserPrincipalName')) {
      foreach ($user in $UserPrincipalName) {
        try {
          # Src: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
          # Build the requirement object that switches per-user MFA to "Enabled"
          $sa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
          $sa.RelyingParty = "*"
          $sa.State = "Enabled"
          $sar = @($sa)

          # Apply the requirement to the current user; -ErrorAction Stop sends failures to the catch block
          Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sar -ErrorAction Stop

          # Report success for this user
          [PSCustomObject]@{
            UserPrincipalName = $user
            MFAEnabled        = $true
          }
        }
        catch {
          # Report failure for this user (the error itself is not rethrown)
          [PSCustomObject]@{
            UserPrincipalName = $user
            MFAEnabled        = $false
          }
        }
      }
    }else{
      Write-Verbose "No UserPrincipalName given"
    }
  }
}

You can also find the complete script here on my GitHub.

Wrapping up

Turning MFA on is really important when it comes to securing your environment. Security defaults are a great solution for smaller tenants, but they don’t work when you have system accounts, for example. By using PowerShell and a scheduled task, you can still automate enabling MFA in Office 365, keeping your accounts safe.
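
A sketch of the scheduled-task run mentioned above, combining the "find users without MFA" step with Set-MFAforUser while skipping system accounts. This is an added example, not part of the original script: the excluded account names and the log path are constructed placeholders, and it assumes the MSOnline module is still usable in your tenant, Connect-MsolService has already been run, and Set-MFAforUser is loaded in the session.

```powershell
# Added example (not from the original script).
# Constructed placeholders: system accounts that must keep signing in without MFA.
$excluded = @('svc-scanner@example.com', 'svc-backup@example.com')
$logPath  = Join-Path $env:TEMP 'mfa-enable-log.csv'   # hypothetical audit log location

# Enabled, licensed users that have no per-user MFA requirement set yet,
# minus the excluded system accounts. @() keeps the result an array even when empty.
$targets = @(
    Get-MsolUser -All -EnabledFilter EnabledOnly |
        Where-Object {
            $_.IsLicensed -and
            $_.StrongAuthenticationRequirements.Count -eq 0 -and
            $excluded -notcontains $_.UserPrincipalName
        }
)

Write-Output ("Users to enable MFA for: {0}" -f $targets.Count)

# Enable MFA per user and add a timestamp so every run leaves an audit trail.
$results = @(
    $targets |
        ForEach-Object { Set-MFAforUser -UserPrincipalName $_.UserPrincipalName } |
        Select-Object @{ Name = 'Timestamp'; Expression = { Get-Date -Format o } },
                      UserPrincipalName, MFAEnabled
)

if ($results.Count -gt 0) {
    $results | Export-Csv -Path $logPath -Append -NoTypeInformation
}

# Surface failures instead of silently ignoring them.
# Set-MFAforUser returns MFAEnabled = $false when Set-MsolUser threw an error.
$failed = @($results | Where-Object { -not $_.MFAEnabled })
if ($failed.Count -gt 0) {
    Write-Warning ("MFA could not be enabled for: " + ($failed.UserPrincipalName -join ', '))
    exit 1   # non-zero exit code so the scheduled task shows the run as failed
}
```

Review the exclusion list regularly: every account on it is an account without MFA, so it should stay as short as possible.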

If you have any questions, just drop a comment below.
