Pre-Provisioning Microsoft Azure Multi-Factor Authentication for Users

If you enable or enforce Azure Multi-Factor Authentication for your users, you will most likely have seen the wizard that user goes through in order to properly provision Multi-Factor Authentication for their account.

As an administrator, you might want to ease this process to the end-user and pre-provision Multi-Factor Authentication in Microsoft Azure Active Directory.

First, make sure that the users Mobile Phone Number is properly set in Microsoft Azure Active Directory. (If you are using the Directory Synchronization Tool (DirSync) or the Windows Azure Active Directory Connector for FIM 2010 R2, the user's mobile phone number will by synchronized from Active Directory automatically.)

If that's set, you can enable and configure Multi-Factor Authentication by using PowerShell:

$upn = ""

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enforced"

$sta = @($st)

$sm1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm1.IsDefault = $true
$sm1.MethodType = "OneWaySMS"

$sm2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm2.IsDefault = $false
$sm2.MethodType = "TwoWayVoiceMobile"

$sm = @($sm1, $sm2)

Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $sta -StrongAuthenticationMethods $sm

By using this script, Multi-Factor Authentication for the user will be enabled for all applications in Azure Active Directory (this is the $st variable in the code). After we enable MFA, we need to provide Azure with the methods we want to use for MFA. In this case, we enable two methods; the PIN Text Message (OneWaySMS) and the voice call (TwoWayVoiceMobile). The default authentication method is OneWaySMS. These two methods are held in the $sm variable.

Last, we update the user using the Set-MsolUser command.

Comments (3)
  1. Adam Reid says:

    Hi I’ve been looking for a way to report all users that have been imported in AAD, but DO NOT have MFA enabled or enforced.
    In the MFA portal these show as disabled however there is no way I can work out to return a list of users who are not enabled/enforced for MFA.

    The reason behind this would be to run a powershell task daily to enable any non MFA enabled/enforced users to be enabled.

    1. You can use the Get-MsolUser commandlet, and check the StrongAuthenticationMethods. If you expand that property, you will see the enabled options. If all are false, the user does not have MFA enabled.

  2. pgarm says:

    Hi Tino,
    I hope you don’t mind if I hijack the discussion a bit. Is there any way to enforce use of phone from mobile field for MFA?
    In the setup you suggest in this post, users have to authenticate once using OneWaySMS with preconfigured number, but later can change it to whatever they want. I’ve been able to construct proper details object, just couldn’t find a way to write it to user.

    $saud = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationUserDetails
    $saud.PhoneNumber = “+18005551234”
    $saud.Email = “”
    $saud.AlternativePhoneNumber = “+18005555555”

    I’ve got a customer who sees this as a potential security issue, not being able to control where the sms goes.

Comments are closed.

Skip to main content