Security Focus: Enable / Disable MFA on Azure AD Admin Account


Last week I presented a little function that I use to reset my Azure AD admin account passwords.

This week I want to show how to enable / disable Multi-Factor Authentication on an Azure AD account.
 
Enable


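# Build a strong authentication requirement that applies to all relying parties
$St = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$St.RelyingParty = "*"
# Set-MsolUser expects an array of requirements
$Sta = @($St)
Set-MsolUser -UserPrincipalName ifarr@contoso.com -StrongAuthenticationRequirements $Sta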

 

Disable


# An empty requirements array removes the MFA requirement from the account
$Sta = @()
Set-MsolUser -UserPrincipalName ifarr@contoso.com -StrongAuthenticationRequirements $Sta
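
To check the result of the Enable / Disable snippets across admin accounts, the following is an added example (not code from the original post). It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name Get-AdminMfaState and the default role name are assumptions made for illustration.

```powershell
# Added example: report the MFA state of every user in an Azure AD admin role.
# Get-AdminMfaState is a hypothetical helper name, not part of MSOnline.
function Get-AdminMfaState {
    param(
        # Assumed default; pass any role name returned by Get-MsolRole.
        [string]$RoleName = 'Company Administrator'
    )

    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' not found." }

    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $user = Get-MsolUser -ObjectId $_.ObjectId
            $req  = $user.StrongAuthenticationRequirements
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                # An empty requirements list is what the Disable snippet writes.
                MfaState          = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
                # Zero methods means the user has not yet registered
                # any verification details, even if MFA is enabled.
                MethodsRegistered = $user.StrongAuthenticationMethods.Count
            }
        }
}

# List admin accounts that currently have no MFA requirement set.
Get-AdminMfaState | Where-Object { $_.MfaState -eq 'Disabled' }
```

An account that shows a non-Disabled MfaState with MethodsRegistered at 0 has the requirement set but has not completed registration.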

 

Comments (3)

  1. turbomcp says:

    Great stuff
    Thanks

  2. JosephK says:

    Exactly what I was looking for: how to disable MFA for an O365 user via PowerShell.

  3. Paul Mooij says:

    Hi Ian,

    Enforcing MFA still requires the user to provide the additional security verification details themselves…
    Preferably, I would pre-populate those fields with the known Email and Mobile Phone number.
    I’ve been able to set up these details in a local object (see snippet below), but how do I update the user with this?!?

    Thanks for your reply!

    # Set MFA User Details?
    $sad = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationUserDetails
    $sad.PhoneNumber = $user.MobilePhone
    $sad.Email = $user.AlternateEmailAddresses
    $sad
    # -> How to SET the MFA properties to the User?!? Set-MsolUser has no parameter to do so…
