Script Repository

Manage multi-factor authentication for a user in Microsoft 365

May 05, 2021

The scripts can be used to enable or disable multi-factor authentication for a user in Microsoft 365 (Office 365). To execute the scripts, use the Run a program or PowerShell script action in a custom command, business rule or scheduled task. To connect to Microsoft 365, all the scripts use the credentials specified in the Run As section of the action settings.

For the scripts to work, you need to install the Microsoft Azure Active Directory Module for Windows PowerShell (the MSOnline module) on each computer where the Adaxes service is running.

Script 1: Enable MFA

PowerShell
Import-Module MSOnline

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

$authenticationRequirements = New-Object "Microsoft.Online.Administration.StrongAuthenticationRequirement"
$authenticationRequirements.RelyingParty = "*"
$authenticationRequirements.State = "Enabled"

# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements $authenticationRequirements

Script 2: Disable MFA

PowerShell
Import-Module MsOnline

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements @()

Script 3: Reset MFA

PowerShell
Import-Module MSOnline

# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Reset MFA
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "%userPrincipalName%"
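Added example, not one of the repository's own scripts: a status script built on the same conventions as the three above (the same $Context object, the same adm-O365ObjectId lookup and the same Run As credentials) that reads the user's per-user MFA state and registered methods and writes them to the execution log. It assumes Get-MsolUser returns StrongAuthenticationRequirements and StrongAuthenticationMethods for the user.

```powershell
Import-Module MSOnline

# Get Microsoft 365 Object ID (same lookup the scripts above use)
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365 with the credentials from the Run As section
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PSCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Read the per-user MFA requirement; an empty collection means per-user MFA is disabled
$user = Get-MsolUser -ObjectId $objectId
$requirements = @($user.StrongAuthenticationRequirements)
if ($requirements.Count -eq 0)
{
    $state = "Disabled"
}
else
{
    $state = $requirements[0].State   # "Enabled" (registration still pending) or "Enforced"
}

# Registered authentication methods; empty until the user completes MFA registration
$methods = @($user.StrongAuthenticationMethods)
if ($methods.Count -eq 0)
{
    $methodList = "none registered"
}
else
{
    $methodList = ($methods | ForEach-Object {
        if ($_.IsDefault) { "$($_.MethodType) (default)" } else { $_.MethodType }
    }) -join ", "
}

# Log as a warning when MFA is off so the entry stands out in the execution log
$level = if ($state -eq "Disabled") { "Warning" } else { "Information" }
$Context.LogMessage("MFA state for %fullname%: $state. Methods: $methodList", $level)
```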
Comments
Txaber Oct 02, 2019
Hello,

How could we make a script to know the activation status of MFA and display it on the Adaxes screen?

Thanks.
Support Oct 02, 2019
Paul Nov 12, 2019
When I put this script in my action, I get error -
"User Not Found. User: . Stack trace: at <ScriptBlock>, <No file>: line 22"
If I then run the script from the Admin Console, it applied, but not during the user creation sequence.
The sequence also assigns an Exchange licence, and that applies correctly.
Support Nov 12, 2019

Hello Paul,

As we understand, you are using the Enable MFA script. It should be executed only for users that have an account in Office 365. If you want to use the script in a Business Rule triggering After creating a user, the action executing the script should follow the Activate an Office 365 account action.
Paul Nov 15, 2019
Thanks. I actually had to put the script to sleep at the start for 15 seconds; the script was trying to enable MFA quicker than it could sync the new O365 account with Azure.

Start-Sleep -s 15
Import-Module MsOnline

# Get Office 365 Object ID
...
Matt Chapman Aug 06, 2020
Hi

MSOL has been deprecated and this will stop working when Microsoft remove basic authentication. Do you have a method which works with modern authentication?

Thanks
Support Aug 07, 2020

Hello Matt,

Basic authentication will be disabled only for Exchange Online. The scripts from this article will continue working. If you need to update your scripts for Exchange Online, please, take a look at the Exchange Online using EXO V2 module script on the following page in our repository: https://www.adaxes.com/script-repository/connect-to-exchange-with-powershell-s506.htm#exchange_online_using_exo_v2_module.

Jeff Roncone Jan 27, 2023
I am getting a strange error on this enable MFA script. We have not changed anything and the script is running as the Adaxes service account. I am getting the below execution log error. Any help would be appreciated.

Line 17 = $password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password


Cannot bind argument to parameter 'String' because it is null. Stack trace: at <ScriptBlock>, <No file>: line 17
Exception calling ".ctor" with "2" argument(s): "Cannot process argument because the value of argument "userName" is not valid. Change the value of the "userName" argument and run the operation again." Stack trace: at <ScriptBlock>, <No file>: line 18
Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application. Stack trace: at <ScriptBlock>, <No file>: line 19
You must call the Connect-MsolService cmdlet before calling any other cmdlets. Stack trace: at <ScriptBlock>, <No file>: line 26
Support Jan 30, 2023
Hello Jeff,

The scripts use the credentials of the user account specified in the Run as section (This account option) of the Run a program or PowerShell script action. The error occurs because no credentials were specified. Make sure to enter the credentials of a user that has corresponding permissions in Microsoft 365.