The scripts can be used to enable or disable multi-factor authentication for a user in Microsoft 365 (Office 365). To execute the scripts, use the Run a program or PowerShell script action in a custom command, business rule or scheduled task. To connect to Microsoft 365, all the scripts use the credentials specified in the Run As section of the action settings.
For the scripts to work, you need to install Microsoft Azure Active Directory Module on each computer where Adaxes service is running.
Script 1: Enable MFA
PowerShell
# Get Microsoft 365 Object ID
try
{
$objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
$Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
return
}
# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential
$authenticationRequirements = New-Object "Microsoft.Online.Administration.StrongAuthenticationRequirement"
$authenticationRequirements.RelyingParty = "*"
$authenticationRequirements.State = "Enabled"
# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements $authenticationRequirementsScript 2: Disable MFA
PowerShell
Import-Module MsOnline
# Get Microsoft 365 Object ID
try
{
$objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
$Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
return
}
# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential
# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements @()Script 3: Reset MFA
PowerShell
# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential
# Reset MFA
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "%userPrincipalName%"
How could we make a script to know the activation status of MFA and display it on the Adaxes screen?
Thanks.
Hello,
Have a look at the following script from our repository: https://www.adaxes.com/script-repository/check-multi-factor-authentication-status-for-a-user-in-office-365-s556.htm.
"User Not Found. User: . Stack trace: at <ScriptBlock>, <No file>: line 22"
If I then run the script from the Admin Console, it applied, but not during the user creation sequence.
The sequence also assigns an Exchange licence, and that applies correctly.
Hello Paul,
As we understand, you are using the Enable MFA script. It should be executed only for users that have an account in Office 365. If you want to use the script in a Business Rule triggering After creating a user, the action executing the script should follow the Activate an Office 365 account action.
Start-Sleep -s 15
Import-Module MsOnline
# Get Office 365 Object ID
...
MSOL has been deprecated and this will stop working when Microsoft remove basic authentication. Do you have a method which works with modern authentication?
Thanks
Hello Matt,
Basic authentication will be disabled only for Exchange Online. The scripts from this article will continue working. If you need to update your scripts for Exchange Online, please, take a look at the Exchange Online using EXO V2 module script on the following page in our repository: https://www.adaxes.com/script-repository/connect-to-exchange-with-powershell-s506.htm#exchange_online_using_exo_v2_module.