Script Repository

Back to List

Manage multi-factor authentication for a user in Microsoft 365

April 30, 2020
5271

The scripts can be used to enable or disable multi-factor authentication for a user in Microsoft 365 (Office 365). To execute the scripts, use the Run a program or PowerShell script action in a Custom Command, Business Rule or Scheduled Task.

The scripts can be used only in Adaxes 2018.2 and later.

For the scripts to work, you need to install Microsoft Azure Active Directory Module for Windows PowerShell on each computer where Adaxes service is running.

Script 1: Enable MFA

Edit Remove
PowerShell
Import-Module MsOnline

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have an Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365
Connect-MsolService -Credential $Context.GetOffice365Credential()

$authenticationRequirements = New-Object "Microsoft.Online.Administration.StrongAuthenticationRequirement"
$authenticationRequirements.RelyingParty = "*"
$authenticationRequirements.State = "Enabled"

# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements $authenticationRequirements

Script 2: Disable MFA

Edit Remove
PowerShell
Import-Module MsOnline

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have an Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365
Connect-MsolService -Credential $Context.GetOffice365Credential()

# Set MFA state in Microsoft 365
Set-MsolUser -ObjectId $objectId -StrongAuthenticationRequirements @()

Script 3: Reset MFA

Edit Remove
PowerShell
# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have an Microsoft 365 account.", "Warning")
    return
}

# Connect to Microsoft 365
Connect-MsolService -Credential $Context.GetOffice365Credential()

# Reset MFA
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "%userPrincipalName%"
Microsoft 365 (Office 365)
Comments ( 4 )
avatar
Txaber
October 02, 2019

Hello,

How could we make a script to know the activation status of MFA and display it on the Adaxes screen?

Thanks.

Reply
avatar
Support
October 02, 2019

Hello,

Have a look at the following script from our repository: https://www.adaxes.com/script-repository/check-multi-factor-authentication-status-for-a-user-in-office-365-s556.htm.

Reply
avatar
Paul
November 12, 2019

When I put this script in my action, I get error -
"User Not Found. User: . Stack trace: at <ScriptBlock>, <No file>: line 22"
If I then run the script from the Admin Console, it applied, but not during the user creation sequence.
The sequence also assigns an Exchange licence, and that applies correctly.

Reply
avatar
Support
November 12, 2019

Hello Paul,

As we understand, you are using the Enable MFA script. It should be executed only for users that have an account in Office 365. If you want to use the script in a Business Rule triggering After creating a user, the action executing the script should follow the Activate an Office 365 account action.

 

Reply
avatar
Paul
November 15, 2019

Thanks. I actually had a put the script to sleep at the start for 15 seconds, script was trying to enable MFA quicker than it could sync the new O365 account with Azure.

Start-Sleep -s 15
Import-Module MsOnline

# Get Office 365 Object ID
...

Reply
Leave a comment

Related Scripts