PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
Cédric Blomart commented
Any news on accessing mfa informations ?
Azharuddin, Sheikh commented
The inability to bulk enrol StrongAuthentication data into Azure AD MFA is driving us to look at other vendor solutions for device management.
Please come up with a solution! I'd rather simplify the tech landscape and reduce the number of vendors we deal with, but this capability gap is causing us to look elsewhere
Why is this taking to so long to release, this is a huge missing piece.
We really need an api to check this
Jeff B commented
I see some significant updates in the Azure Portal for managing MFA information. Hopefully the Graph API capability is coming soon. Any updates?
whyyyy are we waaaaaiting
"local account is based on a user name, then the email address is stored in a strong authentication detail property."
How I can store email address in strong authentication detail property while creating local user account through Graph API?. So I can get the email verification code.
Agree with comments below. Implementing StrongAuthentication management to the Graph API would be extremely useful. Thanks
Ricky D commented
Any update on this request? Original response is over a year old. It would be super helpful to understand how we can use Graph API to get/set MFA details.
Olof Ottensten commented
Would also like to add that setting/getting StrongAuthentication from Graph is a feature that would be really useful
No updates since Mar 27 2018 from the product group. How long does it take you to review this?
The ability to pre-populate SSPR mobile/email is critical to using AD SSPR for initial password creation by end users. This is in fact unlocks a perhaps unconsidered side capability of Azure AD if Product team recognises the potential here.
Any updates? It would be great to edit MFA mobiles and emails via powershell!
Jeff B commented
Having the ability to manage MFA via Graph API calls would be a big help. Any updates on availability?
Ivan Fioravanti commented
Any update? This is quite important. Thanks
Any update about this request? One of our customer waiting roll-out but want to set mobile number on behalf of end users.
Raj Pamamull commented
The "Set-MsolUser" command updates the "old" Azure MFA profiles (this MFA profile conflicts with any Azure Conditional Access MFA policies).
This new capability should work with the Azure Conditional Access MFA profiles.
Raj Pamamull commented
As part of this new development will SSPR registration get/set/read/delete abilities be developed?
Dan Smith commented
Can the status for this request be changed from "UNDER REVIEW" to "STARTED"?
The last official post (almost a year ago) stated that the MFA team was working on implementing this. This is an extremely important feature which will fill a large gap for us. Can we please get an official statement?