PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD with MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:
So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).
The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.
Niklas Jumlin commented
Here's my solution, using delegated permissions with a ROPC-flow
Hobbs, Adam F commented
I have successfully managed to get this to work for our tenant. However, as Application permissions are not supported and only Delegated ones are, the only way to do this without interaction is with an ROPC flow, which is not recommended by MS.
Will application permissions be supported in the future?
Brandon Richards commented
I'm guessing this is only for AAD proper and AAD B2C has been left in the dust again, right?
Tony French commented
When will it be possible to list users with MFA Enabled/Enforced/Disabled with this Graph API?
I can list every other setting around MFA with this API, but not whether it's actually enabled or disabled for a particular user.
Samuel Mitchell commented
Finally. I can confirm that this works in my tenants. A POST to /authentication/phoneMethods/ with the supplied phone number will create a phone method id and essentially proof up the user for MFA/SSPR/Combined Registration without them having to do anything. This will save a lot of companies a lot of user pain when migrating away from on-premises MFA Server.
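The provisioning flow described in Microsoft's response above and confirmed in the comment above, as an added example (this is not code from the thread or from Microsoft): a PowerShell script that reads a user's registered phone methods, creates the mobile method with a POST if it is missing, replaces the number with a PUT on the existing method id if it changed, and reads it back. It assumes you already hold a Microsoft Graph bearer token that carries the delegated UserAuthenticationMethod.ReadWrite.All permission (however your tenant lets you obtain it; token acquisition is deliberately left out), and the user, number and output fields are placeholders.

```powershell
# Added example, not code from the thread. Assumes $AccessToken is a Graph token with
# delegated UserAuthenticationMethod.ReadWrite.All; user and phone number are placeholders.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $PhoneNumber,   # Graph format: '+<country code> <number>', e.g. '+1 2065550100'
    [ValidateSet('mobile', 'alternateMobile', 'office')]
    [string] $PhoneType = 'mobile'
)

$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
$methods = "$graph/users/$([uri]::EscapeDataString($UserPrincipalName))/authentication/phoneMethods"

function Invoke-Graph {
    param([string] $Method, [string] $Uri, [hashtable] $Body)
    $params = @{ Method = $Method; Uri = $Uri; Headers = $headers; ErrorAction = 'Stop' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Compress) }
    try {
        Invoke-RestMethod @params
    }
    catch {
        # HTTP 403 here almost always means the token lacks UserAuthenticationMethod.ReadWrite.All
        # or was issued under application rather than delegated permissions.
        $status = $_.Exception.Response.StatusCode.value__
        throw "Graph $Method $Uri failed with HTTP $status : $($_.ErrorDetails.Message)"
    }
}

# 1. Read what is already registered so the script can be re-run safely (e.g. from an HR feed).
$existing = (Invoke-Graph -Method GET -Uri $methods).value |
    Where-Object { $_.phoneType -eq $PhoneType } | Select-Object -First 1

$body = @{ phoneNumber = $PhoneNumber; phoneType = $PhoneType }

if (-not $existing) {
    # 2a. Nothing registered for this type: POST creates the method and proofs the user up for MFA/SSPR.
    $result = Invoke-Graph -Method POST -Uri $methods -Body $body
    Write-Host "Registered $PhoneType number for $UserPrincipalName (method id $($result.id))"
}
elseif ($existing.phoneNumber -ne $PhoneNumber) {
    # 2b. Number changed: PUT replaces it on the existing method id rather than creating a duplicate.
    $result = Invoke-Graph -Method PUT -Uri "$methods/$($existing.id)" -Body $body
    Write-Host "Updated $PhoneType number for $UserPrincipalName"
}
else {
    $result = $existing
    Write-Host "$PhoneType number for $UserPrincipalName is already current; nothing to do"
}

# 3. Read back the method as Graph stores it; smsSignInState shows whether SMS sign-in is on for it.
Invoke-Graph -Method GET -Uri "$methods/$($result.id)" |
    Select-Object id, phoneType, phoneNumber, smsSignInState
```

Run it as a script, e.g. `.\Set-MfaPhone.ps1 -AccessToken $token -UserPrincipalName jdoe@contoso.example -PhoneNumber '+1 2065550100'`. Graph normalizes the stored number, so pass it in the same '+CC number' form the API returns or the comparison in step 2b will trigger a harmless extra PUT. Because only delegated permissions are available for this API at the time of the thread, the token must be issued to a signed-in user, which is the constraint the ROPC discussion above is about.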
Andreas Dengg commented
I just wanted to try the new API call, but I can't find the required permissions (e.g. for Get passwordAuthenticationMethod).
Is it already active on all tenants?
We are currently using the on-prem MFA Server because it lets us use fully automated workflows for syncing MFA details for the user. E.g. when a new employee is hired, the phone number for the OTP is automatically set and MFA works right out of the box. Same for changed phone number details. Switching to Azure MFA would be a step back, as the user would have to register their MFA details manually. This is not modern at all. Please make the MFA attributes readable and writable programmatically.
Jack Gross commented
While the world is on lockdown and all the developers are looking for something to do - how about fixing this.
The fact that there are multiple PS cmdlets needed to administer an Azure AD/Office 365 user, i.e. *-MsolUser, *-AzADUser ..., is beyond my understanding.
How about getting this fixed!!
Absolutely astounded this hasn't yet been included.
Need help to update Logout screen customization
This should not have been merged with "Provision strong authentication details with Powershell." It is not the same request.
Ron Houet commented
With what wisdom has Microsoft merged a 4 year old idea with this one?
Of course it's also a feasible feature to have MFA with PowerShell.
But that was not the original idea: Provision strong authentication details with PowerShell.
The MSOnline module has the ability to read them, and you can set them per user in the GUI, but we want to provision StrongAuthenticationDetails with PowerShell for thousands of users!
And setting mobile phones for SSPR is not an option with GDPR; this field is visible to every other user.
Make it possible to write StrongAuthentication details with PowerShell ASAP, please!!
Nik Mehta commented
fully support - there is very high demand for this feature
any update? I don't mind using the MSOL module if there is a way to pass client credentials. At the moment, authentication has to be interactive.
Dan Smith commented
Hello Everyone (and Microsoft),
I was the one who originally posted this back in 2018...
We've since given up and have deployed Duo across our enterprise - https://www.duo.com
Duo has been extremely flexible, it is reasonably priced and has excellent support. I encourage everyone to ditch Microsoft Azure MFA and adopt a different product.
Mills, Jordan (US) commented
Four years later... lol.
Mills, Jordan (US) commented
I like how they aren't even bothering to answer it.
Case was open 2 years ago... Still Waiting...
Justin Horne commented
What's worse is that even reading this data requires the now-deprecated MSOnline module.
For example: Get-MsolUser -EnabledFilter EnabledOnly -All | Select UserPrincipalName, DisplayName, MobilePhone, AlternateEmailAddresses, AlternateMobilePhones -ExpandProperty StrongAuthenticationUserDetails
There is STILL no way to access StrongAuthenticationUserDetails via the newer AzureAD module's Get-AzureADUser.
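An added example (not code from the thread) of the read-only side the comment above and the earlier question about Enabled/Enforced/Disabled are pointing at: an inventory script that uses the MSOnline cmdlets, which is the only place the StrongAuthentication* data is exposed, to report each enabled user's per-user MFA state, registered methods, default method and registered MFA phone/email beside the ordinary directory MobilePhone field. It assumes the MSOnline module is installed and Connect-MsolService has already been run (interactively, as the thread notes), and the output path is a placeholder.

```powershell
# Added example, not code from the thread. Assumes Connect-MsolService has already succeeded.
param([string] $OutputCsv = '.\mfa-inventory.csv')

function Get-PerUserMfaState {
    param($User)
    # StrongAuthenticationRequirements is empty when per-user MFA is Disabled; otherwise its
    # State is 'Enabled' (user not yet registered) or 'Enforced' (registration completed/required).
    $req = @($User.StrongAuthenticationRequirements)
    if ($req.Count -eq 0) { return 'Disabled' }
    return $req[0].State.ToString()
}

$report = Get-MsolUser -EnabledFilter EnabledOnly -All | ForEach-Object {
    $details = $_.StrongAuthenticationUserDetails      # phone/email the user registered for MFA/SSPR
    $methods = @($_.StrongAuthenticationMethods)       # e.g. OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DisplayName       = $_.DisplayName
        PerUserMfaState   = Get-PerUserMfaState -User $_
        RegisteredMethods = ($methods.MethodType -join ';')
        DefaultMethod     = $(if ($default) { $default.MethodType } else { '' })
        MfaPhone          = $details.PhoneNumber
        MfaAltPhone       = $details.AlternativePhoneNumber
        MfaEmail          = $details.Email
        DirectoryMobile   = $_.MobilePhone              # profile attribute, not an MFA registration
    }
}

# Full detail to CSV for the helpdesk/migration team, plus a quick state breakdown on the console.
$report | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
$report | Group-Object PerUserMfaState | Select-Object Name, Count
```

A user showing 'Enabled' with an empty RegisteredMethods column is the case the migration comments above worry about: per-user MFA is switched on but nothing is proofed up, so the next sign-in will prompt for registration. Keep in mind the CSV contains phone numbers and e-mail addresses and should be handled like any other personal data export.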