How can we improve Azure Active Directory?

PowerShell and Graph API support for managing Multi-Factor Authentication

Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.

The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.

Please fix this, or provide an update as to when it will be fixed.

264 votes

paul shared this idea
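An added example, not part of the original post and not Microsoft's code: a read-only report that classifies per-user MFA state from the StrongAuthentication properties on objects returned by the MSOnline module's Get-MsolUser. The helper name `Get-MfaStateReport` and the sample users are constructed for illustration.

```powershell
# Added example: classify per-user MFA state from Get-MsolUser-shaped objects.
# Get-MfaStateReport is a hypothetical helper name, not an MSOnline cmdlet.
function Get-MfaStateReport {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # An empty StrongAuthenticationRequirements collection means per-user MFA is off.
        $req   = @($User.StrongAuthenticationRequirements) | Select-Object -First 1
        $state = if ($req) { $req.State } else { 'Disabled' }
        # The default registered method, if the user has completed registration.
        $default = @($User.StrongAuthenticationMethods) |
            Where-Object { $_.IsDefault } |
            Select-Object -First 1 -ExpandProperty MethodType
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
            DefaultMethod     = $default
            # MFA required but no method registered yet.
            NeedsRegistration = ($state -ne 'Disabled' -and -not $default)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'admin@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false })
    },
    [pscustomobject]@{
        UserPrincipalName                = 'newhire@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' })
        StrongAuthenticationMethods      = @()
    },
    # Per-user MFA off but a method registered (e.g. MFA required by Conditional Access instead).
    [pscustomobject]@{
        UserPrincipalName                = 'ca-only@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true })
    }
)
$sample | Get-MfaStateReport | Format-Table -AutoSize
# Against a tenant (after Connect-MsolService): Get-MsolUser -All | Get-MfaStateReport
```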


  • Anonymous commented

    Agree with comments below. Implementing StrongAuthentication management to the Graph API would be extremely useful. Thanks

  • Ricky D commented

    Any update on this request? Original response is over a year old. It would be super helpful to understand how we can use Graph API to get/set MFA details.

  • Olof Ottensten commented

    Would also like to add that setting/getting StrongAuthentication from Graph is a feature that would be really useful

  • Patriek commented

    No updates since Mar 27 2018 from the product group. How long does it take you to review this?

  • Sam commented

    The ability to pre-populate SSPR mobile/email is critical to using AD SSPR for initial password creation by end users. This in fact unlocks a perhaps unconsidered side capability of Azure AD if the Product team recognises the potential here.

  • Anonymous commented

    Any updates? It would be great to edit MFA mobiles and emails via PowerShell!

  • Jeff B commented

    Having the ability to manage MFA via Graph API calls would be a big help. Any updates on availability?

  • Anonymous commented

    Any update about this request? One of our customers is waiting on roll-out but wants to set the mobile number on behalf of end users.

  • Raj Pamamull commented

    The "Set-MsolUser" command updates the "old" Azure MFA profiles (this MFA profile conflicts with any Azure Conditional Access MFA policies).

    This new capability should work with the Azure Conditional Access MFA profiles.

  • Raj Pamamull commented

    As part of this new development will SSPR registration get/set/read/delete abilities be developed?

  • Dan Smith commented

    Can the status for this request be changed from "UNDER REVIEW" to "STARTED"?

    The last official post (almost a year ago) stated that the MFA team was working on implementing this. This is an extremely important feature which will fill a large gap for us. Can we please get an official statement?

    Thank you.

  • Anonymous commented

    conjunction with being able to delegate user MFA config changes to a role other than Global Administrator.

  • Dan Smith commented

    Okay, this is our 1st check-in for 2019 on this request. Does Microsoft have any information about when this feature will be ready for use?

  • Jeremy Brun commented

    Are there any further updates on this? The lack of support for retrieving MFA data in either the Graph API or the AzureAD PowerShell module is a big shortcoming. As Microsoft encourages us to use these newer endpoints for everything else it becomes difficult to support a mixed environment when we need to have access to the MFA data still. Also we are experiencing intermittent and anomalous failures when trying to use the deprecated MSOnline PowerShell module.

  • Dan Smith commented

    Hello, is there any update on this feature?
    This is a major gap in functionality which is critically needed.

  • Tim Williams commented

    Please inform your customers when this functionality will be available.... this functionality is crucial
