PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
Nik Mehta commented
Fully support - there is very high demand for this feature.
Any update? I don't mind using the MSOL module if there is a way to pass client credentials. At the moment, authentication has to be interactive.
Dan Smith commented
Hello Everyone (and Microsoft),
I was the one who originally posted this back in 2018...
We've since given up and have deployed Duo across our enterprise - https://www.duo.com
Duo has been extremely flexible, it is reasonably priced and has excellent support. I encourage everyone to ditch Microsoft Azure MFA and adopt a different product.
Mills, Jordan (US) commented
I like how they aren't even bothering to answer it.
Case was open 2 years ago... Still Waiting...
Justin Horne commented
What's worse is that even reading this data requires the now-deprecated MSOnline module.
For example: Get-MsolUser -EnabledFilter EnabledOnly -All | Select UserPrincipalName, DisplayName, MobilePhone, AlternateEmailAddresses, AlternateMobilePhones -ExpandProperty StrongAuthenticationUserDetails
There is STILL no way to access StrongAuthenticationUserDetails via the newer AzureAD module via Get-AzureADuser.
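An added example, not part of any comment in this thread and not Microsoft's code: a per-user MFA coverage report built on the object shape that Get-MsolUser returns. The function name Get-MfaSummary, the output column names, and the sample users are assumptions constructed for illustration. The report records only whether an MFA phone number exists, never the number itself.

```powershell
# Added example. Summarizes MFA state from MSOnline-shaped user objects.
function Get-MfaSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Per-user MFA state is held in StrongAuthenticationRequirements;
        # an empty collection means per-user MFA is not turned on.
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $state   = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }

        # Registered methods; the one flagged IsDefault is used at sign-in.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object IsDefault | Select-Object -First 1).MethodType

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = $default
            MethodCount       = $methods.Count
            # Boolean only: the report never carries the phone number.
            HasMfaPhone       = [bool]$User.StrongAuthenticationUserDetails.PhoneNumber
            NeedsReview       = ($state -eq 'Disabled') -or ($methods.Count -eq 0)
        }
    }
}

# Constructed sample objects mimicking Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ IsDefault = $true;  MethodType = 'PhoneAppNotification' },
            [pscustomobject]@{ IsDefault = $false; MethodType = 'OneWaySMS' })
        StrongAuthenticationUserDetails  = [pscustomobject]@{ PhoneNumber = '+1 5550100' }
    },
    [pscustomobject]@{
        UserPrincipalName                = 'bob@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
        StrongAuthenticationUserDetails  = $null
    }
)
$sample | Get-MfaSummary | Format-Table -AutoSize

# Live tenant (needs the MSOnline module and Connect-MsolService first):
# Get-MsolUser -EnabledFilter EnabledOnly -All | Get-MfaSummary
```

Rows with NeedsReview set are accounts with per-user MFA off or with no registered method.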
Ron Houet commented
Come on Microsoft, please add this possibility ASAP. Provisioning Phone and Alternate e-mail can't be used: every user can read this info, which isn't allowed under GDPR (AVG in the Netherlands).
Andy Sutton commented
It's ridiculous that this has been under review for almost two years without any updates from the product team.
Tyler a Nadolski commented
Landon Roberts commented
Still waiting on an update
When when when?
Kalin Kutsarov commented
Any updates on this?
So, Partners (CSP) must enforce MFA - but no MFA support for using the PS modules...??!
Left hand... meet right hand. You work for the same org!
Any update on this?
Disappointing when msonline module keeps telling me it's deprecated.
Surely it's less work to maintain one module than two.
Get the missing functionality into AzureAD and only then can you retire msonline.
Any update on this? We want access to MFA to be more programmable.
Please add a way for us to update StrongAuthenticationUserDetails PhoneNumber via PowerShell. It will solve a LOT of problems for our university. The biggest one is that upper administration doesn't want phone numbers showing up in the Directory, so populating mobile phone is not an option. StrongAuthenticationUserDetails solves this problem. PLEASE ADD functionality soon! Thanks.
Ivan Fioravanti commented
Any news on this one?