PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
Agree with comments below. Implementing StrongAuthentication management to the Graph API would be extremely useful. Thanks
Ricky D commented
Any update on this request? Original response is over a year old. It would be super helpful to understand how we can use Graph API to get/set MFA details.
Olof Ottensten commented
Would also like to add that setting/getting StrongAuthentication from Graph is a feature that would be really useful
No updates since Mar 27 2018 from the product group. How long does it take you to review this?
The ability to pre-populate SSPR mobile/email is critical to using AD SSPR for initial password creation by end users. This is in fact unlocks a perhaps unconsidered side capability of Azure AD if Product team recognises the potential here.
Any updates? It would be great to edit MFA mobiles and emails via powershell!
Jeff B commented
Having the ability to manage MFA via Graph API calls would be a big help. Any updates on availability?
Ivan CoreView commented
Any update? This is quite important. Thanks
Any update about this request? One of our customer waiting roll-out but want to set mobile number on behalf of end users.
Raj Pamamull commented
The "Set-MsolUser" command updates the "old" Azure MFA profiles (this MFA profile conflicts with any Azure Conditional Access MFA policies).
This new capability should work with the Azure Conditional Access MFA profiles.
Raj Pamamull commented
As part of this new development will SSPR registration get/set/read/delete abilities be developed?
Can the status for this request be changed from "UNDER REVIEW" to "STARTED"?
The last official post (almost a year ago) stated that the MFA team was working on implementing this. This is an extremely important feature which will fill a large gap for us. Can we please get an official statement?
...in conjunction with being able to delegate user MFA config changes to a role other than Global Administrator.
Okay, this is our 1st check-in for 2019 on this request. Does Microsoft have any information about when this feature will be ready for use?
Jeremy Brun commented
Is there any further updates on this? The lack of support for retrieving MFA data in either the Graph API or the AzureAD PowerShell module is a big shortcoming. As Microsoft encourages us to use these newer endpoints for everything else it becomes difficult to support a mixed environment when we need to have access to the MFA data still. Also we are experiencing intermittent and anomalous failures when trying to use the deprecated MSOnline PowerShell module.
Hello, is there any update on this feature?
This is a major gap in functionality which is critically needed.
Prasanna B J commented
Is there any progress on this feature. Azure AD Team, kindly share timeline for this.
Really need this feature
Andrew Cameron commented
Very much needed, please prioritize
Tim Williams commented
Please inform your customers when this functionality will be available.... this functionality is crucial