PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:
So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).
The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.
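The pre-registration the response describes (a phone number set through the API that the user can then use for MFA and SSPR), shown as an added example that is not part of Microsoft's response or the original thread. The endpoint, payload fields and permission name come from the Microsoft Graph phone authentication method API rather than from this page. The function name, the `$token` placeholder and the CSV rows are assumptions constructed for illustration.

```powershell
# Added example: pre-register a phone number as an authentication method
# through Microsoft Graph. The token is assumed to be acquired separately and
# to carry the UserAuthenticationMethod.ReadWrite.All permission.
function Add-UserMfaPhone {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$PhoneNumber,
        [Parameter(Mandatory)][string]$AccessToken,
        [ValidateSet('mobile', 'alternateMobile', 'office')]
        [string]$PhoneType = 'mobile'
    )
    # Graph expects "+<country code> <number>"; reject bad data before sending it.
    if ($PhoneNumber -notmatch '^\+\d{1,3} \d{4,14}$') {
        throw "Skipping ${UserPrincipalName}: '$PhoneNumber' is not '+<country code> <number>'."
    }
    $user = [uri]::EscapeDataString($UserPrincipalName)
    $uri  = "https://graph.microsoft.com/v1.0/users/$user/authentication/phoneMethods"
    $body = @{ phoneNumber = $PhoneNumber; phoneType = $PhoneType } | ConvertTo-Json
    # -WhatIf reports the intended change without calling Graph.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Register $PhoneType phone method")) {
        Invoke-RestMethod -Method Post -Uri $uri -Body $body `
            -ContentType 'application/json' `
            -Headers @{ Authorization = "Bearer $AccessToken" }
    }
}

# Constructed sample input: in practice this would come from the HR or
# on-premises system that already holds the numbers.
$rows = @'
UserPrincipalName,Phone
alice@contoso.example,+1 2065550100
bob@contoso.example,555-0101
'@ | ConvertFrom-Csv

$token = '<access-token>'            # placeholder, not a real token
foreach ($row in $rows) {
    try {
        Add-UserMfaPhone -UserPrincipalName $row.UserPrincipalName `
            -PhoneNumber $row.Phone -AccessToken $token -WhatIf
    } catch {
        Write-Warning $_.Exception.Message   # bob's row is rejected here
    }
}
```

Because the numbers go straight into the authentication method rather than a directory attribute, this flow does not require publishing them where other users can read them. Remove `-WhatIf` only after reviewing the dry-run output.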
Kory Olson commented
Since the MSOL module doesn't support passing a Username when using MFA to sign in, it is impossible to automate. A user has to put in their username in the popup. AzureAD v2 module supports username and can be automated but you can't use this module to get/set MFA settings on the user account. Now that the MSOnline module is deprecated, it is a must to get this into the v2 module to stay supported.
Brent Durksen commented
This is a must for automating new user creation with PowerShell
Olof Ottensten commented
Would also like to add that setting/getting StrongAuthentication from Graph is a feature that would be really useful
No updates since Mar 27 2018 from the product group. How long does it take you to review this?
The ability to pre-populate SSPR/MFA mobile/email is critical to using AD SSPR for initial password creation by end users. This in fact unlocks a perhaps unconsidered side capability of Azure AD, if the Product team recognises the potential here.
The ability to pre-populate SSPR mobile/email is critical to using AD SSPR for initial password creation by end users. This in fact unlocks a perhaps unconsidered side capability of Azure AD, if the Product team recognises the potential here.
Without this the module is useless to be honest.
Ross Currie commented
Am currently working with a client who is facing a similar situation to some of the others here - need to set the Authentication Email and Authentication Phone attributes using data that has to be hidden from other members of the organisation.
The fact that you can't pre-register these fields is somewhat mind-boggling, since MIM SSPR provided this capability out of the box.
Any updates? It would be great to edit MFA mobiles and emails via PowerShell!
Tim McLaughlin commented
Oh yes, please. We're looking to do this for all of our users going forward, and not being able to do so in automation will be... well, not doable.
I'd like to see some traction on this. We want to pre-populate the "StrongAuthenticationUserDetails" via PowerShell to relieve users of having to validate the phone number. We already have their phone number in local systems. We can edit these fields via the Azure GUI/portal, so why can't the permissions be set so we can do the same via PowerShell?
Any update on when this feature (set StrongAuthenticationUserDetails) will be made available?
We too need this feature to roll out SSPR.
Jeff B commented
Having the ability to manage MFA via Graph API calls would be a big help. Any updates on availability?
Ivan Fioravanti commented
Any update? This is quite important. Thanks
Carmine Punella commented
Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).
Any update about this request? One of our customers is waiting to roll out but wants to set mobile numbers on behalf of end users.
We are interested in this feature as we do not want users to be able to view other users' mobile numbers, which is currently the only way to bulk upload contacts from extended AD attributes to Azure.
Raj Pamamull commented
The "Set-MsolUser" command updates the "old" Azure MFA profiles (this MFA profile conflicts with any Azure Conditional Access MFA policies).
This new capability should work with the Azure Conditional Access MFA profiles.
Raj Pamamull commented
As part of this new development will SSPR registration get/set/read/delete abilities be developed?