PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD with MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
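As an added illustration of the MSOnline cmdlets the request refers to (this is example code, not part of the original post), the script below reads the StrongAuthentication properties that Get-MsolUser does expose, reports which users have per-user MFA disabled or no method registered, and enables MFA for the disabled ones. It assumes the MSOnline module is installed and that Connect-MsolService has already been run in the session; the report column names are the example's own.

```powershell
# Added example: audit per-user MFA state with the MSOnline module, then enable it where missing.
# Assumes the MSOnline module is installed and the session is already connected (Connect-MsolService).
Import-Module MSOnline

# Properties on the Msol user object:
#   StrongAuthenticationRequirements - per-user MFA state (Enabled/Enforced); empty means Disabled
#   StrongAuthenticationMethods      - registered methods; IsDefault marks the default one
#   StrongAuthenticationUserDetails  - registered contact details (PhoneNumber, AlternativePhoneNumber, Email)

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    if ($User.StrongAuthenticationRequirements.Count -gt 0) {
        return $User.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
    }
    return 'Disabled'
}

# One row per user; the report column names are this example's own choice
$report = Get-MsolUser -All | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-MfaState $_
        MethodCount       = $_.StrongAuthenticationMethods.Count
        DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
        AuthPhone         = $_.StrongAuthenticationUserDetails.PhoneNumber
    }
}

# Accounts worth reviewing: MFA off, or MFA on but nothing registered yet
$report | Where-Object { $_.MfaState -eq 'Disabled' -or $_.MethodCount -eq 0 } | Format-Table -AutoSize

# Enable per-user MFA for every user that has it disabled. Set-MsolUser takes an array of
# StrongAuthenticationRequirement objects; passing an empty array (@()) would disable it again.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'

$report | Where-Object { $_.MfaState -eq 'Disabled' } | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
}
```

Note that the cmdlets can read and set the MFA requirement and read the registered phone, but the contact details (StrongAuthenticationUserDetails) remain read-only here, which is exactly the gap the request describes.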
We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:
So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).
The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.
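As an added example of the phone-number authentication method API announced in the reply above (example code, not Microsoft's own sample), the function below reads a user's registered phone methods through Microsoft Graph and creates or updates the mobile entry so that it matches a number held in the organisation's directory, which is the bulk sync scenario several commenters ask for. It assumes $accessToken already holds a bearer token granted the UserAuthenticationMethod.ReadWrite.All permission (obtaining it is outside this example), uses the beta endpoint because the reply describes a preview, and reads its input from a CSV whose UserPrincipalName and AuthPhone columns are constructed for this example.

```powershell
# Added example: create or update a user's mobile authentication phone via Microsoft Graph.
# Assumes $accessToken is a valid bearer token with UserAuthenticationMethod.ReadWrite.All.
$graph   = 'https://graph.microsoft.com/beta'   # preview endpoint, as described in the reply above
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

function Set-UserMobileAuthPhone {
    param(
        [Parameter(Mandatory)][string] $UserPrincipalName,
        # Graph expects "+<country code> <number>", e.g. "+1 2065550100"
        [Parameter(Mandatory)][string] $PhoneNumber
    )
    $uri = "$graph/users/$UserPrincipalName/authentication/phoneMethods"

    # Existing phone methods for the user; there is at most one 'mobile' entry
    $existing = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value |
        Where-Object phoneType -eq 'mobile'

    $body = @{ phoneNumber = $PhoneNumber; phoneType = 'mobile' } | ConvertTo-Json

    if ($existing) {
        if ($existing.phoneNumber -eq $PhoneNumber) { return 'unchanged' }
        Invoke-RestMethod -Method Patch -Uri "$uri/$($existing.id)" -Headers $headers -Body $body | Out-Null
        return 'updated'
    }
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body | Out-Null
    return 'created'
}

# Bulk use: numbers exported from the on-premises directory into a CSV with
# UserPrincipalName and AuthPhone columns (constructed layout for this example).
Import-Csv .\authphones.csv | ForEach-Object {
    $result = Set-UserMobileAuthPhone -UserPrincipalName $_.UserPrincipalName -PhoneNumber $_.AuthPhone
    '{0}: {1}' -f $_.UserPrincipalName, $result
}
```

Checking the existing method before writing keeps the run idempotent, so it can be scheduled safely after each directory sync, and the returned created/updated/unchanged status gives an audit trail of which users' authentication contact details were actually touched.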
Any ETA on this feature? I can create the object in PowerShell but I'm unable to write/apply it to the Azure user.
Because of GDPR we have users' phone numbers in AD in an extendedAttribute. We would like to sync these numbers to the authenticationPhone attribute but that cannot be done. This is something we need to start using SSPR.
Can the status for this request be changed from "UNDER REVIEW" to "STARTED"?
The last official post (almost a year ago) stated that the MFA team was working on implementing this. This is an extremely important feature which will fill a large gap for us. Can we please get an official statement?
...in conjunction with being able to delegate user MFA config changes to a role other than Global Administrator.
Okay, this is our 1st check-in for 2019 on this request. Does Microsoft have any information about when this feature will be ready for use?
This is something we need in order to start using SSPR. We have the users' phone numbers in AD in a hidden attribute (because some numbers may not be shown to other users). We would like to sync these numbers to the authenticationPhone attribute, but as that cannot be done we will need to deploy an alternative product for SSPR that has this capability.
Just hit this issue too. We need to set PhoneNumber in StrongAuthenticationUserDetails to automate MFA deployment in our scenario; mobile phone and office phone may not always be the correct choice.
jyoti prasad commented
Please make this feature available soon, as there are many users requesting to update the contact details for a batch of users.
Patiently waiting for this
This is a feature that will significantly improve our adoption of MFA. Please expose a way to do this ASAP. We are waiting very patiently...
Jeremy Brun commented
Are there any further updates on this? The lack of support for retrieving MFA data in either the Graph API or the AzureAD PowerShell module is a big shortcoming. As Microsoft encourages us to use these newer endpoints for everything else, it becomes difficult to support a mixed environment when we still need to have access to the MFA data. Also, we are experiencing intermittent and anomalous failures when trying to use the deprecated MSOnline PowerShell module.
Cha Yang commented
I strongly support this for our company.
Chris Zenzano commented
From a helpdesk perspective, we really require the ability to modify the authentication phone # or set and enable an alternate authentication phone in the event a customer has lost or is having issues with their mobile device.
We have over 200 000 users in our tenant, and we need to clear all "StrongAuthenticationUserDetails".
Hello, is there any update on this feature?
This is a major gap in functionality which is critically needed.
Prasanna B J commented
Is there any progress on this feature? Azure AD Team, kindly share a timeline for this.
Patrik Lundberg commented
The current onboarding mechanism in O365/Azure AD requires that the users onboard themselves. They can choose the MFA method and telephone number themselves.
We strongly suggest a new method of automated onboarding for end users. We would like to map the telephone number from the organization AD and choose one of the MFA methods as preferred. We would also like to have an option to turn on/off the possibility for end users to change their MFA profile (MFA method and telephone number).
The benefit for all customers will be that the CA/MFA solution will be more secure, since no onboarding for users can be done outside of the organization. It is no longer needed to onboard users manually, and it is not possible to change users' MFA profile without having access to the correct telephone number (if allowed at all).
Please vote for this. It will increase the security of MFA a lot and raise the possibility to use sensitive information in Office 365.
We need PowerShell / the AD Sync engine to populate info directly into this attribute: StrongAuthenticationUserD
We really require the ability to modify the phone number under authentication contact information for on-premises synced users in a bulk fashion, not just via the GUI. Can't believe this has been released without these capabilities.
Really need this feature
Andrew Cameron commented
Very much needed, please prioritize