Ed McKinzie

My feedback

  1. 1,286 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    An error occurred while saving the comment
    Ed McKinzie commented  · 

    We opened a case on this and we received the following instructions that allow non-Global Admin accounts to disable\enable MFA using PowerShell as long as they are members of the Authentication and Privilege Authention RBAC roles.

    From the MS Engineer:
    "I could not find the required permissions documented and, apparently, Graph API does not support MFA configuration. However, while doing some tests, I came to the conclusion that the Authentication Admin and the Privilege Authentication Admin can enable/disable MFA via PowerShell. Please check the available documentation to enable/disable MFA using PowerShell and the MSOnline module:

    Connect-MsolService

    #Enable MFA for specific user
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)

    Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements $sta

    #Disable MFA for specific user
    Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements @()

    "

    Hope this helps others that had similar issues. There are requests in to the product group to get this feature allowed in the Azure WEB UI.

Feedback and Knowledge Base