Set-AdfsAzureMfaTenant
Enables an AD FS farm to use MFA.
Syntax
Set-AdfsAzureMfaTenant
-TenantId <String>
-ClientId <String>
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Set-AdfsAzureMfaTenant cmdlet enables an Active Directory Federation Services (AD FS) farm to use Azure Multi-Factor Authentication (MFA) after a certificate has been created and registered in the Microsoft Entra tenant.
Examples
Example 1: Enable Azure MFA
# Create (or return the existing) tenant certificate for Azure MFA on this AD FS farm.
PS C:\> $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
# Register the certificate as a verification key on the well-known Azure MFA service principal.
PS C:\> New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
# Enable Azure MFA on the farm using the tenant ID and the Azure MFA client ID.
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
This command creates a certificate for Azure MFA, registers it in the tenant, and enables Azure MFA on the AD FS farm.
Example 2: Determine which certificate Azure MFA is using
# Without -Renew, this returns the certificate the farm already holds for the tenant.
$CertInBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
# Decode the Base64 string into an X509Certificate2 object to inspect Subject, Thumbprint and NotAfter.
[Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($CertInBase64))
After AD FS has been configured for Azure MFA, this command determines which certificate Azure MFA is using and when it expires.
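The two examples above can be combined into a routine health check. The script below is an added example, not part of the cmdlet reference: it decodes the certificate AD FS currently holds for the tenant, warns when it is within a configurable number of days of expiry, and confirms that the same certificate (by thumbprint) is registered as a verification key on the Azure MFA service principal. It assumes the AD FS and MSOnline modules are loaded, that Connect-MsolService has already been run, and that $TenantId is your tenant GUID.

```powershell
# Added example (not from the cmdlet reference). Assumes the AD FS and MSOnline
# modules are available and Connect-MsolService has already been run.
param(
    [Parameter(Mandatory)] [string] $TenantId,   # your Microsoft Entra tenant GUID
    [int] $WarnDays = 60                         # warn when fewer days than this remain
)

# Well-known application ID of the Azure MFA service, as used on this page.
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'

# Without -Renew this returns the certificate AD FS currently holds for the tenant.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [System.Convert]::FromBase64String($certBase64))

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host ("AD FS Azure MFA certificate {0} expires {1:yyyy-MM-dd} ({2} days left)" -f
    $cert.Thumbprint, $cert.NotAfter, $daysLeft)

if ($daysLeft -le $WarnDays) {
    # Renewal is a new certificate, so it must be registered in the tenant again
    # with New-MsolServicePrincipalCredential before the old one expires.
    Write-Warning "Renew soon: New-AdfsAzureMfaTenantCertificate -TenantId $TenantId -Renew `$true, then register the new value with New-MsolServicePrincipalCredential."
}

# Fetch the asymmetric verification keys registered on the Azure MFA service principal.
$registered = Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -ReturnKeyValues $true |
    Where-Object { $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' -and $_.Value }

# A key matches when the registered certificate has the same thumbprint as the local one.
$match = $registered | Where-Object {
    $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [System.Convert]::FromBase64String($_.Value))
    $remote.Thumbprint -eq $cert.Thumbprint
}

if ($match) {
    Write-Host "Certificate is registered in the tenant (KeyId $($match.KeyId), valid until $($match.EndDate))."
} else {
    Write-Warning "Local certificate is NOT registered on the Azure MFA service principal; Azure MFA requests from this farm will fail."
}
```

Run it from an elevated PowerShell session on an AD FS server; a thumbprint mismatch usually means the certificate was renewed locally but the new value was never registered in the tenant.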
Parameters
-ClientId
Specifies the well-known ID of the Azure MFA application in Microsoft Entra ID.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TenantId
Specifies the GUID representation of a Microsoft Entra tenant ID. This can be found in the URL bar of the Microsoft Entra admin center, as in this example:
https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart
You can also use the Login-AzureRmAccount cmdlet that is part of the Azure PowerShell module to get the tenant ID.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False