Hello,
Below a script that can help you achieve what you want. It can be improved for example to search only a specific OU if your Azure AD Connect is only synchronizing specific OUs :
function Set-MfaState {
[CmdletBinding()]
param(
[Parameter(ValueFromPipelineByPropertyName=$True)]
$ObjectId,
[Parameter(ValueFromPipelineByPropertyName=$True)]
$UserPrincipalName,
[ValidateSet("Disabled", "Enabled", "Enforced")]
$State
)
Process {
Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
$Requirements = @()
if($State -ne "Disabled") {
$Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
$Requirement.RelyingParty = "*"
$Requirement.State = $State
$Requirements += $Requirement
}
Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $Requirements
}
}
$ADUsers = Get-ADUser -Filter * -Properties WhenCreated | Where-Object {$_.WhenCreated -gt ([DateTime]::Today)}
if ($ADUsers -ne $null) {
Connect-MsolService
foreach($ADUser in $ADUsers) {
$AzureADUser = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName
if($AzureADUser -ne $null) {
Set-MfaState -ObjectId $AzureADUser.ObjectId -UserPrincipalName $AzureADUser.UserPrincipalName -State Enabled
}
}
}
You will need the MSOnline module and the Active Directory Module
Regards,