powershell to enforce MFA for new users

Eaven HUANG 2,166 Reputation points
2022-02-17T03:12:34.963+00:00

Dear Experts,

I was looking for a PowerShell script that we can run to enforce MFA for those users who were created in recent hours, maybe within 24 hours?
We don't want to enforce MFA for all existing users, but it needs to be applied to the new users who are coming.

We are using the AAD free version, in a hybrid environment where users are synchronized from our on-premises AD.
My idea was to use Task Scheduler to run this PowerShell script, so every day it enforces MFA for those users that were created within this day.

Any advice would be really appreciated.


3 answers

  1. Clément BETACORNE 2,266 Reputation points
    2022-02-17T15:57:19.927+00:00

    Hello,

    Below is a script that can help you achieve what you want. It can be improved, for example to search only a specific OU if your Azure AD Connect is only synchronizing specific OUs:

    #Requires -Modules ActiveDirectory, MSOnline
    function Set-MfaState {
        # Sets the per-user MFA state (Disabled / Enabled / Enforced) on an Azure AD user through the MSOnline module.
        [CmdletBinding()]
        param(
            [Parameter(Mandatory, ValueFromPipelineByPropertyName=$True)]
            $ObjectId,
            [Parameter(ValueFromPipelineByPropertyName=$True)]
            $UserPrincipalName,
            [ValidateSet("Disabled", "Enabled", "Enforced")]
            $State
        )
    
        Process {
            Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
            # An empty requirements array clears per-user MFA; otherwise a single requirement covering all relying parties.
            $Requirements = @()
            if($State -ne "Disabled") {
                $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
                $Requirement.RelyingParty = "*"
                $Requirement.State = $State
                $Requirements += $Requirement
            }
    
            Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $Requirements
        }
    }
    
    
    # On-premises users created since local midnight today; the date comparison runs on the domain controller.
    $Today = [DateTime]::Today
    $ADUsers = Get-ADUser -Filter { whenCreated -ge $Today } -Properties WhenCreated
    if ($null -ne $ADUsers) {
        Connect-MsolService
        foreach($ADUser in $ADUsers) {
            # Users that Azure AD Connect has not synchronised yet return nothing and are skipped.
            $AzureADUser = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -ErrorAction SilentlyContinue
            if($null -ne $AzureADUser) {
                Set-MfaState -ObjectId $AzureADUser.ObjectId -UserPrincipalName $AzureADUser.UserPrincipalName -State Enabled
            }
        }
    }
    

    You will need the MSOnline module and the Active Directory module.

    Regards,


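The answer above runs against users created "today", which leaves a gap when the task fires after midnight (a user created yesterday after the previous run is never seen) and silently drops users Azure AD Connect has not synchronised yet. The following is an added example, not code from the answer or the original poster: the same procedure (new on-premises users, matched to Azure AD, per-user MFA state set) driven by a persisted watermark so no creation window is skipped and unsynchronised users are retried. The state-file path, the parameter defaults and the choice of `Enforced` are assumptions; `Connect-MsolService` is assumed to be able to authenticate (interactively here, or with `-Credential`).

```powershell
#Requires -Modules ActiveDirectory, MSOnline
<#
  Added example (not from the answer above). Watermark-driven daily run:
  on-prem users created since the last run -> matching Azure AD users -> per-user MFA.
  Hypothetical: state-file path, parameter defaults, and that Connect-MsolService
  can authenticate (interactively or via -Credential).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$StatePath = 'C:\Scripts\EnforceMfa.last',   # hypothetical path
    [int]$InitialLookbackHours = 24,
    [ValidateSet('Enabled', 'Enforced')]
    [string]$State = 'Enforced',
    [string]$SearchBase                                   # optional OU DN if only a subtree is synchronised
)

$runStart = Get-Date

# Window start: previous watermark minus a small overlap (re-setting the same state is
# idempotent), or a fixed lookback on the very first run.
$since = if (Test-Path -LiteralPath $StatePath) {
    ([DateTime](Get-Content -LiteralPath $StatePath -Raw).Trim()).AddMinutes(-5)
} else {
    $runStart.AddHours(-$InitialLookbackHours)
}

# Server-side filter: the DC evaluates the date instead of the client pulling every user.
$adParams = @{
    Filter     = { whenCreated -ge $since -and Enabled -eq $true }
    Properties = 'whenCreated'
}
if ($SearchBase) { $adParams.SearchBase = $SearchBase }
$newUsers = @(Get-ADUser @adParams)
Write-Verbose ('{0} user(s) created since {1:u}' -f $newUsers.Count, $since)

$pending = @()   # created on-prem, not yet visible in Azure AD
if ($newUsers.Count -gt 0) {
    Connect-MsolService

    $requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
    $requirement.RelyingParty = '*'
    $requirement.State = $State

    foreach ($user in $newUsers) {
        $cloudUser = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $cloudUser) {
            Write-Warning "$($user.UserPrincipalName) not in Azure AD yet (sync lag); will retry next run"
            $pending += $user
            continue
        }
        if ($cloudUser.StrongAuthenticationRequirements.State -contains $State) {
            Write-Verbose "$($user.UserPrincipalName) already $State"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set per-user MFA state to $State")) {
            Set-MsolUser -ObjectId $cloudUser.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
    }
}

# Advance the watermark only past users that were actually handled: if some were still
# unsynchronised, the next run starts from the oldest of them.
if (-not $WhatIfPreference) {
    $watermark = if ($pending.Count -gt 0) {
        ($pending | Sort-Object whenCreated | Select-Object -First 1).whenCreated
    } else {
        $runStart
    }
    Set-Content -LiteralPath $StatePath -Value ([DateTime]$watermark).ToString('o')
}
```

Run it once with `-WhatIf -Verbose` to see which accounts it would touch before scheduling it; the watermark file is only written on a real run, so a dry run does not move the window.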
  2. Clément BETACORNE 2,266 Reputation points
    2022-02-21T08:22:37.95+00:00

    Hello,

    You can add at line 26 these lines :

    # The password is embedded in clear text; anyone who can read the script file can read the credential.
    $password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
    # Builds the PSCredential object that Connect-MsolService accepts via -Credential.
    $credential = New-Object System.Management.Automation.PSCredential ('xxx@contoso.com', $password)
    

    You can then add this parameter to Connect-MsolService: -Credential $credential

    Regards,

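Putting the password in the script, as in the answer above, means the secret is readable by anyone with read access to the file. The following is an added example, not code from the answer or the original poster: the Azure AD credential is stored with `Export-Clixml`, which protects the `SecureString` with DPAPI (decryptable only by the same Windows account on the same machine), and the daily Task Scheduler job from the question is registered under that account so it can read the file back. The paths, task name and `EnforceMfa.ps1` (standing in for the enforcement script) are hypothetical placeholders.

```powershell
<#
  Added example (not from the answer above). Setup mode: store the Azure AD credential
  as a DPAPI-protected Clixml file and register the daily task under the same account.
  Run mode: what the task executes before the enforcement logic.
  Hypothetical: paths, task name, and the script EnforceMfa.ps1.
#>
param(
    [ValidateSet('Setup', 'Run')]
    [string]$Mode = 'Run',
    [string]$CredentialPath = 'C:\Scripts\msol.cred',
    [string]$ScriptPath     = 'C:\Scripts\EnforceMfa.ps1',
    [string]$TaskName       = 'Enforce MFA for new users'
)

if ($Mode -eq 'Setup') {
    # Run once, interactively, logged on AS the account the task will run as: DPAPI
    # user-scope keys belong to that logon, so the exported file is unreadable to any
    # other account and useless if copied off this machine.
    $taskCred = Get-Credential -Message 'Account the task runs as (DOMAIN\user); you must be logged on as it now'
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($taskCred.UserName -ne $me) {
        throw "Logged on as $me but task account is $($taskCred.UserName); re-run Setup as the task account."
    }

    # Azure AD account used by Connect-MsolService. Typed at the prompt, never hard-coded;
    # only the encrypted blob touches disk.
    $msolCred = Get-Credential -Message 'Azure AD account used for Set-MsolUser'
    $msolCred | Export-Clixml -LiteralPath $CredentialPath

    # Defence in depth: even the encrypted blob is readable only by the task account and admins.
    icacls $CredentialPath /inheritance:r /grant:r "$($taskCred.UserName):(R)" /grant:r 'BUILTIN\Administrators:(F)' | Out-Null

    # Daily at 02:00. The task account's password goes to Task Scheduler's own credential
    # store, not into any script.
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $taskCred.UserName -Password $taskCred.GetNetworkCredential().Password -RunLevel Limited | Out-Null
    return
}

# Run mode (executed by the scheduled task): the password is in clear only in this
# process's memory, never on disk.
$credential = Import-Clixml -LiteralPath $CredentialPath
Connect-MsolService -Credential $credential
```

`Connect-MsolService -Credential` only works for an account without an interactive MFA prompt, so the account used here should be a dedicated one with the minimum role needed for `Set-MsolUser`, and the ACL on the credential file is what stands between that account and anyone else on the box.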

  3. Ninoslav Kostovski 1 Reputation point
    2022-08-25T13:13:46.047+00:00

    It looks like the Set-MsolUser command will stop working on 31st March 2023
    https://practical365.com/azure-ad-license-management-extension/

    And to make things even more difficult, there is no replacement command to set the MFA status to enforced for new accounts using the MS Graph module
    authenticationmethods-overview

    NOTE: This feature is replaced by the individual authentication method APIs listed above. These can be used to delete a user's existing registered authentication methods; once the user has no more methods, they'll be prompted to register the next time they sign in where strong authentication is required (the user can also register at any time using MySecurityInfo). This can be done using the Azure AD admin UX, the Microsoft Graph APIs, and the Microsoft Graph PowerShell SDK.
    The legacy version of this feature is currently supported only through the MSOL Set-MsolUser cmdlet, using the StrongAuthenticationMethods property.

    It will work as an MFA reset when you delete all authentication methods, but only if the account previously had its MFA status set to enforced, which it will not be possible to set after 31st March 2023, at least not using PowerShell. You will initially need to do this manually in the GUI using the link below
    multifactorverification.aspx

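The quoted note says the per-user MFA state has no Graph equivalent and that what Graph offers instead is per-method management. The following is an added example, not code from the answer or the original poster, using the Microsoft Graph PowerShell SDK: it lists the authentication methods each recently created user has registered, flags users that still have only a password (the check a practitioner needs once Enforced can no longer be set), and with `-ResetMethods` deletes the registered non-password methods so the user is re-prompted to register at next sign-in. It does not and cannot set Enabled/Enforced. The `Hours` default and the delegated permissions `User.Read.All` and `UserAuthenticationMethod.ReadWrite.All` are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
<#
  Added example (not from the answer above). Reports registered authentication methods
  for recently created users and optionally deletes them (MFA reset). Cannot set
  Enabled/Enforced. Hypothetical: the Hours default and the assumed Graph scopes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$UserPrincipalName,   # explicit list, e.g. taken from Get-ADUser output
    [int]$Hours = 24,
    [switch]$ResetMethods
)

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

if (-not $UserPrincipalName) {
    # Fall back to cloud-side creation time when no list was supplied.
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $UserPrincipalName = (Get-MgUser -Filter "createdDateTime ge $since" -Property 'userPrincipalName' `
                              -ConsistencyLevel eventual -CountVariable cnt -All).UserPrincipalName
}

$report = foreach ($upn in $UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $upn -ErrorAction SilentlyContinue
    if (-not $methods) { Write-Warning "$upn : not found or no permission"; continue }

    # The concrete method type is only exposed in @odata.type,
    # e.g. #microsoft.graph.phoneAuthenticationMethod
    $typed = foreach ($m in $methods) {
        [pscustomobject]@{
            Id   = $m.Id
            Type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
    }
    # Password (and a temporary access pass) is not a second factor.
    $strong = @($typed | Where-Object {
        $_.Type -notin @('passwordAuthenticationMethod', 'temporaryAccessPassAuthenticationMethod')
    })

    if ($ResetMethods) {
        foreach ($m in $strong) {
            # Graph collection name = type with 'AuthenticationMethod' -> 'Methods'
            # (phoneAuthenticationMethod -> phoneMethods, fido2AuthenticationMethod -> fido2Methods, ...).
            $collection = $m.Type -replace 'AuthenticationMethod$', 'Methods'
            $uri = "https://graph.microsoft.com/v1.0/users/$upn/authentication/$collection/$($m.Id)"
            if ($PSCmdlet.ShouldProcess($upn, "DELETE $collection/$($m.Id)")) {
                Invoke-MgGraphRequest -Method DELETE -Uri $uri
            }
        }
    }

    [pscustomobject]@{
        User          = $upn
        Methods       = ($typed.Type -replace 'AuthenticationMethod$', '') -join ', '
        MfaRegistered = $strong.Count -gt 0
    }
}

$report | Sort-Object MfaRegistered, User | Format-Table -AutoSize
```

Run without `-ResetMethods` first; the `MfaRegistered = False` rows are the new users who have not yet registered a second factor. `-ResetMethods -WhatIf` prints the exact DELETE calls without issuing them, which is worth doing once because deleting a user's methods cannot be undone.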
