question

GurudasSatardekar asked amanpreetsingh-msft commented

Deploy MFA post Azure AD deployment not working for some users.

Hello Team,

Please let me know how to verify that the Azure AD user's MFA provisioning is done via GUI or PowerShell command. Also let me know, if it's not provisioned so far, how we can do it post Azure AD deployment.

Scenario: We do have 10 users out of 100 users in Contoso.com whose MFA is not working post MFA deployment. Please suggest steps to re-provision MFA for those 10 users.

Your quick support will be highly appreciated.

azure-active-directory

ManuPhilip answered ManuPhilip commented

You may refer to the doc below to find the per-user MFA status from the Azure Portal:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user
Also, note the following points:

All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced.


--please don't forget to upvote and Accept as answer if the reply is helpful--


Have you got a chance to verify the solution provided? If helpful, please don't forget to upvote and Accept as answer.

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @Gurudas • Thank you for reaching out.

As PowerShell and GUI both update the same attributes, it is not possible to distinguish whether MFA registration on a user account was done via PowerShell or GUI.

You can use the below PowerShell command to get a list of users with MFA Enabled/Disabled:

  Connect-MsolService
  Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

If MFA is enabled and still not working, you can use the below options:

  • Navigate to Azure AD > Users > Click on the user account that you want to re-provision MFA for > Authentication methods > Require re-register MFA.


  • Run the below PowerShell cmdlets:

       Connect-MsolService
       Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @()
    

Below is the list of services/settings that can be used to require MFA Registration for a user:

  1. Conditional Access Policy (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)

  2. Azure AD Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)

  3. Security Defaults (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

  4. Per-user MFA (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates)


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
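
For the scenario in this thread (a handful of accounts whose MFA does not work), the following is an added example, not code posted by any participant, that triages accounts by per-user state and registered methods using the same `Get-MsolUser` properties as the answer above. The function name `Get-MfaProvisioningReport`, the file name in the comment and the sample objects are hypothetical; the samples are constructed so the block runs without a tenant connection.

```powershell
# Added example: classify user objects shaped like Get-MsolUser output.
function Get-MfaProvisioningReport {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$User)
    process {
        # Empty StrongAuthenticationRequirements means per-user MFA is Disabled.
        $reqs  = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $state = if ($reqs.Count -gt 0) { [string]$reqs[0].State } else { 'Disabled' }

        # StrongAuthenticationMethods holds the methods the user has registered.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ } |
            ForEach-Object { $_.MethodType })

        $finding = if ($state -eq 'Disabled') {
            'Per-user MFA not enabled'
        } elseif ($methods.Count -eq 0) {
            'Enabled, no method registered'
        } else {
            'Methods registered'
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            Methods           = $methods -join ','
            Finding           = $finding
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser output.
# Against a tenant (after Connect-MsolService), with a hypothetical UPN list file:
#   Get-Content .\affected-upns.txt |
#     ForEach-Object { Get-MsolUser -UserPrincipalName $_ } | Get-MfaProvisioningReport
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@contoso.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'user2@contoso.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'user3@contoso.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification' }) }
)

$sample | Get-MfaProvisioningReport | Format-Table -AutoSize
```

An account reported as Disabled here can still be required to use MFA by Conditional Access, Identity Protection or Security Defaults from the list above, since this report reads only the per-user state.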



@Gurudas • Just checking if you have any further questions.
