Deploy MFA post Azure AD deployment not working for some users.

Gurudas 886 Reputation points
2022-05-20T07:08:08.527+00:00

Hello Team,

Please let me know how to verify that MFA provisioning is done for an Azure AD user, via the GUI or a PowerShell command. Also let me know, if it has not been provisioned so far, how we can do it post Azure AD deployment.

Scenario: We have 10 users out of 100 users in Contoso.com whose MFA is not working post MFA deployment. Please suggest steps to re-provision MFA for those 10 users.

Your quick support will be highly appreciated.

Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. Manu Philip 16,961 Reputation points MVP
    2022-05-20T07:17:11.507+00:00

    You may refer to the doc below to find the per-user MFA status from the Azure Portal:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user
    Also, note the following points:

    All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

    If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced.

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. AmanpreetSingh-MSFT 56,301 Reputation points
    2022-05-20T07:29:41.93+00:00

    Hi @Gurudas • Thank you for reaching out.

    As PowerShell and the GUI both update the same attributes, it is not possible to distinguish whether MFA registration on a user account was done via PowerShell or the GUI.

    You can use the below PowerShell command to get a list of users with MFA Enabled/Disabled:

     # Sign in to the tenant with the MSOnline module (prompts for admin credentials)
     Connect-MsolService
     # Per-user MFA state is stored in StrongAuthenticationRequirements;
     # an empty State means the user was never enabled for per-user MFA
     Get-MsolUser -All | Select-Object DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if ($null -ne $_.StrongAuthenticationRequirements.State) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } }}

    If MFA is enabled and still not working, you can use the below options:

    • Navigate to Azure AD > Users > Click on the user account that you want to re-provision MFA for > Authentication methods > Require re-register MFA.
    • Run the below PowerShell cmdlets:
       # Sign in to the tenant with the MSOnline module
       Connect-MsolService
       # Clear the user's registered MFA methods so they are prompted to register again at next sign-in
       Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @()

    Below is the list of services/settings that can be used to require MFA Registration for a user:

    1. Conditional Access Policy (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)
    2. Azure AD Identity Protection (https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
    3. Security Defaults (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
    4. Per-user MFA (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates)

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
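An added example that builds on the answer above (it is not code from either answer): it reports the per-user MFA state and registered methods for a given list of accounts, flags the ones that never completed registration, and clears stale methods only after confirmation. It assumes the MSOnline module is installed, an admin session is opened with Connect-MsolService, and the UPNs are constructed placeholders for the affected users.

```powershell
# Constructed placeholders for the affected accounts (not real users).
$affectedUsers = @('user01@contoso.com', 'user02@contoso.com')

function Get-PerUserMfaReport {
    # One row per user: per-user MFA state, registered methods, default method.
    param([Parameter(Mandatory)][string[]] $UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        $state   = $u.StrongAuthenticationRequirements.State   # Enabled, Enforced or $null
        $methods = @($u.StrongAuthenticationMethods)           # what the user registered
        [pscustomobject]@{
            UserPrincipalName = $upn
            MfaState          = $(if ($state) { $state } else { 'Disabled' })
            RegisteredMethods = ($methods.MethodType -join ', ')
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
            BlockCredential   = $u.BlockCredential
            # Enabled but nothing registered: the user never finished registration,
            # which is why the state never moved on to Enforced.
            NotRegistered     = ($state -eq 'Enabled' -and $methods.Count -eq 0)
        }
    }
}

function Reset-PerUserMfaMethods {
    # Clears registered methods so the user is asked to register again at the
    # next sign-in. Same cmdlet as the answer above, applied only per
    # confirmation (supports -WhatIf and -Confirm).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]] $UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        if ($PSCmdlet.ShouldProcess($upn, 'Clear StrongAuthenticationMethods')) {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods @()
        }
    }
}

Connect-MsolService
$report = Get-PerUserMfaReport -UserPrincipalName $affectedUsers
$report | Format-Table -AutoSize

# Dry run first; drop -WhatIf to actually clear the methods. Users with no
# methods at all have nothing to clear; they simply need to register.
$report | Where-Object { -not $_.NotRegistered -and $_.MfaState -ne 'Disabled' } |
    ForEach-Object { Reset-PerUserMfaMethods -UserPrincipalName $_.UserPrincipalName -WhatIf }
```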