Rest API to enable MFA

Question

Rest API to enable MFA

dev-4859 26

Hello,
I am working on C# project, I need to know is there any REST API to enable or disable MFA in O365?

1 answer

Your answer

Answer 1

Hi @VIJAYBABUS-4859 • Thank you for reaching out.

As of now, per-user MFA cannot be enabled via REST API and it has to be done by using Office/Azure Portal or using the Set-MSOLUser PowerShell Cmdlet.

However, you can use Graph API to create a Conditional Access Policy that requires users to perform MFA when All or Specified Cloud Apps are accessed. Below is an example of how you can create a Conditional Access policy using C# Graph SDK.

In the below example, members of the specified group need to perform MFA when they access Exchange Online using a Mobile/Desktop App or web browser from any location except the trusted locations.

GraphServiceClient graphClient = new GraphServiceClient( authProvider );  
  
var conditionalAccessPolicy = new ConditionalAccessPolicy  
{  
	DisplayName = "Access to EXO requires MFA",  
	State = ConditionalAccessPolicyState.Enabled,  
	Conditions = new ConditionalAccessConditionSet  
	{  
		ClientAppTypes = new List<ConditionalAccessClientApp>()  
		{  
			ConditionalAccessClientApp.MobileAppsAndDesktopClients,  
			ConditionalAccessClientApp.Browser  
		},  
		Applications = new ConditionalAccessApplications  
		{  
			IncludeApplications = new List<String>()  
			{  
				"00000002-0000-0ff1-ce00-000000000000"  
			}  
		},  
		Users = new ConditionalAccessUsers  
		{  
			IncludeGroups = new List<String>()  
			{  
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"  
			}  
		},  
		Locations = new ConditionalAccessLocations  
		{  
			IncludeLocations = new List<String>()  
			{  
				"All"  
			},  
			ExcludeLocations = new List<String>()  
			{  
				"AllTrusted"  
			}  
		}  
	},  
	GrantControls = new ConditionalAccessGrantControls  
	{  
		Operator = "OR",  
		BuiltInControls = new List<ConditionalAccessGrantControl>()  
		{  
			ConditionalAccessGrantControl.Mfa  
		}  
	}  
};  
  
await graphClient.Identity.ConditionalAccess.Policies  
	.Request()  
	.AddAsync(conditionalAccessPolicy);

Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

dev-4859 26 Reputation points

2022-06-07T09:38:42.91+00:00

@AmanpreetSingh-MSFT
Enabling like this ok but how to disable via api , is there any way.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2022-06-07T11:22:55.99+00:00

@VIJAYBABUS-4859 • To disable MFA, all you need to do is remove the users from the group whose object ID you specify in the IncludeGroups List (Line No. 25 in the above snippet).

You can use Graph API to remove group members, as shown below:

GraphServiceClient graphClient = new GraphServiceClient( authProvider ); await graphClient.Groups["{group-id}"].Members["{directoryObject-id}"].Reference .Request() .DeleteAsync();

Read more about removing group member(s) here: Remove member
dev-4859 26 Reputation points

2022-06-07T11:40:27.897+00:00

@AmanpreetSingh-MSFT
It's not working , even after removing from the group the user is enabled with mfa.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2022-06-07T16:10:08.99+00:00

@VIJAYBABUS-4859 • Kindly share the correlation ID and timestamp. For this purpose, do not respond to the MFA prompt and let it timeout. Once it times out, along with the error, you will get the correlation ID and timestamp. I will try to track the information to find why MFA is still being triggered for the user.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2022-06-08T16:20:36.223+00:00

Hi @VIJAYBABUS-4859 • Any update on this?

Share via

Rest API to enable MFA

1 answer

Your answer