Pre-Provisioning Microsoft Azure Multi-Factor Authentication for Users

If you enable or enforce Azure Multi-Factor Authentication for your users, you will most likely have seen the wizard that user goes through in order to properly provision Multi-Factor Authentication for their account.

As an administrator, you might want to ease this process to the end-user and pre-provision Multi-Factor Authentication in Microsoft Azure Active Directory.

First, make sure that the users Mobile Phone Number is properly set in Microsoft Azure Active Directory. (If you are using the Directory Synchronization Tool (DirSync) or the Windows Azure Active Directory Connector for FIM 2010 R2, the user's mobile phone number will by synchronized from Active Directory automatically.)

If that's set, you can enable and configure Multi-Factor Authentication by using PowerShell:

 $upn = ""

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enforced"

$sta = @($st)

$sm1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm1.IsDefault = $true
$sm1.MethodType = "OneWaySMS"

$sm2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm2.IsDefault = $false
$sm2.MethodType = "TwoWayVoiceMobile"

$sm = @($sm1, $sm2)

Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $sta -StrongAuthenticationMethods $sm

By using this script, Multi-Factor Authentication for the user will be enabled for all applications in Azure Active Directory (this is the $st variable in the code). After we enable MFA, we need to provide Azure with the methods we want to use for MFA. In this case, we enable two methods; the PIN Text Message (OneWaySMS) and the voice call (TwoWayVoiceMobile). The default authentication method is OneWaySMS. These two methods are held in the $sm variable.

Last, we update the user using the Set-MsolUser command.