30 October 2018

Enable Office365 MFA per user or all users - Search for users with MFA disabled

Enabling MFA for all users is relatively easy with PowerShell, and how-tos are found all over the web.
Enabling MFA for a single user is a bit less obvious, so here is how to do it (plus the reporting and bulk-enable snippets that go with it):

Enable MFA per user
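#Create the StrongAuthenticationRequirement object and insert required settings
# Requires an existing Connect-MsolService session.
$mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"          # "*" = the requirement applies to every relying party (all apps)
$mf.State        = "Enabled"    # Pin the state explicitly: 'Enabled' prompts the user to register at the next
                                # interactive sign-in; 'Enforced' requires MFA outright (same two values the
                                # Set-MFAUsers function further down validates). Leaving State unset has been
                                # observed to end up as Enabled, but do not rely on an implicit default.
$mfa = @($mf)                   # Set-MsolUser takes an array of requirements
#Enable MFA for a user
Set-MsolUser -UserPrincipalName userprinciplename@domain.com -StrongAuthenticationRequirements $mfa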


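#Enable MFA for all users (use with CAUTION!)
# Requires $mfa from the snippet above and an existing Connect-MsolService session.
# This touches EVERY account returned by Get-MsolUser -All, including the account running this
# command, emergency-access ("break glass") accounts and service/automation accounts that may not
# be able to complete an MFA challenge. List the UPNs that must keep their current state in
# $ExcludeUpn before running; an empty list behaves exactly like the original one-liner.
$ExcludeUpn = @()   # e.g. @('breakglass@domain.com')

Get-MsolUser -All |
    Where-Object { $ExcludeUpn -notcontains $_.UserPrincipalName } |
    Set-MsolUser -StrongAuthenticationRequirements $mfa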

Check the settings
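# Read back the per-user requirement for one account.
# StrongAuthenticationRequirements is empty when no per-user MFA requirement was ever set, in which
# case -ExpandProperty emits nothing and $User is $null - report that as "Disabled" instead of
# printing a blank line (the original $User.State printed nothing for such users).
$User = Get-MsolUser -UserPrincipalName 'user@domain.com' | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($null -eq $User) { "Disabled" } else { $User.State }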

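#List All users and MFA status :
# One record per tenant user with the per-user MFA requirement state (Enabled / Enforced),
# or "Disabled" when no requirement has ever been set for that account.
# Note: this is the *requirement* state; whether the user has actually registered a method
# is a separate question (see the StrongAuthenticationMethods checks further down).
Connect-MsolService

$users = Get-MsolUser -All

# Assigning the foreach output collects the records directly; the original "$Result +="
# re-created the array on every iteration (O(n^2) for large tenants).
$Result = foreach ($user in $users) {
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    # $null on the left so an empty collection compares as a scalar (PowerShell idiom)
    if ($null -eq $mfaStatus) { $mfaStatus = "Disabled" }

    New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
# Select-Object fixes the column order (hashtable property order is not guaranteed)
$Result | Select-Object UserName,UserPrincipalName,MFAStatus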
            
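#List only MFA enabled users :
# Same inventory as above, filtered to accounts that have a per-user requirement
# (State is Enabled or Enforced); "Disabled" rows are dropped.
Connect-MsolService

$users = Get-MsolUser -All

# Collect the foreach output instead of growing $Result with "+=" (O(n^2) array copies)
$Result = foreach ($user in $users) {
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    if ($null -eq $mfaStatus) { $mfaStatus = "Disabled" }

    New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
$Result | Where-Object { $_.MFAStatus -ne "Disabled" }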
            
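#List only MFA disabled users :
# Accounts with no per-user MFA requirement at all. This is the list an attacker would also
# want, so treat the output as sensitive and do not leave it lying around in a shared console log.
Connect-MsolService

$users = Get-MsolUser -All

# Collect the foreach output instead of growing $Result with "+=" (O(n^2) array copies)
$Result = foreach ($user in $users) {
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    if ($null -eq $mfaStatus) { $mfaStatus = "Disabled" }

    New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
$Result | Where-Object { $_.MFAStatus -eq "Disabled" }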
            
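#Export 365 users MFA status to CSV file :
# NOTE(security): the export is a plaintext map of which accounts lack MFA. Keep it in an
# access-controlled location and delete it once the rollout is finished.
Connect-MsolService

$OutFile = "C:\Temp\O365-Users-MFA-Status.csv"
# Export-Csv does not create the folder; make sure it exists so the export does not fail silently
$OutDir = Split-Path -Path $OutFile -Parent
if (-not (Test-Path -Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$users = Get-MsolUser -All

# Collect the foreach output instead of growing $Result with "+=" (O(n^2) array copies)
$Result = foreach ($user in $users) {
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    if ($null -eq $mfaStatus) { $mfaStatus = "Disabled" }

    New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
$Result |
    Select-Object UserName,UserPrincipalName,MFAStatus |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8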
            
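#Create the StrongAuthenticationRequirement object and insert required settings
# ($mfa is consumed by the bulk-enable snippet that follows.)
$mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"          # "*" = applies to every relying party (all apps)
$mf.State        = "Enabled"    # explicit state: 'Enabled' (register at next interactive sign-in) or
                                # 'Enforced' - the same values Set-MFAUsers validates below. Do not
                                # rely on an implicit default when State is left unset.
$mfa = @($mf)                   # Set-MsolUser takes an array of requirements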
            
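#Enable all disabled users for MFA :
# Requires $mfa (the StrongAuthenticationRequirement array built in the snippet above).
# Security notes before running this:
#  - It targets EVERY account with no per-user requirement, including the one running the
#    script, emergency-access ("break glass") accounts and service accounts. List the UPNs that
#    must keep their current state in $ExcludeUpn; an empty list behaves like the original.
#  - "Disabled" here only means "no per-user requirement set"; it says nothing about whether
#    the user has registered a method (see the StrongAuthenticationMethods checks further down).
Connect-MsolService

$ExcludeUpn = @()   # e.g. @('breakglass@domain.com', 'svc-backup@domain.com')

$users = Get-MsolUser -All

# Collect the foreach output instead of growing $Result with "+=" (O(n^2) array copies)
$Result = foreach ($user in $users) {
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    if ($null -eq $mfaStatus) { $mfaStatus = "Disabled" }

    New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}

# Set-MsolUser binds -UserPrincipalName from the piped record by property name
$Result |
    Where-Object { $_.MFAStatus -eq "Disabled" -and $ExcludeUpn -notcontains $_.UserPrincipalName } |
    Set-MsolUser -StrongAuthenticationRequirements $mfa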

Identify users who have registered for MFA (have at least one StrongAuthenticationMethods entry, i.e. completed setup) and count them. Registration is independent of the Enabled/Enforced requirement state reported above: a user can be "Enabled" and still not have registered, and until they do the requirement is not actually challenging their sign-ins.
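# Users with at least one registered MFA method. Test the collection's Count, mirroring the
# "not registered" check below. Do NOT rewrite this as "$null -ne $_.StrongAuthenticationMethods":
# for an unregistered user the property is an empty collection, not $null, and that form would
# report every user as registered.
$Registered = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } |
    Select-Object -Property UserPrincipalName
$Registered
# @() so the count is correct even when exactly one user matches (a scalar has no .Count on older PowerShell)
@($Registered).Count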

Identify users who have not registered for MFA and count the number of users.
# Users with no registered MFA method at all (empty StrongAuthenticationMethods collection).
# These accounts are protected by the password alone regardless of their requirement state,
# so this list is the one to chase during a rollout.
$NotRegistered = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object -Property UserPrincipalName
$NotRegistered
$NotRegistered.count

Bulk-enable MFA for the UPNs listed in a text file (one user principal name per line; the function reads it with Get-Content, so it is a plain list rather than a CSV).
Enable for multiple users:
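function Set-MFAUsers {
    <#
    .SYNOPSIS
        Sets the per-user MFA requirement (Enabled or Enforced) for every UPN listed in a text file.
    .DESCRIPTION
        Reads one user principal name per line from -Path (blank lines and surrounding whitespace
        are ignored), applies a StrongAuthenticationRequirement with RelyingParty "*" to each user,
        then reads the user back and compares the resulting State with the requested one.
        Requires an existing Connect-MsolService session.
    .PARAMETER Path
        Path to the text file. Accepts a path string, or a FileInfo from the pipeline via its
        FullName property (e.g. Get-ChildItem file.txt | Set-MFAUsers).
    .PARAMETER State
        'Enabled' (default) or 'Enforced'. 'Enforced' requires MFA immediately; make sure the
        listed users have registered a method first (see the StrongAuthenticationMethods checks).
    .OUTPUTS
        None to the pipeline. Writes a [SUCCESS]/[FAILED] line per UPN to the host; errors from
        Set-MsolUser / Get-MsolUser are surfaced as warnings that name the affected UPN.
    #>
    param (
        [parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
        [ValidateScript( {Test-Path -Path $_ -PathType Leaf})]
        [Alias('FullName')]
        [String] $Path,

        [ValidateSet('Enabled','Enforced')]
        [String] $State = 'Enabled'
    )

    begin {
        # Build the requirement once; "*" applies it to every relying party (all apps).
        $MFASetting = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
            RelyingParty = "*"
            State        = $State
        }
    }

    process {
        # process{} runs once per piped path. Without it the body ran only for the last object
        # piped in, so "Get-ChildItem *.txt | Set-MFAUsers" silently skipped all files but one.
        # Get-Content streams one line at a time here; trimming and dropping empty lines avoids
        # a Set-MsolUser call with an empty UPN for every blank line in the file.
        $Users = @(Get-Content -Path $Path |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' })

        foreach ($user in $Users) {
            $SetUser = @{
                UserPrincipalName                = $user
                StrongAuthenticationRequirements = $MFASetting
                ErrorAction                      = 'Stop'
            }

            Try {
                # Set MFA
                Set-MsolUser @SetUser

                # Post check: read the state back rather than trusting that the call returned without error
                $ThisUser = Get-MsolUser -UserPrincipalName $user -ErrorAction Stop |
                    Select-Object -ExpandProperty StrongAuthenticationRequirements

                if ($ThisUser.State -eq $State) {
                    Write-Host "[SUCCESS] UPN: $user" -ForegroundColor Green
                }
                else {
                    Write-Host "[FAILED ] UPN: $user" -ForegroundColor Red
                }
            }
            Catch {
                # Include the UPN so a failure in a long list can be attributed
                Write-Warning -Message "UPN: $user - $($_.Exception.Message)"
            }
        }
    }
}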
            
# Example call: one UPN per line in MFA_Users.txt. -Path is bound directly here; piping the file
# from Get-ChildItem works the same way because the parameter also accepts FullName from the pipeline.
# 'Enforced' requires MFA at once rather than prompting for registration, so check the listed users
# against the "not registered" report above before using it.
Set-MFAUsers -Path 'C:\temp\MFA_Users.txt' -State Enforced
