But enabling MFA for one user is a bit more difficult.
Here's how to do it:
Enable MFA per user
#Create the StrongAuthenticationRequirement object and insert required settings
$mf
=
New-Object
-TypeName
Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf
.RelyingParty =
"*"
$mfa
= @(
$mf
)
#Enable MFA for a user
Set-MsolUser
-UserPrincipalName
userprinciplename@domain.com -StrongAuthenticationRequirements
$mfa
#Enable MFA for all users (use with CAUTION!)
Get-MsolUser
-All
|
Set-MsolUser
-StrongAuthenticationRequirements
$mfa
Check the settings
$User = Get-msoluser -UserPrincipalName 'user@domain.com' | Select-Object -ExpandProperty StrongAuthenticationRequirements $User.State
#List All users and MFA status : Connect-MsolService $Result=@() $users = Get-MsolUser -All $users | ForEach-Object { $user = $_ if ($user.StrongAuthenticationRequirements.State -ne $null){ $mfaStatus = $user.StrongAuthenticationRequirements.State }else{ $mfaStatus = "Disabled" } $Result += New-Object PSObject -property @{ UserName = $user.DisplayName UserPrincipalName = $user.UserPrincipalName MFAStatus = $mfaStatus } } $Result | Select UserName,UserPrincipalName,MFAStatus #List only MFA enabled users : Connect-MsolService $Result=@() $users = Get-MsolUser -All $users | ForEach-Object { $user = $_ if ($user.StrongAuthenticationRequirements.State -ne $null){ $mfaStatus = $user.StrongAuthenticationRequirements.State }else{ $mfaStatus = "Disabled" } $Result += New-Object PSObject -property @{ UserName = $user.DisplayName UserPrincipalName = $user.UserPrincipalName MFAStatus = $mfaStatus } } $Result | Where-Object {$_.MFAStatus -ne "Disabled"} #List only MFA disabled users : Connect-MsolService $Result=@() $users = Get-MsolUser -All $users | ForEach-Object { $user = $_ if ($user.StrongAuthenticationRequirements.State -ne $null){ $mfaStatus = $user.StrongAuthenticationRequirements.State }else{ $mfaStatus = "Disabled" } $Result += New-Object PSObject -property @{ UserName = $user.DisplayName UserPrincipalName = $user.UserPrincipalName MFAStatus = $mfaStatus } } $Result | Where-Object {$_.MFAStatus -eq "Disabled"} #Export 365 users MFA status to CSV file : Connect-MsolService $Result=@() $users = Get-MsolUser -All $users | ForEach-Object { $user = $_ if ($user.StrongAuthenticationRequirements.State -ne $null){ $mfaStatus = $user.StrongAuthenticationRequirements.State }else{ $mfaStatus = "Disabled" } $Result += New-Object PSObject -property @{ UserName = $user.DisplayName UserPrincipalName = $user.UserPrincipalName MFAStatus = $mfaStatus } } $Result | Select UserName,UserPrincipalName,MFAStatus | Export-CSV "C:\Temp\O365-Users-MFA-Status.csv" -NoTypeInformation -Encoding UTF8 #Create the StrongAuthenticationRequirement object and insert required settings $mf= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $mf.RelyingParty = "*" $mfa = @($mf) #Enable all disabled users for MFA : Connect-MsolService $Result=@() $users = Get-MsolUser -All $users | ForEach-Object { $user = $_ if ($user.StrongAuthenticationRequirements.State -ne $null){ $mfaStatus = $user.StrongAuthenticationRequirements.State }else{ $mfaStatus = "Disabled" } $Result += New-Object PSObject -property @{ UserName = $user.DisplayName UserPrincipalName = $user.UserPrincipalName MFAStatus = $mfaStatus } } $Result | Where-Object {$_.MFAStatus -eq "Disabled"} | Set-MsolUser -StrongAuthenticationRequirements $mfa
Identify users who have registered for MFA and count the number of users.
$Registered = Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName $registered $registered.count
Identify users who have not registered for MFA and count the number of users.
$NotRegistered = Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName $NotRegistered $NotRegistered.count
Bulk enable for multiple users in csv file
Enable for multiple users
function Set-MFAUsers { param ( [parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] [ValidateScript( {Test-Path $_})] [Alias('FullName')] [String] $Path, [ValidateSet('Enabled','Enforced')] [String] $State = 'Enabled' ) # Set MFA object $MFASetting = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{ RelyingParty = "*" State = $State } # Get user list $Users = Get-Content -Path $Path -ReadCount -1 foreach ($user in $users) { $SetUser = @{ UserPrincipalName = $user StrongAuthenticationRequirements = $MFASetting ErrorAction = 'Stop' } Try { # Set MFA Set-MsolUser @SetUser # Post Check $ThisUser = Get-msoluser -UserPrincipalName $User | Select-Object -ExpandProperty StrongAuthenticationRequirements if ($ThisUser.State -eq $SetUser.StrongAuthenticationRequirements.State) { Write-Host "[SUCCESS] UPN: $user" -ForegroundColor Green } else { Write-Host "[FAILED ] UPN: $user" -ForegroundColor Red } } Catch { Write-Warning -Message $_.Exception.Message } } } Get-ChildItem C:\temp\MFA_Users.txt | Set-MFAUsers -State Enforced