The PowerShell code shown here targets the old and "_almost deprecated_" MSOnline module. As stated here:
_Customers are encouraged to use the newer Azure Active Directory V2 PowerShell module instead of this module_
But, AFAIK, there's no way to enable MFA with the V2 Azure AD module. Please correct me!
@PaoloCastAway Thanks for your feedback! We will investigate and update as appropriate.
@PaoloCastAway Yes, you are correct: the V2 version of the Azure AD PowerShell module does not have any cmdlet to accomplish this. You need to use the older V1 version of the AAD PowerShell module (MSOL PowerShell) to do this.
@PaoloCastAway We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
@SaurabhSharma-MSFT
I see that https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#use-powershell says MFA can be modified using:

```powershell
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements $sta
```

But when I want to disable it using `$st.State = "Disabled"`, it shows an error:

```
Set-MsolUser : Invalid value for parameter. Parameter Name: StrongAuthenticationRequirements.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName [email protected] -StrongAuthentic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyValidationException,Microsoft.Online.
Administration.Automation.SetUser
```

How should I disable MFA using PowerShell?
I'm running into this issue with the AzureAD v2.0 module not supporting MFA management. Any updates on Microsoft getting that functionality built in so that we don't have to keep using the MSOnline v1.0 module which Microsoft keeps telling us we shouldn't use because it's deprecated?
Spent a while trying to figure out how to do this and disappointing that it's missing. Any update on when this might get resolved?
@berviantoleo
You can disable MFA like this. Try it and hope it works fine!
```powershell
$sta = @()
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements $sta
```
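
Added example, not part of any comment in this thread and not Microsoft's code: a wrapper that combines the enable snippet and the empty-array disable workaround above, then reads the state back to confirm the change. `Set-UserMfaState` is a hypothetical helper name and the UPN is a constructed placeholder; it assumes the MSOnline module is installed and `Connect-MsolService` has already been run.

```powershell
# Added example. Set-UserMfaState is a hypothetical helper, not an MSOnline cmdlet.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
function Set-UserMfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )

    if ($State -eq 'Disabled') {
        # As reported in the thread, State = "Disabled" is rejected by Set-MsolUser,
        # so per-user MFA is turned off by passing an empty requirements list.
        $requirements = @()
    }
    else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $State
        $requirements = @($req)
    }

    # Supports -WhatIf / -Confirm so bulk runs can be previewed first.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set per-user MFA to $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
    }

    # Read the value back so the result is verified rather than assumed.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $current = $user.StrongAuthenticationRequirements |
        Select-Object -First 1 -ExpandProperty State

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        # An empty requirements list means per-user MFA is off.
        MfaState          = if ($current) { $current } else { 'Disabled' }
    }
}

# Constructed UPN, for illustration only.
Set-UserMfaState -UserPrincipalName 'user@example.com' -State Disabled
```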
Can we reopen this? We should be able to manage MFA using Graph / AzureAD 2.0
This has to be reopened. How can we manage MFA when MSOlUser will be removed?
Please consider managing/queries of MFA status using AzureAD
@ktoliver sorry to bother you, but I saw you were actively working on the Azure GitHub documentation section, so I thought I'd link you to this post in the hopes you could bring this to the attention of the appropriate team.
Tl;dr: There is currently no method to enable MFA using the PowerShell V2 module and V1 is deprecated.
DansGame