Hi there

In this article I’m covering how to enable MFA for all users based on Get-MsolUser queries.

First of all let’s cover some basics on get-msoluser commands.

List all licensed users on your subscription

Get-MsolUser -All | where {$_.isLicensed -eq $true}

List all unlicensed users on your subscription

Get-MsolUser -All -UnlicensedUsersOnly

List all unlicensed users, excluding #EXT# (guest users) and *Sync* (Azure AD Connect synchronization accounts)

Get-MsolUser -All -UnlicensedUsersOnly | Where-Object {($_.userprincipalname -notlike "*EXT*") -and ($_.userprincipalname -notlike "*Sync*")}

List the same users as the previous query, limited to UPNs in the collabcan.com domain

Get-MsolUser -All -UnlicensedUsersOnly | Where-Object {($_.userprincipalname -notlike "*EXT*") -and ($_.userprincipalname -notlike "*Sync*")} | Where-Object {$_.userprincipalname -like "*collabcan.com"}

Now that we’re familiar with Get-MsolUser, let’s add a loop that grabs each user’s UPN (userprincipalname).

Enable MFA for all licensed users.

# Enable MFA
# Uncomment the line with Set-MsolUser after you test this out

$users = Get-MsolUser -All | where {$_.isLicensed -eq $true} | Where-Object {($_.userprincipalname -notlike "*EXT*") -and ($_.userprincipalname -notlike "*Sync*")}
foreach ($user in $users)
{
    # Build the requirement object that sets the per-user MFA state to Enabled
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    write-host -ForegroundColor Cyan "working on user" $user.userprincipalname
    # Pass the UPN string, not the whole user object
    #Set-MsolUser -UserPrincipalName $user.userprincipalname -StrongAuthenticationRequirements $sta
}

#End

Disable MFA for all licensed users.

# Disable MFA for all licensed users (exclude SYNC and EXT)
# Uncomment the line with Set-MsolUser after you test this out
$users = Get-MsolUser -All | where {$_.isLicensed -eq $true} | Where-Object {($_.userprincipalname -notlike "*EXT*") -and ($_.userprincipalname -notlike "*Sync*")}
foreach ($user in $users)
{
    write-host -ForegroundColor Cyan "working on user" $user.userprincipalname
    # An empty requirements array clears the per-user MFA state (Disabled)
    #Set-MsolUser -UserPrincipalName $user.userprincipalname -StrongAuthenticationRequirements @()
}
#End
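
A state-aware variant of the enable loop, added here as an example and not part of the original article: it reads each user's current per-user MFA state from StrongAuthenticationRequirements and targets only users who are still Disabled, so a re-run does not overwrite accounts that are already Enabled or Enforced. The function names (Get-MfaState, Select-MfaTarget, Enable-MfaWhereDisabled), the -Apply switch and the sample users are assumptions made for this example.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Enable-MfaWhereDisabled needs the MSOnline module and a Connect-MsolService session.

function Get-MfaState {
    # An empty StrongAuthenticationRequirements collection means per-user MFA is Disabled.
    param([Parameter(Mandatory)] $User)
    $req = @($User.StrongAuthenticationRequirements)
    if ($req.Count -gt 0 -and $req[0] -and $req[0].State) { "$($req[0].State)" } else { 'Disabled' }
}

function Select-MfaTarget {
    # The article's filter (licensed, no *EXT* guests, no *Sync* accounts) plus a state check.
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $upn = $User.UserPrincipalName
        if ($User.IsLicensed -and $upn -notlike '*EXT*' -and $upn -notlike '*Sync*' -and
            (Get-MfaState -User $User) -eq 'Disabled') { $User }
    }
}

function Enable-MfaWhereDisabled {
    # Without -Apply this only reports who would be changed (dry run).
    param([switch] $Apply)
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = '*'
    $st.State = 'Enabled'
    Get-MsolUser -All | Select-MfaTarget | ForEach-Object {
        if ($Apply) {
            Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($st)
        }
        [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; Applied = [bool]$Apply }
    }
}

# Constructed sample users, so the selection logic can be checked without a tenant.
$enforced = @([pscustomobject]@{ State = 'Enforced' })
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@collabcan.com'; IsLicensed = $true; StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@collabcan.com'; IsLicensed = $true; StrongAuthenticationRequirements = $enforced }
    [pscustomobject]@{ UserPrincipalName = 'bob_gmail.com#EXT#@collabcan.onmicrosoft.com'; IsLicensed = $true; StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'Sync_SRV01_0a1b2c@collabcan.onmicrosoft.com'; IsLicensed = $false; StrongAuthenticationRequirements = @() }
)
$sample | Select-MfaTarget | ForEach-Object { "would enable MFA for $($_.UserPrincipalName)" }
# Against a tenant: run Enable-MfaWhereDisabled first, review the list, then add -Apply.
```

After either loop has run, piping Get-MsolUser -All through Get-MfaState gives a quick check that every targeted account ended up in the expected state.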

Share if you liked it.

Reference
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Thanks,

Thiago Beier