O365 - Multifactor Auth - Access Authentication Phone via Powershell

Is is possible to get/set Authentication Phone via Powershell? I found some old documentation that says this is possible via the old MSOnline module but I cannot find anything in the new AzureAD module.

Old Property: StrongAuthenticationUserDetails

MSOnline Doc

enter image description here

3 Answers

Using below code, you can get a list of MFA enabled users with Authentication Phone number.

$Result=""
$Results=@()
Get-MsolUser -All | where{$_.StrongAuthenticationRequirements.State -ne ""}
| foreach{ $DisplayName=$_.DisplayName $MFAPhone=$_.StrongAuthenticationUserDetails.PhoneNumber
$Result=@{'DisplayName'=$DisplayName;'MFAPhone'=$MFAPhone}
$Results= New-Object PSObject -Property $Result
$Results | Select-Object DisplayName,MFAPhone | Export-CSV <FilePath> -Append -NoType
}

Else, you can try below PowerShell script.

enter image description here

4

A little rewrite of Kathy's answer

Get-MsolUser -All | where{ $_.StrongAuthenticationRequirements.State -ne ""
} | Select DisplayName,@{Name="MFAPhone";Expression={$_.StrongAuthenticationUserDetails.PhoneNumber}} | Export-CSV -NoType <Filename>
0

It is indeed, though it's important to note that the AzureAD module has not matured enough to replace the MSOnline (Msol) module altogether, yet.

To install the module please see later part of this page:

You need to create a StrongAuthenticationMethod object and use the Set-MsolUser cmdlet as follows:

I've written this script which contains all four strong authentication methods. Adjust as required.

# Check Msol module installed and imported
If ((Get-Module -Name MSOnline)[0] -eq $null) { Install-Module -Name MSOnline -Force -AllowClobber
}
else
{ Import-Module -Name MSOnline
}
# Popup login page if not logged in
Connect-MsolService
# Define variables (or adjust script to read from data source and loop)
$UserPrincipalName = ""
$MobileNumber = "+01 234 567 890"
$AlternateMobiles = @("+02 345 678 901", "+03 456 789 012")
# Create new SAM objects
<# Supported SAM types: OneWaySMS - Text code sent to mobile PhoneAppOTP - Authenticator code PhoneAppNotification - Push notification TwoWayVoiceMobile - Phone call Note: Probably not able to use the App methods unless enrolled
#>
$SAM1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
# Configure as required
$SAM1.IsDefault = $true # <<<< Is default method
$SAM1.MethodType = "OneWaySMS"
$SAM2.IsDefault = $false
$SAM2.MethodType = "PhoneAppOTP"
$SAM3.IsDefault = $false
$SAM3.MethodType = "PhoneAppNotification"
$SAM4.IsDefault = $false
$SAM4.MethodType = "TwoWayVoiceMobile"
$SAMethods = @($SAM1, $SAM2, $SAM3, $SAM4)
Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $SAMethods ` -MobilePhone $MobileNumber -AlternateMobilePhones $AlternateMobiles
2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like