Manage-MFA.ps1
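<#PSScriptInfo

.VERSION 1.4

.GUID ad963a82-8f68-4212-8a1d-dfbcceb60f52

.AUTHOR jiri.formacek@greycorbel.com

.COMPANYNAME GreyCorbel

.COPYRIGHT

.TAGS

.LICENSEURI

.PROJECTURI

.ICONURI

.EXTERNALMODULEDEPENDENCIES MSOnline

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

.PRIVATEDATA

#>

<#
.SYNOPSIS
Manages the state of per-user MFA in Azure AD for a given user, or checks the MFA status.

.DESCRIPTION
Helper script for user admins that manages the per-user MFA state (the
StrongAuthenticationRequirements / StrongAuthenticationMethods properties of the
MSOL user object) for users in the admin's scope of management.

Operation modes:
  Enable:             Enables per-user MFA (State = 'Enabled' for all relying parties),
                      which makes the user go through MFA onboarding again if not already done.
  Disable:            Removes all StrongAuthenticationRequirements, allowing the user to
                      sign in without per-user MFA.
  Reset:              Disable followed immediately by Enable. Emits two result objects
                      ('Disabled', then 'Enabled').
  CheckStatus:        Reports 'Disabled' or the State of the configured requirement.
  RequireContactInfo: Clears the user's registered contact methods, so the user must
                      provide contact information again on next sign-in.
  ListContactInfo:    Lists the contact methods configured for the user.

Security notes:
  - Disable, Reset and RequireContactInfo weaken or reset the user's second factor and are
    the classic steps of an MFA-takeover; run this only under a privileged, audited admin
    identity. These modes honour -WhatIf and -Confirm.
  - Only the per-user MFA settings are touched. Conditional Access policies or Security
    Defaults that may still require MFA are not changed by this script.
  - A user that cannot be found is reported as an error in Result, never as 'Disabled'.
  - NOTE(review): the MSOnline module is deprecated by Microsoft; plan a migration of this
    helper to Microsoft Graph.

.PARAMETER User
UserPrincipalName of the user to manage. Accepts pipeline input (one user per invocation;
use ForEach-Object for multiple users, as in the examples).

.PARAMETER Mode
Type of operation: Enable, Disable, Reset, CheckStatus, RequireContactInfo, ListContactInfo.

.OUTPUTS
PSCustomObject with properties User and Result. Result is a status string, the contact
method list (ListContactInfo), or the ErrorRecord when the operation failed.

.EXAMPLE
Manage-MFA.ps1 -User myuser@mydomain.com -Mode Enable

Description
-----------
This command enables MFA for user myuser@mydomain.com

.EXAMPLE
'myuser1@mydomain.com', 'myuser2@mydomain.com' | %{Manage-MFA.ps1 -User $_ -Mode CheckStatus}

Description
-----------
This command checks status of MFA for multiple users

.EXAMPLE
'myuser1@mydomain.com', 'myuser2@mydomain.com' | %{Manage-MFA.ps1 -User $_ -Mode RequireContactInfo}

Description
-----------
This command resets contact information for MFA for multiple users, requiring them to
provide contact information again upon next logon

.EXAMPLE
'myuser1@mydomain.com', 'myuser2@mydomain.com' | %{Manage-MFA.ps1 -User $_ -Mode ListContactInfo} | select User -expand Result

Description
-----------
This command retrieves contact information for MFA for multiple users

.EXAMPLE
Manage-MFA.ps1 -User myuser@mydomain.com -Mode Disable -WhatIf

Description
-----------
Shows what would be changed without disabling MFA
#>
[CmdletBinding(SupportsShouldProcess=$true)]
Param
(
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [string]
    #User you want to manage
    $User,

    [Parameter(Mandatory=$true)]
    [ValidateSet('Enable','Disable','Reset','CheckStatus','RequireContactInfo','ListContactInfo')]
    [string]
    #Type of operation: Enable, Disable, Reset, CheckStatus, RequireContactInfo, ListContactInfo
    $Mode
)

# Builds one result object. A fresh object is created per emitted result so that a
# later stage of Reset cannot overwrite a result that was already sent down the pipeline.
Function New-MfaResult
{
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$User,
        [Parameter(Mandatory=$false)]
        $Result
    )

    New-Object PSCustomObject -Property @{'User'=$User;'Result'=$Result}
}

# Performs the requested operation on a single user and emits result object(s).
# Write operations (Disable, Reset, Enable, RequireContactInfo) go through ShouldProcess,
# so -WhatIf / -Confirm on the script apply to them.
Function Manage-MFA
{
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$User,
        [Parameter(Mandatory=$true)]
        [ValidateSet('Enable','Disable','Reset','CheckStatus','RequireContactInfo','ListContactInfo')]
        [string]$Mode
    )

    process
    {
        if($Mode -eq 'RequireContactInfo')
        {
            # Clearing StrongAuthenticationMethods wipes the registered factors; the user
            # registers new ones at next sign-in. Whoever can run this can also register
            # their own factor for the user, hence the ShouldProcess gate.
            if($PSCmdlet.ShouldProcess($User, 'Clear MFA contact methods'))
            {
                try
                {
                    Set-MsolUser -UserPrincipalName $User -StrongAuthenticationMethods @() -ErrorAction Stop
                    New-MfaResult -User $User -Result 'ContactDataReset'
                }
                catch
                {
                    New-MfaResult -User $User -Result $_
                }
            }
            else
            {
                New-MfaResult -User $User -Result 'Skipped'
            }
        }

        if($Mode -eq 'Reset' -or $Mode -eq 'Disable')
        {
            # An empty StrongAuthenticationRequirements list turns per-user MFA off.
            # Conditional Access / Security Defaults are not affected by this call.
            if($PSCmdlet.ShouldProcess($User, 'Disable per-user MFA'))
            {
                try
                {
                    Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements @() -ErrorAction Stop
                    New-MfaResult -User $User -Result 'Disabled'
                }
                catch
                {
                    New-MfaResult -User $User -Result $_
                }
            }
            else
            {
                New-MfaResult -User $User -Result 'Skipped'
            }
        }

        if($Mode -eq 'Reset' -or $Mode -eq 'Enable')
        {
            # Build the requirement: State 'Enabled' for every relying party ('*').
            $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $requirement.State = 'Enabled'
            $requirement.RelyingParty = '*'

            if($PSCmdlet.ShouldProcess($User, 'Enable per-user MFA'))
            {
                try
                {
                    Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements @($requirement) -ErrorAction Stop
                    New-MfaResult -User $User -Result 'Enabled'
                }
                catch
                {
                    New-MfaResult -User $User -Result $_
                }
            }
            else
            {
                New-MfaResult -User $User -Result 'Skipped'
            }
        }

        if($Mode -eq 'CheckStatus')
        {
            try
            {
                # -ErrorAction Stop: an unknown or mistyped UPN must surface as an error.
                # Without it Get-MsolUser returns nothing, $null.Count is 0, and the user
                # would be wrongly reported as 'Disabled'.
                $msolUser = Get-MsolUser -UserPrincipalName $User -ErrorAction Stop
                $requirements = $msolUser.StrongAuthenticationRequirements
                if($requirements.Count -eq 0)
                {
                    $status = 'Disabled'
                }
                else
                {
                    $status = $requirements.State
                }
                New-MfaResult -User $User -Result $status
            }
            catch
            {
                New-MfaResult -User $User -Result $_
            }
        }

        if($Mode -eq 'ListContactInfo')
        {
            try
            {
                # Same reasoning as CheckStatus: never report a missing user as having
                # no contact methods.
                $msolUser = Get-MsolUser -UserPrincipalName $User -ErrorAction Stop
                $methods = $msolUser.StrongAuthenticationMethods
                if($methods.Count -eq 0)
                {
                    New-MfaResult -User $User -Result 'NoContactMethodsAvailable'
                }
                else
                {
                    New-MfaResult -User $User -Result $methods
                }
            }
            catch
            {
                New-MfaResult -User $User -Result $_
            }
        }
    }
}

# Ensure we're connected to MSOnline: a cheap read fails when there is no session,
# in which case an interactive Connect-MsolService is started.
Get-MsolUser -MaxResults 1 -ErrorAction SilentlyContinue | Out-Null
if(!$?)
{
    Connect-MsolService
}

# Script-level -WhatIf / -Confirm propagate to the function via the preference variables.
# NOTE(review): the pipeline continues past the end of the visible source; kept verbatim.
Manage-MFA -User $User -Mode $Mode |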