If you find yourself needing to prompt one of your AAD users to re-set up their MFA method, then the following script should serve that purpose.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
function Reset-AADUserMFA() { param ( [Parameter(Mandatory=$true)] [string] $DirAdminUsername , [Parameter(Mandatory=$true)] [string] $DirAdminPassword , [Parameter(Mandatory=$true)] [string] $UPNToReset ) Write-Host "Checking for AD Powershell module" #You'll need to follow the guide here https://technet.microsoft.com/library/jj151815.aspx#bkmk_installmodule $poshAdFound = get-item $env:SystemRootSystem32WindowsPowerShellv1.0ModulesMSOnlineMicrosoft.Online.Administration.Automation.PSModule.dll -ErrorAction SilentlyContinue if ($poshAdFound -eq $null) { Write-Host "AD Powershell module not found, install it from here. https://technet.microsoft.com/library/jj151815.aspx#bkmk_installmodule" exit} Write-Host "Connecting to AD directory" $securePwString = $DirAdminPassword | ConvertTo-SecureString -AsPlainText -Force $AdminUserPassword = $null $Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $DirAdminUsername, $securePwString Connect-MsolService -credential $Credential Write-Host "Getting Msol User" $msolUser = Get-MsolUser -UserPrincipalName $UPNToReset $mfaRequirements = $msolUser.StrongAuthenticationRequirements Write-Host "Clearing user Mfa Requirements" Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements @() Write-Host "Re-enable Mfa Requirements" Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements $mfaRequirements } Reset-AADUserMFA -DirAdminUsername "nonmfaadmin@myazureaddirectory.onmicrosoft.com" -DirAdminPassword "mypassword" -UPNToReset "auser@myazureaddirectory.onmicrosoft.com" |
Cloud Solution Architect at Microsoft in the UK.
Does this apply to AAD B2C with MFA enforced through a Sign-in policy? It doesn’t appear that the StrongAuthenticationRequirements attribute is set in this case. We are looking for a way to have our support staff be able to reset the MFA phone number. Our only solution so far is to have a global admin reset the phone number through the portal. Thanks for your help!