Resetting a user's Azure AD multi-factor authentication (MFA) requirement
2016, Jun 28
If you need to prompt one of your Azure AD users to re-register their MFA method, the following script does it by clearing and then restoring the user's per-user MFA requirement (StrongAuthenticationRequirements) through the MSOnline module. Two caveats: it only affects per-user MFA state, so a user whose MFA comes from elsewhere (for example Conditional Access) has nothing for it to toggle, and the admin account it connects with must be able to sign in non-interactively with a username and password, which is why the example uses an admin that is not itself MFA-prompted — treat that account's credentials as highly sensitive and never leave them hard-coded in the script.
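function Reset-AADUserMFA() {
<#
.SYNOPSIS
    Forces an Azure AD user to re-register MFA by clearing and restoring their
    per-user StrongAuthenticationRequirements through the MSOnline module.
.DESCRIPTION
    Connects to MSOnline as a directory admin, reads the target user's current
    StrongAuthenticationRequirements, sets them to an empty list, then writes the
    saved requirements back. Nothing else about the user is changed.
.PARAMETER DirAdminUsername
    UPN of the directory admin used for the connection ('PlainText' set).
.PARAMETER DirAdminPassword
    Password for that admin as a plain string ('PlainText' set). Prefer
    -Credential: a plain-string password lands in shell history, transcripts
    and the process command line.
.PARAMETER Credential
    PSCredential for the directory admin ('Credential' set). The account must be
    able to authenticate non-interactively with Connect-MsolService -Credential.
.PARAMETER UPNToReset
    UPN of the user whose per-user MFA requirement is cleared and restored.
.NOTES
    Only per-user MFA state is touched. If the user has no
    StrongAuthenticationRequirements (for example because MFA is applied through
    Conditional Access instead), the toggle is a no-op and a warning is written.
    If the clear succeeds but the restore fails, the function throws with an
    explicit message, because the user is then left without a per-user MFA
    requirement and that must not go unnoticed.
#>
    [CmdletBinding(DefaultParameterSetName = 'PlainText')]
    param (
        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = 'PlainText')]
        [string] $DirAdminUsername,
        [Parameter(Mandatory = $true, Position = 1, ParameterSetName = 'PlainText')]
        [string] $DirAdminPassword,
        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = 'Credential')]
        [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory = $true, Position = 2)]
        [string] $UPNToReset
    )

    Write-Host "Checking for AD Powershell module"
    # Ask PowerShell for the module rather than probing a hard-coded DLL path.
    # Throw instead of 'exit': in the original, 'exit' on the same line as
    # Write-Host was parsed as an extra argument to Write-Host, so a missing
    # module was never fatal and the script ran on to fail later.
    if (-not (Get-Module -ListAvailable -Name MSOnline)) {
        throw "MSOnline PowerShell module not found; install it from https://technet.microsoft.com/library/jj151815.aspx#bkmk_installmodule"
    }

    if ($PSCmdlet.ParameterSetName -eq 'PlainText') {
        # A [string] cannot be reliably scrubbed from memory; this only keeps
        # the secret out of further plain-string copies, not out of the caller.
        $securePw = ConvertTo-SecureString -String $DirAdminPassword -AsPlainText -Force
        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $DirAdminUsername, $securePw
    }

    Write-Host "Connecting to AD directory"
    # Stop on authentication failure here; otherwise Get-MsolUser fails further
    # down with a less obvious "not connected" error.
    Connect-MsolService -Credential $Credential -ErrorAction Stop

    Write-Host "Getting Msol User"
    $msolUser = Get-MsolUser -UserPrincipalName $UPNToReset -ErrorAction Stop
    if ($null -eq $msolUser) {
        throw "No user found with UPN '$UPNToReset'"
    }

    # Snapshot before clearing; @() guarantees an array even for a single item.
    $mfaRequirements = @($msolUser.StrongAuthenticationRequirements)
    if ($mfaRequirements.Count -eq 0) {
        Write-Warning "User '$UPNToReset' has no per-user StrongAuthenticationRequirements; clearing and restoring them will not change anything."
    }

    Write-Host "Clearing user Mfa Requirements"
    Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements @() -ErrorAction Stop

    try {
        Write-Host "Re-enable Mfa Requirements"
        Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements $mfaRequirements -ErrorAction Stop
    }
    catch {
        # The clear succeeded but the restore did not: the user is currently
        # left without a per-user MFA requirement. Make that loud.
        throw "Failed to restore MFA requirements for '$UPNToReset'; the user is currently left without a per-user MFA requirement and it must be re-applied manually. $_"
    }
}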
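# Prompt for the admin credential instead of embedding the password in the
# script: a literal password here ends up in source control, backups and
# anything that reads the file. The admin used must be able to sign in with
# Connect-MsolService -Credential, i.e. without an interactive MFA prompt.
$adminCred = Get-Credential -Message "Directory admin used to reset MFA"
Reset-AADUserMFA -DirAdminUsername $adminCred.UserName -DirAdminPassword $adminCred.GetNetworkCredential().Password -UPNToReset "auser@myazureaddirectory.onmicrosoft.com"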