Resetting a user's Azure AD multi-factor authentication (MFA) requirement

2016, Jun 28    

If you find yourself needing to prompt one of your AAD users to set up their MFA method again, the following script should serve that purpose. It uses the (legacy) MSOnline module and signs in with a directory-admin account that is not itself subject to MFA — `Connect-MsolService` with a `PSCredential` cannot complete an interactive MFA challenge — so treat that account's password with care and do not hard-code it in the script.

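function Reset-AADUserMFA() {
    <#
    .SYNOPSIS
        Prompts an Azure AD user to set up MFA again by clearing and then
        re-applying their per-user StrongAuthenticationRequirements.
    .DESCRIPTION
        Connects to the MSOnline (legacy Azure AD) service with the supplied
        directory-admin credential, reads the target user's current
        StrongAuthenticationRequirements, clears them, then writes them back.
        NOTE(review): the admin account must not itself be subject to MFA, as
        Connect-MsolService with a PSCredential cannot answer an interactive
        MFA prompt. MSOnline is a legacy module; newer tenants presumably need
        the Microsoft Graph equivalent — confirm against current Microsoft docs.
    .PARAMETER DirAdminUsername
        UPN of the directory admin used for Connect-MsolService.
    .PARAMETER DirAdminPassword
        Plain-text password for DirAdminUsername. SECURITY: a plain-text string
        parameter is visible at the call site, in transcripts/command history
        and in process-argument listings. Obtain it at the call site via
        Get-Credential rather than hard-coding it in a script.
    .PARAMETER UPNToReset
        UPN of the user whose MFA requirement is reset.
    .OUTPUTS
        None. Progress is written to the host; failures throw.
    #>
    param (
        [Parameter(Mandatory=$true)]
        [string] $DirAdminUsername ,
        [Parameter(Mandatory=$true)]
        [string] $DirAdminPassword ,
        [Parameter(Mandatory=$true)]
        [string] $UPNToReset
    )

    Write-Host "Checking for AD Powershell module"
    # Install guide: https://technet.microsoft.com/library/jj151815.aspx#bkmk_installmodule
    # Get-Module -ListAvailable replaces probing a hard-coded DLL path, which
    # breaks when the path separators are lost (as in the original listing) or
    # when the module is installed somewhere else.
    $poshAdFound = Get-Module -ListAvailable -Name MSOnline
    if ($null -eq $poshAdFound) {
        # The original wrote `Write-Host "..." exit` — "exit" was parsed as an
        # argument to Write-Host, so the script carried on without the module.
        # A terminating error stops the caller instead.
        throw "AD Powershell module not found, install it from here. https://technet.microsoft.com/library/jj151815.aspx#bkmk_installmodule"
    }

    Write-Host "Connecting to AD directory"
    $securePwString = $DirAdminPassword | ConvertTo-SecureString -AsPlainText -Force
    # Drop the plain-text copy from this scope once the SecureString exists
    # (the original nulled an unrelated, never-assigned variable instead).
    $DirAdminPassword = $null
    # ASCII hyphens: the original used Unicode en-dashes before -TypeName and
    # -ArgumentList, which PowerShell tolerates but which break on copy/paste.
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $DirAdminUsername, $securePwString
    # -ErrorAction Stop: without it a failed sign-in only prints an error and
    # the Set-MsolUser calls below still run against no session.
    Connect-MsolService -Credential $Credential -ErrorAction Stop

    Write-Host "Getting Msol User"
    $msolUser = Get-MsolUser -UserPrincipalName $UPNToReset -ErrorAction Stop
    $mfaRequirements = $msolUser.StrongAuthenticationRequirements

    if ($null -eq $mfaRequirements -or $mfaRequirements.Count -eq 0) {
        # Nothing to clear and nothing to restore: the account has no per-user
        # requirement set (MFA may presumably be enforced by another mechanism
        # this cmdlet does not touch). Say so instead of silently doing nothing.
        Write-Warning "User '$UPNToReset' has no per-user StrongAuthenticationRequirements; nothing reset."
        return
    }

    Write-Host "Clearing user Mfa Requirements"
    Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements @() -ErrorAction Stop

    Write-Host "Re-enable Mfa Requirements"
    # Writing the saved requirements back is, per this post, what makes the
    # user set up their MFA method again.
    Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements $mfaRequirements -ErrorAction Stop
}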

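# Do not hard-code the admin password in the script: prompt for it at run time.
# The account must be a directory admin that is not itself subject to MFA (the
# original example used "nonmfaadmin@..."), because Connect-MsolService with a
# PSCredential cannot complete an interactive MFA challenge.
$adminCred = Get-Credential -Message "Azure AD directory admin (non-MFA) account"
Reset-AADUserMFA -DirAdminUsername $adminCred.UserName -DirAdminPassword $adminCred.GetNetworkCredential().Password -UPNToReset "auser@myazureaddirectory.onmicrosoft.com"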