Azure MFA – Enabling Users with PowerShell

This post is part of a series, for the series contents see: Azure MFA

Permissions

With all the vital components in place I can now MFA enable a user but in order to do so I need an account with Global Admin rights over my Azure AD.

I think this is pretty ridiculous because, for me, enabling/disabling users for MFA should be a standard first line help desk activity and I reckon most organisations won’t be giving their first line teams full Global Admin rights.  It doesn’t really fit within a role based access model.  I raised it with Microsoft and, thankfully, was told that more granular permissions are on the way by the end of the year (2017 at the time of writing) so, hopefully soon, if not already, it’ll be possible to give MFA enablement rights to custom admin roles or those permissions will be added into the user administrator role.

In my case I decided to give my test “itadmin” account those rights so I logged into the portal and changed to my irankon directory.

MFA Enable Directory Choice

Then I went to my itadmin user and in the roles section gave them full Global Admin rights:

MFA Enable Global Admin

Enabling a User

The first step is to get connected up to Azure AD


#Get connected up to Azure AD using Global Admin Credentials
Import-Module MSOnline

$Credential = Get-Credential

Connect-MsolService -Credential $Credential

Next up, define the authentication options, including setting MFA to be enabled:


#First define auth options
$auth = New-Object `
-TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"

#Set the option to enable MFA
$auth.State = "Enabled"

#Set MFA so that as of the current date
#devices issued to the user will also require MFA
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

Then, finally, let’s bring it all together to enable our itadmin user:


#Next define our user and enable them for MFA
$UserPrincipleName = "itadmin@irankon.tk"

Set-MsolUser `
​-UserPrincipalName $UserPrincipleName `
-StrongAuthenticationRequirements $auth

Now when “itadmin” next logs in they will be prompted to set themselves up with a second factor of authentication.

Disabling Users

This is going to be short and sweet!

To disable a user for MFA you just need to clear their “StrongAuthenticationRequirements” setting:


#Disable the user:
Set-MsolUser `
​-UserPrincipalName $UserPrincipleName `
-StrongAuthenticationRequirements @()

Licensing Users

As mentioned before there are pretty much three ways to sort out your Azure MFA licensing:

  1. Purchase MFA specific licenses and assign them to your users.  With this method you don’t need to create a cloud based MFA provider, in fact, if you do, you could end up paying twice.
  2. Purchase license bundles that include MFA such as Azure AD Premium (P1 or P2), E5, or EMS + Security E3 licenses.  Again, with this method you don’t need to create a cloud based MFA provider.
  3. Setup a cloud based MFA provider and pay on an Opex/Capacity basis, either per user using that provider or per authentication.

There’s a Microsoft article that probably explains it better than I do here.

If you’re doing either of the first two options then you’re going to want to give your users a license so here’s the PowerShell for that.

First of all, you will want to check the licenses you have available to you by running:


#Verify what licenses you have with:
Get-MsolAccountSku

Results will be returned in the format domain:licenseSKU so, for example:

irankontk:MFA_STANDALONE

You can then add that license SKU to a user with:


Set-MsolUserLicense `
-UserPrincipalName $UserPrincipleName `
-AddLicenses “irankontk:MFA_STANDALONE”

With some of the more complex license packs, such as EMS, you might want to add just one part of that pack but not the rest.  To do that you need to define some license options that identify the bits you want to exclude:


#Define the options we want, in our case MFA only
$licenseOptions = New-MsolLicenseOptions `
-AccountSkuId irankontk:EMS `
-DisabledPlans RMS_S_PREMIUM,INTUNE_A,RMS_S_ENTERPRISE,AAD_PREMIUM

Then use those exclusions when adding a license to a user:


#Apply a license using those options
Set-MsolUserLicense `
-UserPrincipalName $UserPrincipleName `
-AddLicenses irankontk:EMS `
-LicenseOptions $licenseOptions

And that’s it.  I’ll post a tool belt style script in an upcoming entry that puts the licensing and enablement code into functions so it can be run against batches of users to setup them up.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: