Automate AzureAD Multifactor Authentication Enrollment
Overview
This article covers how to automatically enroll users in your Azure AD environment in multi-factor authentication (MFA). This is achieved using PowerShell and the Microsoft Graph API. The example uses SMS-based MFA. You can also use the Microsoft Authenticator app alongside SMS, but enrollment of app-based MFA cannot be automated.
Requirements
- Account with Graph API permission UserAuthenticationMethod.ReadWrite.All
- List of users with UPN and phone numbers (example CSV below)
- Phone number format needs to be country code + phone number with no spaces
- ActiveDirectory PowerShell module (only needed if you also want to add the users to an on-premises AD group)
Example list of users
| UPN | Number |
| --- | --- |
| user1@domain.com | 0400123456 |
| user2@domain.com | 0400123457 |
Connecting to MS Graph
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta
If the connection succeeds, you should see the message "Welcome to Microsoft Graph!".
Add MFA method & add user to AD group (optional)
Import-Module ActiveDirectory
$csv = Import-Csv C:\temp\users.csv
foreach ($row in $csv) {
    $upn = $row.UPN
    # The CSV holds local numbers; prefix the country code (Australia in this example)
    $number = "+61" + $row.Number
    New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneType "mobile" -PhoneNumber $number
    # Add-ADGroupMember needs an AD user object, not the raw CSV row, so look the user up by UPN
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
    Add-ADGroupMember -Identity "MFA_Users" -Members $adUser
}
To confirm this worked, you can check using the command
Get-MgUserAuthenticationPhoneMethod -UserId user1@domain.com
Id PhoneNumber PhoneType SmsSignInState
-- ----------- --------- --------------
00000000-0000-0000-0000-000000000000 +61 0400123456 mobile notAllowedByPolicy
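The loop above calls Graph blindly for every row. The following is an added example (not from the original article) that validates each number first, skips users who already hold a mobile method (Graph allows only one), and writes a results CSV as an audit trail. It assumes Connect-MgGraph has already succeeded, the UPN and Number columns from the CSV above, and the "+<country code> <number>" format that the Get-MgUserAuthenticationPhoneMethod output above shows.

```powershell
# Added example: validated, idempotent SMS MFA enrollment from the article's CSV layout.
function ConvertTo-GraphPhoneNumber {
    param([string]$LocalNumber, [string]$CountryCode = '+61')
    $digits = $LocalNumber -replace '\D', ''              # drop spaces, dashes, brackets
    if ($digits -notmatch '^\d{9,10}$') { return $null }  # reject obvious garbage early
    # Graph stores numbers as "+<country code> <number>", as in the output shown above
    return "$CountryCode $digits"
}

function Register-MfaPhone {
    param([Parameter(Mandatory)][string]$CsvPath)
    $results = foreach ($row in Import-Csv $CsvPath) {
        $upn    = $row.UPN.Trim()
        $number = ConvertTo-GraphPhoneNumber -LocalNumber $row.Number
        if (-not $number) {
            [pscustomobject]@{ UPN = $upn; Status = 'InvalidNumber'; Number = $row.Number }
            continue
        }
        try {
            # Idempotency: a user can only have one mobile method, so skip if one exists
            $existing = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction Stop |
                Where-Object PhoneType -eq 'mobile'
            if ($existing) {
                [pscustomobject]@{ UPN = $upn; Status = 'AlreadyEnrolled'; Number = $existing.PhoneNumber }
                continue
            }
            $m = New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneType 'mobile' `
                    -PhoneNumber $number -ErrorAction Stop
            [pscustomobject]@{ UPN = $upn; Status = 'Enrolled'; Number = $m.PhoneNumber }
        }
        catch {
            # Typical causes: unknown UPN, missing UserAuthenticationMethod.ReadWrite.All, rejected number
            [pscustomobject]@{ UPN = $upn; Status = "Error: $($_.Exception.Message)"; Number = $number }
        }
    }
    # Keep a record of who the script enrolled, skipped or failed on
    $results | Export-Csv -Path ($CsvPath -replace '\.csv$', '-results.csv') -NoTypeInformation
    return $results
}

Register-MfaPhone -CsvPath 'C:\temp\users.csv' | Format-Table -AutoSize
```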
More information
You can refer to the official Microsoft Graph API documentation for the New-MgUserAuthenticationPhoneMethod cmdlet.
Conclusion
Thanks for reading this article. I'm new to public technical writeups, and hope to grow through consistency, reading other blogs and receiving feedback.