We've been asked many times to do a bulk pre-registration for Azure Active Directory MFA, to give our customers' users a more seamless single sign-on experience and a smoother MFA rollout.
This script helps you to:

  1. Configure MFA Strong Authentication Methods.
  2. Set a default MFA authentication method for all users or for a subset of users.
  3. Update the mobile number for a list of users.
  4. Update Strong Authentication Methods for a list of users.
  5. Get MFA Strong Authentication details for all users.
  6. Get MFA authentication contact info where the phone number is null.
  7. Update the mobile number only if the user has no mobile number set.

NOTE: Before we proceed with MFA and SSPR enablement and configuration, keep in mind that users will be able to change their authentication mobile phone number whenever they need to. Admins have no control over the authentication mobile phone number: they can pre-define it, but users will still be able to change it.


Keep in mind:

  • If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values are persisted in the Authentication Phone and Authentication Email fields, respectively.
  • If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow.
  • The Alternate phone field isn't used for password reset.
  • If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.
  • If the Alternate email field is populated and Email is enabled in the SSPR policy, the user won't see that email on the password reset registration page, but they see it during the password reset workflow.

Download here.

Script in detail
Parameters

$UsersCSV = "<Users CSV File Path>"   # Example: C:\Temp\UsersMFA.csv
$OutPutFolder = "C:\Temp"             # Example: C:\Temp

If the user's mobile exists (Azure AD users where the Mobile attribute is NOT null):

# -All $true is needed: without it Get-AzureADUser returns only the first 100 users
Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -ne $null }

  
Bulk Pre-Register MFA For Users Without Forcing MFA
If the user's mobile does not exist (Azure AD users where the Mobile attribute is null):

Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -eq $null }

Get all users' details:

Get-AzureADUser -All $true | Select-Object DisplayName, UserPrincipalName, OtherMails, Mobile, TelephoneNumber | Format-Table

List users' "Authentication contact info" attributes from Azure AD:

# Export-Csv is used instead of Format-Table | Out-File so the .csv file is really a CSV
Get-MsolUser -All | Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails | Select-Object DisplayName, PhoneNumber, Email | Export-Csv -Path "$OutPutFolder\StrongAuthenticationUserDetails.csv" -NoTypeInformation -Verbose

List users' "Authentication contact info" attributes from Azure AD where the phone number is null:

Get-MsolUser -All | Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails | Where-Object { $_.PhoneNumber -eq $null } | Select-Object DisplayName, PhoneNumber, Email | Export-Csv -Path "$OutPutFolder\StrongAuthenticationUserPhoneNumberNull.csv" -NoTypeInformation -Verbose

StrongAuthenticationUserPhoneNumber file details
List users' "Strong Authentication Methods" attributes from Azure AD:

Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName -ExpandProperty StrongAuthenticationMethods | Select-Object UserPrincipalName, IsDefault, MethodType

All users who have signed up for SSPR:

Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -ne $null }

All users who have not signed up for SSPR:

Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -eq $null }
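The reporting queries above can be combined into a single per-user report. This is an added example, not code from the original post: it assumes Connect-MsolService has already been run and that $OutPutFolder is set as in the Parameters section; the function name and the output file name are my own.

```powershell
# Added example: one row per user with registered MFA methods, default method,
# authentication phone/email and whether any method exists at all.
# Assumes Connect-MsolService has already been run.
function Get-MfaRegistrationReport {
    param([string]$OutPutFolder = "C:\Temp")

    $report = Get-MsolUser -All | ForEach-Object {
        # Filter out $null so an unregistered user yields an empty array, not @($null)
        $regMethods = @($_.StrongAuthenticationMethods | Where-Object { $null -ne $_ })
        $default    = $regMethods | Where-Object { $_.IsDefault } | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DisplayName       = $_.DisplayName
            MethodCount       = $regMethods.Count
            Methods           = ($regMethods.MethodType -join ';')
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
            AuthPhone         = $_.StrongAuthenticationUserDetails.PhoneNumber
            AuthEmail         = $_.StrongAuthenticationUserDetails.Email
            SsprRegistered    = [bool]$_.StrongAuthenticationUserDetails
            # No method registered: these are the users who would be prompted cold
            # if MFA were enforced, i.e. the candidates for pre-registration
            NeedsRegistration = ($regMethods.Count -eq 0)
        }
    }

    $report | Export-Csv -Path (Join-Path $OutPutFolder 'MfaRegistrationReport.csv') -NoTypeInformation
    return $report
}

# Users with no registered method, usable as the input list for the pre-registration steps
Get-MfaRegistrationReport -OutPutFolder $OutPutFolder | Where-Object NeedsRegistration | Format-Table
```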

Update the mobile number for a list of users:

Import-Csv -Path $UsersCSV | ForEach-Object {
    Set-AzureADUser -ObjectId $_.UserPrincipalName -Mobile $_.Mobile -ErrorAction SilentlyContinue
}

Microsoft StrongAuthenticationMethod parameters

# Build the method set to register; exactly one method should have IsDefault = $true
$OneWaySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$OneWaySMS.IsDefault = $false
$OneWaySMS.MethodType = "OneWaySMS"
$TwoWayVoiceMobile = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$TwoWayVoiceMobile.IsDefault = $true
$TwoWayVoiceMobile.MethodType = "TwoWayVoiceMobile"
$PhoneAppNotification = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$PhoneAppNotification.IsDefault = $false
$PhoneAppNotification.MethodType = "PhoneAppNotification"
$PhoneAppOTP = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$PhoneAppOTP.IsDefault = $false
$PhoneAppOTP.MethodType = "PhoneAppOTP"
$methods = @($OneWaySMS, $TwoWayVoiceMobile, $PhoneAppNotification, $PhoneAppOTP)
 
Set default Strong Authentication Methods for a list of users:

# -ErrorAction belongs on Set-MsolUser, inside the script block, not on ForEach-Object
Import-Csv -Path $UsersCSV | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationMethods $methods -ErrorAction SilentlyContinue
}

Pre-register authentication info for a list of users:

Import-Csv -Path $UsersCSV | ForEach-Object {
    Set-AzureADUser -ObjectId $_.UserPrincipalName -OtherMails $_.OtherMails -Mobile $_.Mobile -TelephoneNumber $_.TelephoneNumber -ErrorAction SilentlyContinue
}
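The "Update mobile number", "Set default Strong Authentication Methods" and "Pre-register authentication info" steps above, plus item 7 from the list at the top (only fill Mobile when the user has none, so a number the user chose themselves is not overwritten), combined into one pass with a per-user result file. This is an added example, not code from the original post: it assumes Connect-AzureAD and Connect-MsolService have been run, that $methods is defined as above, and that the CSV has the columns UserPrincipalName, Mobile, OtherMails (semicolon-separated) and TelephoneNumber; the function name and result file name are my own.

```powershell
# Added example: CSV-driven pre-registration that keeps an existing Mobile by default
# and records per user what was changed, instead of swallowing errors silently.
# Assumes Connect-AzureAD / Connect-MsolService have run and $methods is defined above.
function Invoke-MfaPreRegistration {
    param(
        [Parameter(Mandatory)][string]$UsersCSV,
        [string]$OutPutFolder = "C:\Temp",
        [switch]$OverwriteMobile   # off by default: a mobile the user already set wins
    )

    $results = Import-Csv -Path $UsersCSV | ForEach-Object {
        $upn = $_.UserPrincipalName
        $row = [pscustomobject]@{ UserPrincipalName = $upn; Action = ''; Error = '' }
        try {
            $user   = Get-AzureADUser -ObjectId $upn
            $params = @{ ObjectId = $user.ObjectId }
            if ($_.TelephoneNumber) { $params.TelephoneNumber = $_.TelephoneNumber }
            if ($_.OtherMails)      { $params.OtherMails = @($_.OtherMails -split ';') }

            # Item 7 from the list above: only fill Mobile if the account has none
            if ($_.Mobile -and ($OverwriteMobile -or -not $user.Mobile)) {
                $params.Mobile = $_.Mobile
                $row.Action = 'MobileSet;'
            } else {
                $row.Action = 'MobileKept;'
            }
            Set-AzureADUser @params -ErrorAction Stop

            # Register the method set built above so the user is not prompted cold later
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $methods -ErrorAction Stop
            $row.Action += 'MethodsSet'
        } catch {
            # Here $_ is the error record, not the CSV row
            $row.Error = $_.Exception.Message
        }
        $row
    }

    $results | Export-Csv -Path (Join-Path $OutPutFolder 'MfaPreRegistrationResults.csv') -NoTypeInformation
    return $results
}

Invoke-MfaPreRegistration -UsersCSV $UsersCSV -OutPutFolder $OutPutFolder | Format-Table
```

Rows with a non-empty Error column are the users to re-check by hand (typically a UPN that does not resolve or a licence/permission problem).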

administrator

Microsoft MVP | Speaker | Azure Service Delivery Lead at Bespin Global MEA, helping customers build successful Azure practices. Talks about #AzureCloud and #AI