Security Focus: Enable / Disable MFA on Azure AD Admin Account
Last week I presented a little function that I use to reset my Azure AD admin account passwords.
This week I want to show how to enable / disable Multi-Factor Authentication (MFA) on an Azure AD account.
Enable
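# Build a strong authentication requirement that applies to all relying parties
$St = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$St.RelyingParty = "*"
# Set-MsolUser expects an array of requirements
$Sta = @($St)
Set-MsolUser -UserPrincipalName ifarr@contoso.com -StrongAuthenticationRequirements $Sta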
Disable
# An empty array clears the user's strong authentication requirements
$Sta = @()
Set-MsolUser -UserPrincipalName ifarr@contoso.com -StrongAuthenticationRequirements $Sta
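Because the Disable snippet leaves an admin account without per-user MFA until someone turns it back on, it helps to be able to list admin accounts in that state. The following is an added example, not code from the original post: the function name Get-AdminMfaReport and its default role list are assumptions, and it expects the MSOnline module with an existing Connect-MsolService session.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run.
function Get-AdminMfaReport {
    [CmdletBinding()]
    param(
        # Role display names to audit. This default is an assumption; adjust per tenant.
        # "Company Administrator" is the MSOnline name for Global Administrator.
        [string[]]$RoleName = @('Company Administrator')
    )

    foreach ($name in $RoleName) {
        $role = Get-MsolRole -RoleName $name
        if (-not $role) {
            Write-Warning "Role '$name' not found"
            continue
        }

        # Role members can also be groups or service principals; keep users only.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
            Where-Object { $_.RoleMemberType -eq 'User' }

        foreach ($m in $members) {
            $user = Get-MsolUser -ObjectId $m.ObjectId

            # An empty requirements collection is what the "Disable" snippet leaves behind.
            $state = $user.StrongAuthenticationRequirements.State
            if (-not $state) { $state = 'Disabled' }

            [pscustomobject]@{
                Role              = $name
                UserPrincipalName = $user.UserPrincipalName
                MfaState          = $state -join ','
                # Number of verification methods the user has registered so far
                MethodsRegistered = ($user.StrongAuthenticationMethods | Measure-Object).Count
            }
        }
    }
}

# List admin accounts whose per-user MFA is currently off.
Get-AdminMfaReport | Where-Object MfaState -eq 'Disabled'
```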
Comments
- Anonymous
February 10, 2017
Great stuff
Thanks
- Anonymous
March 14, 2017
Exactly what I was looking for, how to disable MFA for O365 user via PowerShell.
- Anonymous
October 24, 2017
Hi Ian,
Enforcing MFA still requires the user to provide the additional security verification details themselves... Preferably, I would pre-populate those fields with the known Email and Mobile Phone number. I've been able to set up these details in a local object (see snippet below), but how do I update the user with this?!?
Thanks for your reply!
# Set MFA User Details?
$sad = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationUserDetails
$sad.PhoneNumber = $user.MobilePhone
$sad.Email = $user.AlternateEmailAddresses
$sad
# -> How to SET the MFA properties to the User?!? Set-MsolUser has no parameter to do so...
- Anonymous
November 19, 2018
Is there any single command to disable MFA for all users …?