Update-EntraBetaUserAuthenticationRequirement
Update the MFA Status of a user.
Syntax
Update-EntraBetaUserAuthenticationRequirement
-UserId <String>
-PerUserMfaState <String>
[<CommonParameters>]
Description
The Update-EntraBetaUserAuthenticationRequirement cmdlet is used to update the MFA status of a user.
Note: Enabled users automatically switch to Enforced once they register for Microsoft Entra MFA. Avoid manually setting a user to Enforced unless they're already registered or it’s acceptable for them to experience interruptions with legacy authentication protocols.
In delegated scenarios with work or school accounts, where the signed-in user acts on behalf of another user, they must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles are supported:
- Authentication Administrator
- Privileged Authentication Administrator
Examples
Example 1: Update the MFA status of a user
Connect-Entra -Scopes 'Policy.ReadWrite.AuthenticationMethod'
Update-EntraBetaUserAuthenticationRequirement -UserId 'SawyerM@Contoso.com' -PerUserMfaState 'enabled'
This command updates the MFA status of a user.
- -UserId parameter specifies the ID (as a User Principal Name or ObjectId) of a user in Microsoft Entra ID.
- -PerUserMfaState parameter specifies the user's status for per-user multifactor authentication, with possible values: enforced, enabled, or disabled.
Parameters
-PerUserMfaState
The user's status for per-user multifactor authentication, with possible values: enforced, enabled, or disabled.
- Disabled: The default state for a user not enrolled in per-user Microsoft Entra multifactor authentication.
- Enabled: The user is enrolled in per-user Microsoft Entra multifactor authentication, but can still use their password for legacy authentication. If the user has no registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as when they sign in on a web browser).
- Enforced: The user is enrolled per-user in Microsoft Entra multifactor authentication. If the user has no registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as when they sign in on a web browser). Users who complete registration while they're Enabled are automatically moved to the Enforced state.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UserId
Specifies the ID (as a User Principal Name or ObjectId) of a user in Microsoft Entra ID.
Type: | System.String |
Aliases: | ObjectId |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Notes
Enabled users are automatically switched to Enforced when they register for Microsoft Entra multifactor authentication. Don't manually change the user state to Enforced unless the user is already registered or if it's acceptable for the user to experience interruption in connections to legacy authentication protocols.
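The guidance above about Enforced can be built into a wrapper, shown here as an added example and not code from the Microsoft Entra PowerShell module. The function name Set-PerUserMfaStateSafely, its MfaRegistered and AllowLegacyAuthInterruption parameters, and the second sample user are assumptions; the caller is assumed to know each user's registration status from their own reporting.

```powershell
# Added example: the wrapper, its extra parameters and the sample rows are hypothetical.
function Set-PerUserMfaStateSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $UserId,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidateSet('enforced', 'enabled', 'disabled')]
        [string] $PerUserMfaState,

        # Assumption: supplied by the caller (for example from a registration report).
        [Parameter(ValueFromPipelineByPropertyName)]
        [bool] $MfaRegistered = $false,

        # Set only when interrupting legacy authentication for unregistered users is acceptable.
        [switch] $AllowLegacyAuthInterruption
    )
    process {
        $target = $PerUserMfaState
        if ($target -eq 'enforced' -and -not $MfaRegistered -and -not $AllowLegacyAuthInterruption) {
            # Enabled users switch to Enforced automatically once they register,
            # so an unregistered user is set to enabled instead.
            $target = 'enabled'
        }
        # -WhatIf on the wrapper skips the actual update and only reports the plan.
        if ($PSCmdlet.ShouldProcess($UserId, "Set per-user MFA state to '$target'")) {
            Update-EntraBetaUserAuthenticationRequirement -UserId $UserId -PerUserMfaState $target
        }
        [pscustomobject]@{
            UserId    = $UserId
            Requested = $PerUserMfaState
            Planned   = $target
        }
    }
}

# Constructed sample input: one registered user, one unregistered user.
$users = @(
    [pscustomobject]@{ UserId = 'SawyerM@Contoso.com';    PerUserMfaState = 'enforced'; MfaRegistered = $true }
    [pscustomobject]@{ UserId = 'SampleUser@Contoso.com'; PerUserMfaState = 'enforced'; MfaRegistered = $false }
)

Connect-Entra -Scopes 'Policy.ReadWrite.AuthenticationMethod'
# Preview first; remove -WhatIf to apply the planned states.
$users | Set-PerUserMfaStateSafely -WhatIf
```

With the sample rows, the first user is planned as enforced and the second is planned as enabled.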