Enable/Disable/Reset MFA with Powershell
How does one enable, disable, and reset a user’s MFA in Office 365? I was surprised by how much is required for enabling MFA.
Enable MFA
The first thing we do is get the user with Get-MsolUser.
$user = Get-MsolUser -UserPrincipalName $UPN
Next, we create a StrongAuthenticationRequirement object using New-Object.
$SAR = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
Now that the object is created, you can review it by using the Get-Member command. This object has 4 properties and 4 methods. We can now edit the properties. We will edit the RelyingParty and State properties.
$sar.RelyingParty = "*"
$sar.State = "Enabled"
Now we wrap the edited object in an array and apply it to the user's account.
$sarobject = @($sar)
Set-MsolUser -UserPrincipalName $user.Userprincipalname -StrongAuthenticationRequirements $sarobject
The Script
# Look up the account to change
$user = Get-MsolUser -UserPrincipalName $UPN
# Build the requirement: all relying parties, MFA enabled
$SAR = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$sar.RelyingParty = "*"
$sar.State = "Enabled"
# Set-MsolUser expects an array of requirement objects
$sarobject = @($sar)
Set-MsolUser -UserPrincipalName $user.Userprincipalname -StrongAuthenticationRequirements $sarobject
Disable MFA
Disabling MFA is extremely easy compared to enabling it. It's as simple as passing an empty array to the -StrongAuthenticationRequirements parameter.
Set-MsolUser -UserPrincipalName $user.Userprincipalname -StrongAuthenticationRequirements @()
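The enable and disable steps above, combined with a read-back check so a change that did not apply is caught instead of assumed. This is an added example, not code from the original post; the function names Get-UserMfaState and Set-UserMfaState are hypothetical, and it assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example. Assumes: MSOnline module imported, Connect-MsolService already run.
# Get-UserMfaState / Set-UserMfaState are hypothetical helper names.
function Get-UserMfaState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
            # An empty requirements collection means per-user MFA is disabled.
            $req = $user.StrongAuthenticationRequirements | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                MfaState          = if ($req) { [string]$req.State } else { 'Disabled' }
                RegisteredMethods = @($user.StrongAuthenticationMethods).Count
            }
        }
    }
}

function Set-UserMfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    # Disabled = empty array; Enabled = one requirement object, as in the post.
    $requirements = @()
    if ($State -eq 'Enabled') {
        $sar = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $sar.RelyingParty = '*'
        $sar.State = 'Enabled'
        $requirements = @($sar)
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set MFA state to $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $requirements -ErrorAction Stop
        # Read the account back and fail loudly if the state did not change.
        $result = Get-UserMfaState -UserPrincipalName $UserPrincipalName
        $isOff = $result.MfaState -eq 'Disabled'
        if (($State -eq 'Disabled') -ne $isOff) {
            throw "MFA state for $UserPrincipalName is '$($result.MfaState)', expected $State"
        }
        $result
    }
}
```

Run Set-UserMfaState with -WhatIf to preview a change, and pipe a list of UPNs into Get-UserMfaState to report which accounts still show Disabled.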
Reset MFA
The last one is to reset the MFA. Microsoft created a cmdlet just for this case. The command is Reset-MsolStrongAuthenticationMethodByUpn.
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user.Userprincipalname
I hope this helps out.