ruudmens / LazyAdmin

SysAdmin scripts for you to use.
MIT License

Does your enable MFA script work any longer? #8

Closed TTVert closed 9 months ago

TTVert commented 2 years ago

I had a similar script, and about a year ago it stopped working. Basically, MFA was enforced and the phone # was added correctly and verified via PS, but when I would try to log in it would show the text icon, and when I clicked on it I would get "we're having trouble identifying your account". My script (similar to yours) worked fine up until that point. Wonder if you ever experienced this? [screenshot]

Ruud-Mens commented 2 years ago

Do you mean the MFAEnableForUser.ps1 script? As far as I know it still works, the code is part of my onboarding script.

TTVert commented 2 years ago

Yes, sorry, that one. When was the last time you onboarded an employee with it? Reason I ask is that my script is essentially the same behind the scenes as yours. Mine "still" works in that it will enable MFA, enforce it, add the mobile # and also set the MFA type, but when trying to log in, MFA is borked. It just gives that "we're having trouble verifying your account" for any account I use this script for. At this point it is for onboarding.

[screenshot]

Ruud-Mens commented 2 years ago

The last account was around 2 weeks ago. But I will test the script in my dev tenant.

Ruud-Mens commented 2 years ago

Just tested it with a new account, and it works fine. But if I understand you correctly you already enter the mobile phone number for them in the MFA settings?

In my case, the user gets a notification after entering username + password that more information is required. At that point, they can connect their Authenticator app and/or configure SMS auth.

TTVert commented 2 years ago

Sorry, let me be a bit more detailed. I will include my goal and script below. My script was basically for the normal small onboarding tasks, but I saw your script could use a CSV, which appealed to me given the task at hand (I will explain below).

Use Case: We are implementing MFA across a very large number of devices for technicians (over 500), and for security reasons the MFA code will be sent to one individual's phone number via SMS. My goal (and this used to function in this manner) is to not have the end user perform any steps aside from putting in the MFA code texted to them. No verification of number, no additional steps, etc., as at this scale it would be very time consuming.

Goal:

Script: Basically it prompts for the UPN and the phone number, enforces/enables MFA, sets the phone # and then displays the phone # that was added (in case of a typo by the person doing this).


```powershell
# Ensure you Connect-MsolService as tenant admin first. WILL NOT work using delegate permissions.
# This will prompt for email and phone #. It will then enable MFA/strong auth, add a phone # and default to SMS for approval.

$User = Read-Host -Prompt 'User email address'
$mobilenumber = "+1 " + (Read-Host -Prompt 'User cell phone')
Set-MsolUser -UserPrincipalName $User -MobilePhone $mobilenumber

# Build the strong-authentication requirement (State "Enabled" or "Enforced")
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Enable MFA for the user
Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements $sta

# Set SMS as the default MFA method
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "OneWaySMS"
$m = @($m1)

Set-MsolUser -UserPrincipalName $User -StrongAuthenticationMethods $m

# Display the mobile # that was written, so a typo is visible
Get-MsolUser -UserPrincipalName $User | Format-List MobilePhone
```

What is occurring now when using this:

When I attempt to log in as this user I am greeted with the following. It doesn't even try to auth via MFA; it just shows the screen on the left. If I click the text option (I shouldn't have to if there is only one auth method) I get the screen on the right.

[screenshot]

Comparing a working MFA account (set up manually) to this account (set up with the script) side by side, the only difference I see MFA-wise is that the working account does not even show a mobile # in the MobilePhone property, and StrongAuthenticationUserDetails is empty for the non-working account (using my script), whereas the working one (manual setup) shows StrongAuthenticationUserDetails : Microsoft.Online.Administration.StrongAuthenticationUserDetails

[screenshot]

Thanks for any input you have
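The side-by-side comparison the last comment describes (MobilePhone, StrongAuthenticationRequirements, StrongAuthenticationMethods and StrongAuthenticationUserDetails of a manually configured account versus a scripted one) can be done in PowerShell rather than by eye. The block below is an added example written for this page; it is not code from the issue, from TTVert, or from the LazyAdmin repository. It assumes the MSOnline module and a completed Connect-MsolService for live use, and that the property names are the ones Get-MsolUser returns. The two sample objects at the bottom are constructed to mirror what the comment reports, so the comparison logic can be exercised without a tenant.

```powershell
# Added example, not from the issue or the LazyAdmin repo.
# Summarises the MFA-relevant properties of an MSOnline user object and
# reports the properties on which two users differ.
# Assumptions: property names match Get-MsolUser output; for live use,
# Connect-MsolService has already been run as a tenant admin.

function Get-MfaSummary {
    param([Parameter(Mandatory)][object]$User)

    $req     = @($User.StrongAuthenticationRequirements)
    $methods = @($User.StrongAuthenticationMethods)
    $details = $User.StrongAuthenticationUserDetails

    $state = ''
    if ($req.Count -gt 0) { $state = $req[0].State }

    $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

    $detailsPhone = ''
    if ($null -ne $details) { $detailsPhone = $details.PhoneNumber }

    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        MobilePhone       = $User.MobilePhone          # directory attribute set by Set-MsolUser -MobilePhone
        RequirementState  = $state                     # "Enabled" / "Enforced" / '' (no requirement)
        DefaultMethod     = $default                   # e.g. OneWaySMS
        MethodCount       = $methods.Count
        DetailsPhone      = $detailsPhone              # phone stored in StrongAuthenticationUserDetails
        HasUserDetails    = ($null -ne $details)
    }
}

function Compare-MfaState {
    param(
        [Parameter(Mandatory)][object]$Reference,   # the account that works (manual setup)
        [Parameter(Mandatory)][object]$Difference   # the account produced by the script
    )
    $a = Get-MfaSummary -User $Reference
    $b = Get-MfaSummary -User $Difference
    foreach ($p in 'MobilePhone', 'RequirementState', 'DefaultMethod', 'MethodCount', 'DetailsPhone', 'HasUserDetails') {
        if ("$($a.$p)" -ne "$($b.$p)") {
            [pscustomobject]@{ Property = $p; Reference = $a.$p; Difference = $b.$p }
        }
    }
}

# Live use (tenant required):
#   $manual   = Get-MsolUser -UserPrincipalName manual@contoso.com
#   $scripted = Get-MsolUser -UserPrincipalName scripted@contoso.com
#   Compare-MfaState -Reference $manual -Difference $scripted | Format-Table -AutoSize

# Constructed sample objects (no tenant needed), shaped like the two accounts in the comment:
# the manual account has no MobilePhone but populated user details; the scripted one is the reverse.
$manual = [pscustomobject]@{
    UserPrincipalName                = 'manual@contoso.com'
    MobilePhone                      = $null
    StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enforced' })
    StrongAuthenticationMethods      = @([pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' })
    StrongAuthenticationUserDetails  = [pscustomobject]@{ PhoneNumber = '+1 5550100' }
}
$scripted = [pscustomobject]@{
    UserPrincipalName                = 'scripted@contoso.com'
    MobilePhone                      = '+1 5550100'
    StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' })
    StrongAuthenticationMethods      = @([pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' })
    StrongAuthenticationUserDetails  = $null
}

Compare-MfaState -Reference $manual -Difference $scripted | Format-Table -AutoSize
```

With the constructed objects the output lists MobilePhone, RequirementState, DetailsPhone and HasUserDetails as differing, which is the gap the comment describes: the scripted account carries the number only in the directory MobilePhone attribute, while the working account carries it in StrongAuthenticationUserDetails. Run against real Get-MsolUser objects, the same function shows which of those properties your script is and is not populating.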