(Bulk) pre-register MFA for users without enabling MFA on the account


One of the security challenges when using Azure MFA in combination with Conditional Access is that MFA registration only happens the first time the user accesses a protected application.

But that first access might not happen for days or even months, for example if Conditional Access only requires MFA when the user is outside the corporate network, or if the application is used very rarely.

In the meantime, if that user's credentials are leaked, an attacker can complete the MFA registration instead of the intended user.

Some companies therefore prefer to pre-enroll or pre-register their users when the account is created in Azure AD. What should not happen is that we enable Azure MFA on the user's account; we only want to pre-populate one or two authentication methods (the mobile phone, in fact).

How can we do that?

  1. Make sure you synchronize the mobile attribute from on-premises AD to Azure AD with Azure AD Connect (the default rules will do that).
  2. Populate StrongAuthenticationMethods with the Set-MsolUser cmdlet.
  3. Do NOT set StrongAuthenticationRequirements (that would enable MFA on the account, which is not what we want).

 

Here is the script to pre-populate the authentication methods (SMS OTP and Mobile Voice Call):
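The author's original script is not reproduced on this page. The following is an editor-added example (not the author's code) that carries out the three steps above with the MSOnline module: it sets SMS OTP and mobile voice call as StrongAuthenticationMethods and deliberately never touches StrongAuthenticationRequirements, so per-user MFA stays disabled. It goes beyond a single user by iterating over a list of UPNs, and it skips users who have no mobile number synced (those would otherwise be blocked by Conditional Access with no number to use) or who have already registered their own methods. The UPNs are constructed sample values; Connect-MsolService is assumed to have been run already.

```powershell
# Editor-added example, not the author's script. Requires the MSOnline module
# and an existing Connect-MsolService session (assumed, not shown).
# Pre-populates SMS OTP + mobile voice call as StrongAuthenticationMethods.
# -StrongAuthenticationRequirements is intentionally NEVER set here.

# Constructed sample UPNs; replace with your own list (e.g. Get-MsolUser or a CSV).
$upns = @(
    'first.user@contoso.example',
    'second.user@contoso.example'
)

# Build the two methods. MethodType values are the MSOnline names
# 'OneWaySMS' (SMS one-time code) and 'TwoWayVoiceMobile' (voice call to mobile).
$sms = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sms.IsDefault  = $true
$sms.MethodType = 'OneWaySMS'

$voice = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$voice.IsDefault  = $false
$voice.MethodType = 'TwoWayVoiceMobile'

$methods = @($sms, $voice)

foreach ($user in $upns) {
    $msolUser = Get-MsolUser -UserPrincipalName $user -ErrorAction SilentlyContinue
    if (-not $msolUser) {
        Write-Warning "$user not found in Azure AD, skipping"
        continue
    }

    # Guard: with no synced mobile number the methods point at nothing, and a
    # Conditional Access policy demanding MFA would lock the user out.
    if ([string]::IsNullOrWhiteSpace($msolUser.MobilePhone)) {
        Write-Warning "$user has no MobilePhone in Azure AD, skipping"
        continue
    }

    # Guard: do not overwrite methods the user has already registered themselves.
    if ($msolUser.StrongAuthenticationMethods.Count -gt 0) {
        Write-Verbose "$user already has MFA methods registered, skipping"
        continue
    }

    # Only the methods are written; the account's MFA state is left unchanged.
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationMethods $methods
    Write-Host "Pre-registered SMS/voice methods for $user"
}

# Verification: confirm no per-user MFA requirement was created as a side effect.
foreach ($user in $upns) {
    $u = Get-MsolUser -UserPrincipalName $user -ErrorAction SilentlyContinue
    if ($u -and $u.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Warning "$user has StrongAuthenticationRequirements set; per-user MFA is enabled"
    }
}
```

The important line is the Set-MsolUser call: it passes -StrongAuthenticationMethods only. Passing -StrongAuthenticationRequirements as well would flip the account into the "enabled/enforced" per-user MFA state, which is exactly what the post says to avoid. The closing loop is a cheap way to check in bulk that the state is still what you expect after the run.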

 

Note:

Users can of course still change their MFA settings, for example add the Authenticator app as the primary method, but the advantage of pre-registration is that in order to change MFA settings the user is forced to complete MFA first.
As long as the user has not set up their own mobile phone number for MFA (stored in StrongAuthenticationUserDetails, Phone attribute), the synchronized mobile number is used.


Author: Peter Stapf

Senior Consultant Identity and Access

15 thoughts on “(Bulk) pre-register MFA for users without enabling MFA on the account”

  1. Do you know how I could directly configure MFA for the user? I have another MFA solution in place and I know the number where the users want to receive SMS for MFA (this does not always equal their business mobile number). Can I configure the number using PowerShell? Thanks

    1. Sadly you can currently only work with the mobile number, which in general contains mostly the company mobile phone.
      You cannot set the attributes that the user will edit when registering for MFA currently.
      This maybe will come in the near future when those attributes are exposed to Graph, which is currently not possible.
      So I only know the method described here by setting the mobile attribute in AD and syncing, or in case of a cloud-only account setting the mobilePhone attribute in AAD.

      1. Thanks for your reply. I cannot expose these numbers in AD, they have to remain confidential. Users will have to register themselves then…

        Thanks again.

  2. Hi,
    Is it not possible to use the mobile phone in “contact info”? So that it’s not visible in on-premises AD?
    If the admin populates the phone number before and then uses your script, will it not work?

  3. Hi,
    I only tested it with the default sync of the on-prem “mobile” attribute. That’s the way it works at my customer.
    Bad thing (or in the case of my customer exactly what they want) is that if you enable the methods and the user has no mobile synced from on-prem, he cannot use MFA because he will be forced in Conditional Access to do so but no number is presented.

    To hide the number on-prem from users you can create a custom rule to sync the mobile phone number from a different AD attribute that is not shown to users by default. But do extensive testing on that, because you change a default rule and I cannot say if it will break anything.

  4. Hi Peter,

    Thanks for your PowerShell. Our plan is to ask users to manually register their security info although many do have a mobile phone number already synced to Azure AD.

    Do you know if it is possible to have ‘Phone’ instead of ‘Authenticator app’ appear as the default method on the registration screen? I understand that Microsoft want to promote the app but for most users we want them to click “Choose security info > Phone” and set that up instead.

    Thanks, Ryan.

  5. I'm trying to use your script in a foreach command when adding methods to users, but I'm struggling with making it work. If I create a single user in the $upn variable, it works fine, but with multiple, it just fails.

    foreach ($user in $upn){
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $methods
    }

    Any ideas? It shouldn't be necessary to put it into files just for this purpose?

    1. I populated the array of users into $upn like in your script, so the users are in the $upn array. If I manually add $upn=”firstname.lastname@domain.com” for 1 specific user it works, but with an array of 100+ users in $upn, it doesn't work.

  6. Then the foreach will put each UPN in the array into the $user variable on every loop.
    So -UserPrincipalName $user is what you need.

    My script, by the way, does not have an array of UPNs; it's just a string.

    1. I know, it kept bugging me at first, since the blog refers to “bulk” populating the methods, but the script itself is only designed for 1 username at a time, so I was missing the bulk part… I’ll try the $user change and see how it goes.
