Automate AzureAD Multifactor Authentication Enrollment

Simon Diehm

Overview

This article covers how to automatically enroll users in your Azure AD tenant in multi-factor authentication (MFA) using PowerShell and the Microsoft Graph API. The example uses SMS-based MFA. You can also use the Microsoft Authenticator app alongside SMS, but enrollment of app-based MFA cannot be automated.

Requirements

  • Account with Graph API permission UserAuthenticationMethod.ReadWrite.All
  • List of users with UPN and phone numbers (example CSV below)
  • Phone number format needs to be country code + phone number with no spaces
  • ActiveDirectory PowerShell module (only if you also want to add users to an on-premises AD group)

Example list of users

UPN,Number
user1@domain.com,0400123456
user2@domain.com,0400123457

Connecting to MS Graph

# Trust the gallery, install the sign-ins module and sign in with the required scope
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta

If successful, you should see Welcome to Microsoft Graph!

Add MFA method & add user to AD group (optional)

Import-Module ActiveDirectory

$csv = Import-Csv C:\temp\users.csv
foreach ($row in $csv) {
  $upn = $row.UPN
  # Graph expects "+<country code> <number>", which is also how it is returned (see the check below)
  $number = "+61 " + $row.Number

  # Register the mobile number as an SMS-capable authentication method
  New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneType "mobile" -PhoneNumber $number

  # Optional: add the matching on-premises AD account to the MFA group.
  # $row is the whole CSV record, so resolve the AD user from the UPN first.
  $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
  if ($adUser) {
    Add-ADGroupMember -Identity "MFA_Users" -Members $adUser
  } else {
    Write-Warning "No on-premises AD user found for $upn; skipped group membership"
  }
}

To confirm this worked, you can check a user with the following command:

Get-MgUserAuthenticationPhoneMethod -UserId user1@domain.com

Id                                   PhoneNumber    PhoneType SmsSignInState    
--                                   -----------    --------- --------------    
00000000-0000-0000-0000-000000000000 +61 0400123456 mobile    notAllowedByPolicy
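Checking one user by hand does not scale to a whole CSV, so the following added example (mine, not part of the original article) reconciles every row of the CSV against what Graph actually reports, flagging users whose mobile method is missing or registered with a different number. It assumes Connect-MgGraph has already run with UserAuthenticationMethod.ReadWrite.All, the CSV columns shown above, and that all numbers share the +61 country code used in the article.

```powershell
# Added example: reconcile the enrollment CSV with the phone methods Graph reports.
# Assumes an existing Connect-MgGraph session and a CSV with UPN and Number columns.
function Get-MfaPhoneReport {
  param(
    [Parameter(Mandatory)][string]$CsvPath,
    [string]$CountryCode = "+61"   # assumption: every row is an Australian number
  )

  foreach ($row in Import-Csv $CsvPath) {
    $upn      = $row.UPN
    $expected = "$CountryCode $($row.Number)"   # Graph returns e.g. "+61 0400123456"

    try {
      $methods = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction Stop
    } catch {
      # Unknown UPN, missing permission, throttling, etc.: report it, do not hide it
      [pscustomobject]@{ UPN = $upn; Status = "LookupFailed"; Registered = $null
                         SmsSignIn = $null; Detail = $_.Exception.Message }
      continue
    }

    $mobile = $methods | Where-Object { $_.PhoneType -eq "mobile" } | Select-Object -First 1

    $status = if (-not $mobile)                           { "Missing" }
              elseif ($mobile.PhoneNumber -ne $expected)  { "Mismatch" }
              else                                        { "OK" }

    # SmsSignInState describes SMS as a primary sign-in credential; notAllowedByPolicy
    # is the tenant default and does not prevent the number being used as a second factor.
    [pscustomobject]@{
      UPN        = $upn
      Status     = $status
      Registered = $mobile.PhoneNumber
      SmsSignIn  = $mobile.SmsSignInState
      Detail     = "expected $expected"
    }
  }
}

# Usage: list only the rows that still need attention
Get-MfaPhoneReport -CsvPath C:\temp\users.csv |
  Where-Object Status -ne "OK" |
  Format-Table -AutoSize
```

Rows reported as Missing are the ones to re-run through the enrollment loop; Mismatch rows usually mean a stale CSV or a number the user registered themselves.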

More information

See the official Microsoft Graph PowerShell documentation for the New-MgUserAuthenticationPhoneMethod cmdlet for the full parameter list.

Conclusion

Thanks for reading this article. I'm new to public technical writeups, and hope to grow through consistency, reading other blogs and receiving feedback.
