question

0 Votes
EavenHuang asked ClementBETACORNE edited

PowerShell to enforce MFA for new users

Dear Experts,

I was looking for a PowerShell script that we can run to enforce MFA for those users who were created in the last few hours, maybe within 24 hours.
We don't want to enforce MFA for all existing users, but it needs to be applied to the new users who are coming in.

We are using the AAD free version, in a hybrid environment where users are synchronized from our on-premises AD.
My idea was to use Task Scheduler to run this PowerShell script every day, so it enforces MFA for the users that were created that day.

Any advice would be really appreciated.

windows-server-powershell

0 Votes
ClementBETACORNE answered EavenHuang commented

Hello,

Below is a script that can help you achieve what you want. It can be improved, for example to search only a specific OU if your Azure AD Connect is only synchronizing specific OUs:

    function Set-MfaState {
        [CmdletBinding()]
        param(
            [Parameter(ValueFromPipelineByPropertyName=$True)]
            $ObjectId,
            [Parameter(ValueFromPipelineByPropertyName=$True)]
            $UserPrincipalName,
            [ValidateSet("Disabled", "Enabled", "Enforced")]
            $State
        )

        Process {
            Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
            # An empty requirements array clears per-user MFA; otherwise one
            # requirement covering every relying party ("*") is written.
            $Requirements = @()
            if($State -ne "Disabled") {
                $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
                $Requirement.RelyingParty = "*"
                $Requirement.State = $State
                $Requirements += $Requirement
            }

            Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $Requirements
        }
    }

    # On-premises accounts created since midnight today
    $ADUsers = Get-ADUser -Filter * -Properties WhenCreated | Where-Object {$_.WhenCreated -gt ([DateTime]::Today)}
    if ($ADUsers -ne $null) {
        Connect-MsolService
        foreach($ADUser in $ADUsers) {
            # Only act on accounts that Azure AD Connect has already synchronised
            $AzureADUser = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName
            if($AzureADUser -ne $null) {
                Set-MfaState -ObjectId $AzureADUser.ObjectId -UserPrincipalName $AzureADUser.UserPrincipalName -State Enabled
            }
        }
    }

You will need the MSOnline module and the Active Directory module.

Regards,

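An added example, not the answerer's script, of the same daily task written for unattended use: it scopes the AD query to one OU, uses a sliding 24-hour window instead of `[DateTime]::Today` (so accounts created shortly before midnight are not missed when the task runs in the morning), skips users not yet synchronised or already at the target state, logs each decision, and supports a dry run. The OU, log path and parameter names are assumptions.

```powershell
# Added example: daily scheduled task that sets per-user MFA for AD accounts
# created in the last $LookbackHours hours. Paths and OU are placeholders.
param(
    [string]$SearchBase = 'OU=Users,DC=contoso,DC=com',   # assumed: the OU that AAD Connect syncs
    [int]$LookbackHours = 24,
    [ValidateSet('Enabled', 'Enforced')]
    [string]$State = 'Enabled',
    [string]$LogPath = 'C:\Scripts\mfa-enrol.log',       # assumed log location
    [switch]$WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module MSOnline -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Sliding window: unlike [DateTime]::Today this also catches accounts created
# late yesterday when the task runs early in the morning.
$since = (Get-Date).AddHours(-$LookbackHours)
$newUsers = Get-ADUser -Filter * -SearchBase $SearchBase -Properties whenCreated |
    Where-Object { $_.whenCreated -ge $since -and $_.Enabled }

if (-not $newUsers) {
    Write-Log "No enabled users created in the last $LookbackHours hours under $SearchBase."
    return
}

Connect-MsolService   # add -Credential here when run from Task Scheduler

foreach ($adUser in $newUsers) {
    $upn = $adUser.UserPrincipalName
    $msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $msolUser) {
        # Not synchronised yet (default AAD Connect cycle is 30 minutes); the
        # 24-hour window means tomorrow's run will pick it up.
        Write-Log "SKIP $upn : not found in Azure AD yet."
        continue
    }

    # Idempotence: never downgrade Enforced to Enabled on a re-run or a wider window.
    $current = ($msolUser.StrongAuthenticationRequirements | Select-Object -First 1).State
    if ($current -eq 'Enforced' -or $current -eq $State) {
        Write-Log "SKIP $upn : already '$current'."
        continue
    }

    if ($WhatIf) {
        Write-Log "WHATIF $upn : would set MFA state '$State'."
        continue
    }

    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $msolUser.UserPrincipalName -StrongAuthenticationRequirements @($req)
    Write-Log "SET $upn : MFA state '$State' (was '$current')."
}
```

Run it once with `-WhatIf -Verbose` from the account the scheduled task will use, and review the log before scheduling it; the log also gives you an audit trail of which accounts were touched on which day.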

Dear @ClementBETACORNE,

Thanks so much for sharing the script, which works just perfectly! I did find a minor issue: every time I try to run this script, a window pops up asking me to input the credentials for Connect-MsolService. Any idea how we can skip this part or keep the credentials somewhere so it won't stop at this step?

Since I'm thinking about using Task Scheduler to run this script, this kind of window will stop it from running.
Thanks again.

[screenshot attached: mfa-login.png]

0 Votes 0 ·
0 Votes
ClementBETACORNE answered ClementBETACORNE edited

Hello,

You can add these lines at line 26:

    $password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential ('xxx@contoso.com', $password)

You can then pass this credential to the connection: Connect-MsolService -Credential $credential

Regards,


Dear @ClementBETACORNE,

Thanks for your help! To my understanding, this password will be saved as plain text in the script, right?

0 Votes 0 ·

Yep, I'm trying to find another way by using service principals.

0 Votes 0 ·

Hello @EavenHuang ,

After some checks, you won't be able to use a service principal with Connect-MsolService, but you can encrypt the credential in order to secure your script a little.
Below is an article regarding this subject:
https://www.altaro.com/msp-dojo/encrypt-password-powershell/

You will have to store the encrypted form in a file and use this file in your script:

    (Get-Credential).Password | ConvertFrom-SecureString | Set-Content "C:\Passwords\password.txt"

You don't have to put what is above in your script. Below is what you will need to add:

    $password = Get-Content "C:\Passwords\password.txt" | ConvertTo-SecureString
    $credential = New-Object System.Management.Automation.PSCredential("xxx@contoso.com", $password)



0 Votes 0 ·
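An added example, not the answerer's commands, that covers both the plain-text `ConvertTo-SecureString 'MySecretPassword' -AsPlainText` approach from the earlier answer and the `ConvertFrom-SecureString` file from this comment. `ConvertFrom-SecureString` and `Export-Clixml` without a `-Key` both protect the secret with DPAPI, which is bound to the Windows account and the machine that created the file: the file must therefore be written once, interactively, by the same account the scheduled task runs as, on the same machine, and a copy taken elsewhere cannot be decrypted. Supplying `-Key` to avoid that binding only moves the secret into the script. The two functions below save the credential that way, restrict the file's ACL to the task account, and fail with a clear message when the file was created by someone else. The path and account name are assumptions.

```powershell
# Added example: DPAPI-protected credential file for the scheduled MFA task.
# $CredPath and $TaskUser are placeholders for your environment.
$CredPath = 'C:\Scripts\msol-cred.xml'    # assumed location on the task machine
$TaskUser = 'CONTOSO\svc-mfa'            # assumed account the scheduled task runs as

function Save-TaskCredential {
    # Run ONCE, interactively, logged on as $TaskUser on the task machine.
    # Export-Clixml stores the password encrypted with DPAPI for this user
    # and this computer; the username stays readable, the password does not.
    param([string]$Path = $CredPath)

    $cred = Get-Credential -Message 'Azure AD account used by the MFA task'
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $cred | Export-Clixml -Path $Path

    # Defence in depth: drop inherited ACEs and leave only the task account
    # (read) and local Administrators (full control) on the file.
    & icacls $Path /inheritance:r /grant:r "${TaskUser}:R" 'BUILTIN\Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Get-TaskCredential {
    # Called at the top of the scheduled script, running as the same $TaskUser.
    param([string]$Path = $CredPath)

    if (-not (Test-Path $Path)) {
        throw "Credential file '$Path' not found; run Save-TaskCredential as $TaskUser first."
    }
    try {
        $cred = Import-Clixml -Path $Path
    }
    catch {
        # Typical cause: file created by a different account or copied from another machine
        throw "Could not decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME : $_"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$Path' does not contain a PSCredential."
    }
    return $cred
}

# In the scheduled script, replace the interactive prompt with:
#   $credential = Get-TaskCredential
#   Connect-MsolService -Credential $credential
```

Because Connect-MsolService with `-Credential` signs in with a username and password, the account the task uses is itself outside the per-user MFA you are rolling out: give it the least privileged directory role that can change the setting, use it for nothing else, and review its sign-in logs so that a misuse of the credential file shows up as activity outside the scheduled window.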