Bulk Activate MFA in Office365 with exceptions

  • Question

  • Hi, I recently activated MFA for Office365 authentication. I couldn't activate it for the whole organization because we needed some exceptions and some domains to stay without it. So the only available way was a bulk update using a CSV file, but in my case that didn't work because I have 5000+ users and the webpage timed out.

    So finally I found a script and modified it to fit my needs:

    Connect-MsolService
    # Build a requirement that enforces MFA for all relying parties
    $mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mf.RelyingParty = "*"
    $mfa = @($mf)
    # Every user in the domain holding the student SKU gets the requirement applied
    Get-MsolUser -All -DomainName "mydomain.com" |
        Where-Object { $_.Licenses.AccountSkuId -eq "mydomaincom:STANDARDWOFFPACK_IW_STUDENT" } |
        Set-MsolUser -StrongAuthenticationRequirements $mfa

    So I just change mydomain to any domain or subdomain and I activate MFA for everybody.

    After that I had to go to a bunch of accounts and manually deactivate MFA.

    So now I need a way to do this, or to modify the above script to add the exceptions, so that every time I run it I don't re-enable MFA for the accounts that I already disabled.

    Does anybody have any ideas?

    Thank you!

    • Moved by Manu Meng Friday, March 15, 2019 6:59 AM relocate
    Thursday, March 14, 2019 3:09 PM

Answers

  • Just in case anyone is interested in the solution, this is what I did.

    I entered a specific word in an AD attribute just for the purpose of filtering; in my case I used the word "nomfa" in the postal code attribute. Then I search for all users that don't have that attribute and that don't already have MFA enabled, and enable them.

    Connect-MsolService
    # Requirement object: MFA for all relying parties
    $mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mf.RelyingParty = "*"
    $mfa = @($mf)
    # Target: licensed users with no MFA state yet whose PostalCode is not the "nomfa" marker
    Get-MsolUser -All -DomainName "mydomain.com" |
        Where-Object { $null -eq $_.StrongAuthenticationRequirements.State -and $_.IsLicensed -eq $true -and $_.PostalCode -ne "nomfa" } |
        Set-MsolUser -StrongAuthenticationRequirements $mfa


    Thanks for the suggestions

    Thursday, May 16, 2019 2:00 PM

All replies

  • Basically you could read a list of exceptions into an object, then for each MsolUser compare against the list and skip the ones in the list.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 14, 2019 10:44 PM
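The approach Ed describes, as an added example that is not code from the original thread: read the exceptions into a set, skip anyone on it, skip anyone who already has an MFA state (so a re-run never resets a user), and finish with an audit of exception accounts that still carry a requirement. The domain name, the exception list (constructed inline here; in practice it would come from a reviewed CSV) and the `-DryRun` switch are assumptions for this example. Two caveats: the MSOnline module these cmdlets belong to has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat it as legacy; and whichever opt-out mechanism is used (a CSV or a marker in an attribute such as PostalCode), anyone able to write that list or attribute can exempt an account from MFA, so the exception set is itself a privileged object that should be reviewed, which is what the audit step at the end is for.

```powershell
# Added example, not code from the original thread. Enables per-user MFA for
# every licensed user in one domain while skipping an exception list, then
# reports exception accounts that still carry an MFA requirement.
# Assumes the (legacy) MSOnline module is installed and you can sign in.
param(
    [string]$DomainName = "mydomain.com",   # assumed, as in the thread
    [switch]$DryRun                         # report what would change, change nothing
)

Import-Module MSOnline
Connect-MsolService

# Constructed sample exception list; replace with Import-Csv on a reviewed file.
$exceptionCsv = @"
UserPrincipalName,Reason
svc-scanner@mydomain.com,shared scan-to-mail account
kiosk01@mydomain.com,lobby kiosk
"@
$exceptions = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$exceptionCsv | ConvertFrom-Csv | ForEach-Object { [void]$exceptions.Add($_.UserPrincipalName.Trim()) }

# Same requirement object the thread builds: MFA for all relying parties.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$mfa = @($req)

$users   = Get-MsolUser -All -DomainName $DomainName | Where-Object { $_.IsLicensed }
$enabled = 0
$skipped = 0
foreach ($user in $users) {
    $upn = $user.UserPrincipalName
    if ($exceptions.Contains($upn)) { $skipped++; continue }
    # Already Enabled/Enforced: leave it alone so a re-run never resets a user's state.
    if ($user.StrongAuthenticationRequirements.Count -gt 0) { continue }
    if ($DryRun) {
        Write-Host "Would enable MFA for $upn"
    } else {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $mfa
    }
    $enabled++
}
Write-Host "Enabled: $enabled   Skipped (on exception list): $skipped"

# Audit: exception accounts that nevertheless have MFA set. Review these by hand;
# the script deliberately never disables MFA for anyone.
$users |
    Where-Object { $exceptions.Contains($_.UserPrincipalName) -and $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName, @{ Name = 'MfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } }
```

Run it once with `-DryRun` and compare the "Would enable" list against the exception list before letting it write; because the enable step only touches users with no MFA state at all, the script is safe to schedule repeatedly, and the audit output is the place to catch an account that was added to the exceptions after MFA had already been turned on for it.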
  • Hi Gustavo,

    Ed shared some good points; you can base your script on what he said.

    Besides, since it is an Exchange Development-related question, I will help you move the thread to its specialized forum: the Exchange Server Development forum.

    Regards,

    Manu Meng


    Friday, March 15, 2019 6:56 AM