Azure AD B2B Multi Factor Authentication

    Question

  • I am currently working on a project with the Azure AD B2B collaboration API. Potential users sign up to my AD with their own email after having been sent an invitation from the API to their email. During the sign-up process they are asked to verify their email, which then sends a 4-digit code to their email address (which is kind of pointless considering I’ve already confirmed my email by being able to access the link?), and then they will get prompted to enter their phone number, to which they will be sent a code. I was wondering how do I turn the Multi-Factor Authentication off so that the potential user does not have to enter their phone number for verification?

    (I think that this may be a Microsoft standard and it might not be configurable, but thought I would ask first)



    • Edited by jdavis649 Thursday, March 30, 2017 3:25 PM
    Thursday, March 30, 2017 3:22 PM

All replies

  • You can check the documentation on User States in Azure Multi-Factor Authentication.

    NOTE: All users start out disabled. When you enroll users in Azure MFA, their state changes to enabled. When enabled users sign in and complete the registration process, their state changes to enforced.

    In the document, check the section titled: "To change the state from enabled/enforced to disabled"

    Using PowerShell would be an option for bulk enabling users. Currently there is no bulk enable feature in the Azure portal and you need to select each user individually. This can be quite a task if you have many users. By creating a PowerShell script using the following, you can loop through a list of users and enable/disable them.

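    # Requires the MSOnline module and an active Connect-MsolService session.
    # Build a requirement that applies to all relying parties and sets the state to Disabled.
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Disabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta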

    Here is an example:

    # Requires the MSOnline module and an active Connect-MsolService session.
    $users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"
    foreach ($user in $users)
    {
        # Apply the Disabled state to each user in the list.
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Disabled"
        $sta = @($st)
        Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
    }


    Friday, March 31, 2017 9:58 AM
    Moderator
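
Before and after changing states in bulk as in the reply above, it helps to see which accounts sit in which per-user MFA state; the following is an added example, not part of the original thread or of Microsoft's documentation. The function name `Get-MfaStateReport` and the sample accounts are hypothetical, and the sample objects are constructed to mimic the `UserPrincipalName`, `UserType` and `StrongAuthenticationRequirements` properties returned by `Get-MsolUser`.

```powershell
# Added example: map each user object to its per-user MFA state
# (Disabled / Enabled / Enforced, as described in the NOTE above).
function Get-MfaStateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # An empty or missing requirement list means the user was never
        # enrolled, which is the "Disabled" starting state.
        $req = @($User.StrongAuthenticationRequirements) |
            Where-Object { $_ -and $_.State } |
            Select-Object -First 1
        $state = if ($req) { [string]$req.State } else { 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            UserType          = $User.UserType
            MfaState          = $state
        }
    }
}

# Constructed sample objects (not real accounts), shaped like Get-MsolUser output.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'partner_example.org#EXT#@contoso.onmicrosoft.com'
        UserType = 'Guest'
        StrongAuthenticationRequirements = @()
    }
    [pscustomobject]@{
        UserPrincipalName = 'vendor_example.net#EXT#@contoso.onmicrosoft.com'
        UserType = 'Guest'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enforced' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'bsimon@contoso.com'
        UserType = 'Member'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' })
    }
)

# Guests that can sign in with no second factor: review these after any bulk change.
$sample | Get-MfaStateReport |
    Where-Object { $_.UserType -eq 'Guest' -and $_.MfaState -eq 'Disabled' }

# Against a live tenant (MSOnline module, after Connect-MsolService):
#   Get-MsolUser -All | Get-MfaStateReport
```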