

Azure AD PowerShell supports MFA to protect authentication

The preview of the Azure AD PowerShell module flexes its muscles by supporting MFA and device management.

Microsoft released PowerShell support for multifactor authentication and device management for Azure Active Directory, making every IT admin who manages resources in AD smile.

Previously, multifactor authentication (MFA) was only available from PowerShell to Office 365 administrators. These two features of the Azure AD PowerShell module -- in public preview as of October 20, 2015 -- authenticate administrators more securely and allow them to incorporate Azure AD device management tasks into their automation.

Let's go over each of these features, what they mean for the AD administrator going forward and how to use each one.

Multifactor authentication support

A single password isn't enough to properly authenticate a human being. With reports of data breaches so prevalent these days, it sometimes seems that no password is safe -- regardless of how complicated you try to make it.

MFA mitigates the weakness of the old tried and true password by no longer letting a single string of characters confirm on its own that you are who you say you are. MFA forces us to reply to an IM or a text, for example, to say "Yes, I have this password and I also have a trusted device. See? I proved it to you." This method prevents attackers from stealing our passwords and using them alone to authenticate as us.

With MFA support in the Azure AD PowerShell module, administrators can now rest easy: even if their password is compromised, they're still covered because now the Azure AD PowerShell module forces you to provide a code delivered via text message. Chances are the attacker doesn't have the end user's trusted device handy as well as the passcode.

If you're an IT administrator who wants to use this new authentication feature, you first must ensure you have enabled MFA for your account; it's also safer for end users to enable MFA on their own accounts. You'll also need to ensure any older versions of the module are removed. Then, download and install the module. If you're still on a 32-bit OS, you're out of luck -- Microsoft only provides a 64-bit version, although it is looking for feedback to gauge the demand.

Launch the AdministrationConfig.msi file and step through the install instructions. You can accept all the defaults. If all goes well, you will see the familiar Finish button. After installing, ensure the module shows up in your PowerShell console.

You'll have a module called MSOnline with various commands available to you. As a test to ensure you have the new module, check if you have Get-MsolDevice. If so, you've got the latest public preview.

To initiate a connection, run Connect-MsolService. You should receive a graphical box asking for credentials (Figure 1).

Figure 1: Enter your credentials in this box to begin working with MFA for Azure AD.

Once you input your credentials -- if this is the first time you've used MFA with your account -- the program will prompt you to verify your account. If you don't get a verification box and are immediately authenticated, then the account you provided was not enabled for MFA.
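The install and sign-in steps above, gathered into a single pre-flight check. This is an added example, not code from the article or from Microsoft's module: the function name is ours, and the only module cmdlets it relies on are the two the article names (Get-MsolDevice and Connect-MsolService); everything else is standard PowerShell.

```powershell
# Added example (not part of the original article): verify the MSOnline preview
# module is actually in place before trying to connect with an MFA-enabled account.
function Test-MsolPreviewReady {
    $installed = Get-Module -ListAvailable -Name MSOnline
    $result = [ordered]@{
        # The preview ships as 64-bit only, so a 32-bit OS fails here.
        Is64Bit        = [Environment]::Is64BitOperatingSystem
        ModulePresent  = $null -ne $installed
        # Get-MsolDevice only exists in the preview; its presence proves the new build is loaded.
        PreviewCmdlets = $null -ne (Get-Command Get-MsolDevice -ErrorAction SilentlyContinue)
        # More than one version listed usually means an older copy was not removed first.
        Versions       = ($installed.Version -join ', ')
    }
    [pscustomobject]$result
}

$check = Test-MsolPreviewReady
$check | Format-List

if ($check.Is64Bit -and $check.ModulePresent -and $check.PreviewCmdlets) {
    # Call without -Credential so the module shows its own sign-in box (Figure 1)
    # and can add the MFA verification step after the password.
    Connect-MsolService
}
else {
    Write-Warning 'Fix the failed checks above before connecting.'
}
```

If the connection succeeds without a verification prompt, treat that as the check the article describes: the account you signed in with has not had MFA enabled yet.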

PowerShell device management

The Azure AD PowerShell module also allows admins to manage devices. The new module came with four new cmdlets: Get-MsolDevice, Enable-MsolDevice, Disable-MsolDevice and Remove-MsolDevice.

It's always a good idea to start with the Get cmdlets in PowerShell. A Get cmdlet only reads information, so it's typically harmless. For example, I have an account called [email protected]. If I need to find all of the devices registered to this user, I'd use the RegisteredOwnerUpn parameter:

Get-MsolDevice -RegisteredOwnerUpn [email protected]

This would output a number of different properties, one being DeviceId. This is a unique identifier that represents that device in Azure AD. The ID gives you a unique target to enable, disable or remove as you see fit.

Perhaps a device was lost and you'd like to disable it. You would use Disable-MsolDevice with the DeviceId parameter. For example, perhaps the device ID returned from the Get-MsolDevice command is a7892334-730b-4d49-bd13-54c2a4928009. Pass this ID as a parameter to Disable-MsolDevice:

Disable-MsolDevice -DeviceId a7892334-730b-4d49-bd13-54c2a4928009

If you decided to enable it again after it was found, use Enable-MsolDevice:

Enable-MsolDevice -DeviceId a7892334-730b-4d49-bd13-54c2a4928009

Finally, if you want to remove it completely, use Remove-MsolDevice with the same DeviceId parameter as the other cmdlets:

Remove-MsolDevice -DeviceId a7892334-730b-4d49-bd13-54c2a4928009
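The lost-device scenario above, written as a reusable function with a dry-run mode and an ownership check. This is an added example and not the article's or the module's own code: it assumes Connect-MsolService has already completed, takes only -RegisteredOwnerUpn, -DeviceId and the DeviceId property from the article, and treats the DisplayName, Enabled and ApproximateLastLogonTimestamp property names on the device object as assumptions. The log file name and the user principal name in the usage lines are placeholders.

```powershell
# Added example (not part of the original article): report a user's devices and
# disable one of them only after confirming the ID really belongs to that user.
function Get-UserDeviceReport {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Read-only, as the article recommends for a first step.
    # Property names other than DeviceId are assumed, not taken from the article.
    Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName |
        Select-Object DeviceId, DisplayName, Enabled, ApproximateLastLogonTimestamp
}

function Disable-LostDevice {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [guid]   $DeviceId,   # [guid] rejects a malformed ID before any call is made
        [switch] $DryRun
    )

    # Re-read the owner's devices so a typo cannot disable some other user's device.
    $owned  = Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName
    $target = $owned | Where-Object { [guid]$_.DeviceId -eq $DeviceId }
    if (-not $target) {
        throw "Device $DeviceId is not registered to $UserPrincipalName; refusing to disable it."
    }

    if ($DryRun) {
        Write-Host "Would disable '$($target.DisplayName)' ($DeviceId) owned by $UserPrincipalName"
        return $target
    }

    Disable-MsolDevice -DeviceId $DeviceId

    # Keep a local audit line for the change record (path is a placeholder).
    "{0:o} {1} disabled device {2} for {3}" -f (Get-Date), $env:USERNAME, $DeviceId, $UserPrincipalName |
        Out-File -Append -FilePath '.\device-changes.log'

    # Return the device as read back after the change so the caller can verify it.
    Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName |
        Where-Object { [guid]$_.DeviceId -eq $DeviceId }
}

# Usage (placeholder UPN; the device ID is the one quoted in the article):
# Get-UserDeviceReport -UserPrincipalName 'user@example.com' | Format-Table
# Disable-LostDevice -UserPrincipalName 'user@example.com' `
#     -DeviceId 'a7892334-730b-4d49-bd13-54c2a4928009' -DryRun
# Disable-LostDevice -UserPrincipalName 'user@example.com' `
#     -DeviceId 'a7892334-730b-4d49-bd13-54c2a4928009'
```

Run it once with -DryRun to see exactly which device would be touched, then without it. The same structure works for Enable-MsolDevice and Remove-MsolDevice; only the cmdlet in the middle changes, and for Remove-MsolDevice the read-back will return nothing because the device no longer exists.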

This increased functionality in the Azure AD PowerShell module only gets us one step closer to being able to fully manage the Azure portals from PowerShell. Once we get all of the capabilities of the portals inside the PowerShell module, admins will have full control without ever having to leave the command line.

Savvy IT administrators consistently looking for new ways to save time and money through automation are going to love this new feature set.

About the author:
Adam Bertram is an independent thinker, consultant and entrepreneur. He's passionate about solving technical problems through automation and sharing his knowledge with the world. This passion has led Adam to become a Microsoft PowerShell MVP, a 2015 PowerShell hero, Pluralsight and Udemy training course author, a presenter and technology writer for both print and online tech publications.
