

Configure Office 365 authentication with PowerShell

Admins can use this step-by-step process to configure MFA with Azure Active Directory Module for Windows PowerShell.

Multifactor Authentication is a must-have for services based in the cloud, especially for accounts used for administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations to not only configure MFA for existing end users who use PowerShell, but also enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can prevent end users from having to go through the initial MFA setup process and use their currently configured mobile phone or office number for verification.

You'll need to download and install AADMPS before you can start using it and its PowerShell cmdlets. The module is available for x64, but there is also an x86 version.

After installation, you will have an extra shortcut called Windows Azure Active Directory Module for Windows PowerShell. This will start a PowerShell session with the module loaded. You could also import the module in an existing PowerShell session using Import-Module MSOnline.

The next step will be to connect to your Office 365 tenant using Connect-MsolService, providing valid administrator credentials.

Configure Office 365 Multifactor Authentication

To configure the Office 365 authentication for MFA, you need to define a strong authentication object:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = '*'

After that, enabling MFA for an end user with the User Principal Name [email protected] is as simple as:

Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @($st)

To disable MFA, use this cmdlet:

Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()

This only enables Office 365 Multifactor Authentication for those end users; they still need to go through the MFA setup process the next time they log in. Administrators can also preconfigure MFA for specific contact methods. In those cases, we need to enhance the previous cmdlets as follows:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = '*'
$st.State = 'Enforced'

In addition, we need to specify at least one strong authentication method object:

$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "OneWaySMS"

These are some of the possible options for MethodType:

  • OneWaySMS: Text code to mobile phone number;
  • TwoWayVoiceMobile: Call my mobile phone;
  • TwoWayVoiceOffice: Call my office phone;
  • TwoWayVoiceAlternateMobile: Call an alternate mobile phone number;
  • PhoneAppOTP: Show a one-time password (OTP) in application; for example, a six-digit number;
  • PhoneAppNotification: Notify me through an app using in-app verification.

You will notice that when end users configure PhoneAppNotification, they also get the PhoneAppOTP method configured by default, as a fallback for situations when there is no data coverage. The OneWaySMS, TwoWayVoiceMobile and TwoWayVoiceOffice methods use the mobile or office phone number attributes currently configured on the user object.

$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false   # only one method can be the default; $m1 already is
$m2.MethodType = "TwoWayVoiceMobile"

To enable end users for Office 365 authentication with MFA using these two contact methods, we configure the user object as follows:

Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @($st) -StrongAuthenticationMethods @($m1, $m2)

Over time, administrators may want to see MFA-enabled end users and what contact methods they've configured. MFA-enabled end users have their StrongAuthenticationRequirements attribute configured. When they've configured their MFA method, the StrongAuthenticationMethods attribute contains the configured method. With this knowledge, we can construct a cmdlet to get a list of MFA-enabled users and the configured methods (Figure 1):

Get-MsolUser | Where-Object {$_.StrongAuthenticationRequirements} | Select-Object UserPrincipalName, @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={$_.StrongAuthenticationMethods.MethodType}}

Figure 1: cmdlets for Office 365 MFA
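The steps above combined into one script, as an added example that is not part of the original article: it pre-configures MFA for several users at once and then produces the same report. It goes one step further than the single-user commands by checking the MobilePhone attribute first, since the SMS and voice methods depend on it. The helper names New-MfaRequirement and New-MfaMethod and the user list are assumptions; the script assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example, not the article's own code. Assumes Import-Module MSOnline and
# Connect-MsolService have already been run. The UPNs below are constructed placeholders.
$users = @('user1@example.com', 'user2@example.com')

function New-MfaRequirement {
    # Hypothetical helper: builds the StrongAuthenticationRequirement object from the article
    param([string]$State = 'Enforced')
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = '*'
    $st.State = $State
    return $st
}

function New-MfaMethod {
    # Hypothetical helper: builds one StrongAuthenticationMethod object
    param([string]$MethodType, [bool]$IsDefault = $false)
    $m = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $m.MethodType = $MethodType
    $m.IsDefault = $IsDefault
    return $m
}

foreach ($upn in $users) {
    try {
        $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    } catch {
        Write-Warning "Skipping ${upn}: $($_.Exception.Message)"
        continue
    }
    # OneWaySMS and TwoWayVoiceMobile use the user's existing MobilePhone attribute.
    # Without one, pre-configure the app-based methods instead so the user is not
    # enforced onto a verification path that cannot reach them.
    if ([string]::IsNullOrWhiteSpace($u.MobilePhone)) {
        $methods = @((New-MfaMethod 'PhoneAppNotification' $true), (New-MfaMethod 'PhoneAppOTP'))
    } else {
        $methods = @((New-MfaMethod 'OneWaySMS' $true), (New-MfaMethod 'TwoWayVoiceMobile'))
    }
    Set-MsolUser -UserPrincipalName $upn `
        -StrongAuthenticationRequirements @((New-MfaRequirement)) `
        -StrongAuthenticationMethods $methods
}

# Report: every MFA-enabled user, the requirement state and the configured methods
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName,
        @{n = 'MFA';     e = { $_.StrongAuthenticationRequirements.State }},
        @{n = 'Methods'; e = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' }}
```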

MFA-enabled administrators have browser-only access. One of the important applications that does not support MFA yet is the PowerShell module itself, but native support is planned for the later part of 2014. Until that time, MFA-enabled administrators are limited to the Office 365 admin center for regular management tasks. To run PowerShell cmdlets or scripts in their tenant, administrators should create and use a special-purpose account with a strong password, leaving MFA disabled on that account only.

About the author: 
Michel de Rooij is a consultant and Exchange MVP from the Netherlands. Michel started originally as a developer back in 1994 but quickly switched to infrastructure-related projects and started focusing on Exchange in 2004, covering a number of areas, including migrations, transitions, consolidation and disentanglement. Besides Exchange, Michel's other areas of interest are PowerShell, Active Directory, Lync and messaging in general. Michel is a contributor to The UC Architects podcast theucarchitects.com and blogs about Exchange and related subjects at eightwone.com.

Next Steps

Be sure to visit part one of this series, which introduces Office 365 Multifactor Authentication. The article includes how to configure MFA in Office 365 tenants with the Office 365 admin center as well as a brief look at the end user experience.
