I cannot test this myself, so first try it out on a group of test users:
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService -Credential $cred

$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"

Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    $upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
    $mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
    if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
        Write-Host "Enforcing MFA for user $upn"
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
    else {
        Write-Host "MFA is already enforced for user $upn"
    }
}
Alternative code using Get-MsolRole and Get-MsolRoleMember:

$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred

$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"

$roles = Get-MsolRole -RoleName "Company Administrators"
foreach ($role in $roles) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
            Write-Host "Enforcing MFA for user $($_.DisplayName)"
            Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
        else {
            Write-Host "MFA is already enforced for user $($_.DisplayName)"
        }
    }
}
Update: If all you really need is a report of who is in the "Company Administrators" group and their MFA status, the code can be much simpler:

$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred

$roles = Get-MsolRole -RoleName "Company Administrators"
$result = foreach ($role in $roles) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
        [PsCustomObject]@{
            'UserName'     = $_.DisplayName
            'EmailAddress' = $_.EmailAddress
            'MFA_Status'   = $status
        }
    }
}

$result | Format-Table -AutoSize
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force
john.doe@somecompany.com that have UserPrincipalName jdoe@somecompany.com. The code should IMO always check using Get-ADUser to obtain the real UserPrincipalName to use with Get-MsolUser and Set-MsolUser. You can also use the ObjectId instead of UserPrincipalName for those cmdlets. P.S. the Get-MsolRoleMember returns an array of role member objects, hence the foreach{..} loop. - Theo
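The answer above recommends trying the enforcement on a group of test users first. The following is an added example, not code from the answer or its author: it wraps the same MSOnline cmdlets and StrongAuthenticationRequirement object in a function that supports -WhatIf (a dry run that only reports what would change), restricts changes to an explicit pilot list of UPNs, skips role members that are not users, and writes a before/after log to CSV so the change can be audited and reverted if needed. The function name Set-AdminMfaEnforcement, the -TestUsers and -LogPath parameters and the placeholder UPNs are assumptions of this example; it assumes Connect-MsolService has already been run as in the answer.

```powershell
# Added example (not part of the original answer): dry-run capable, pilot-scoped
# MFA enforcement for members of a directory role, with a CSV audit log.
# Assumes Connect-MsolService has already been run with a suitable credential.
Import-Module MSOnline

function Set-AdminMfaEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RoleName = 'Company Administrators',
        # Pilot list (assumption of this example): when given, only members whose
        # UserPrincipalName is in this list are changed; everyone else is reported only.
        [string[]]$TestUsers,
        # Audit log location (assumption of this example)
        [string]$LogPath = "$env:TEMP\mfa-enforcement.csv"
    )

    # Same requirement object as in the answer above
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RememberDevicesNotIssuedBefore = (Get-Date)
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enforced'

    $role = Get-MsolRole -RoleName $RoleName
    $log = foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Role members can also be groups or service principals; MFA applies to users only
        if ($member.RoleMemberType -ne 'User') { continue }

        $user = Get-MsolUser -ObjectId $member.ObjectId
        $current = if ($user.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
                   else { $user.StrongAuthenticationRequirements[0].State }

        $inScope = (-not $TestUsers) -or ($TestUsers -contains $user.UserPrincipalName)
        $action = 'Skipped'
        if ($current -eq 'Enforced') {
            $action = 'AlreadyEnforced'
        }
        elseif ($inScope) {
            # With -WhatIf, ShouldProcess prints "What if:" and returns $false, so nothing changes
            if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Enforce MFA')) {
                Set-MsolUser -ObjectId $user.ObjectId -StrongAuthenticationRequirements @($requirement)
                $action = 'Enforced'
            }
            else {
                $action = 'WouldEnforce'
            }
        }

        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            StatusBefore      = $current
            Action            = $action
            Timestamp         = (Get-Date).ToString('o')
        }
    }

    $log | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $log
}

# Usage: dry run over two pilot accounts (placeholder UPNs), review the output, then run for real.
# Set-AdminMfaEnforcement -TestUsers 'pilot1@example.com','pilot2@example.com' -WhatIf
# Set-AdminMfaEnforcement -TestUsers 'pilot1@example.com','pilot2@example.com'
```

Running once with -WhatIf and inspecting the Action column (WouldEnforce versus AlreadyEnforced) gives the list of accounts that would be changed before any Set-MsolUser call is made; dropping -TestUsers after the pilot applies the same logic to every user member of the role.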