
A few weeks ago a good friend of mine asked whether it would be possible to pre-register MFA for users in Azure AD. In short, yes it is!
In this blog, I'll show how to pre-register OTP and SMS MFA methods using AADInternals' Register-AADIntMFAApp and Set-AADIntUserMFA.
When deploying users to Azure AD, one can provide the basic user information, including the password. Nowadays, when MFA is (hopefully) required in most organisations,
pre-registering MFA would make it easier for users to start using Microsoft cloud services.
Also, when deploying users for trainings or demos, pre-registered MFA would remove one extra step from the users.
There are many ways to deploy users; one could use the Azure AD portal or one of the many PowerShell module options.
To pre-register MFA, the user deployment method doesn't matter, as long as we know the users' username and password.
The following script examples will use a users.csv file as input. The file must have the following columns populated:
| Column | Description |
|---|---|
| Username | UPN of the user |
| Password | Password of the user (must meet the tenant's complexity requirements) |
MSOnline module
The following script will provision users using the MSOnline module.
```powershell
# Connect to MSOnline
Connect-MsolService

# Read usernames and passwords from a .csv file
$users = Import-Csv -Path .\users.csv

# Deploy users
foreach($user in $users)
{
    # Extract the name from the UPN
    $name = $user.Username.Split("@")[0]

    # Deploy the user with the password from the .csv so that it is known for MFA pre-registration
    New-MsolUser -UserPrincipalName $user.Username -DisplayName $name -Password $user.Password -PasswordNeverExpires $true -ForceChangePassword $false
}
```
AzureAD module
The following script will provision users using the AzureAD module.
```powershell
# Connect to AzureAD
Connect-AzureAD

# Read usernames and passwords from a .csv file
$users = Import-Csv -Path .\users.csv

# Deploy users
foreach($user in $users)
{
    # Create a password profile
    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = $user.Password
    $passwordProfile.EnforceChangePasswordPolicy = $false
    $passwordProfile.ForceChangePasswordNextLogin = $false

    # Extract the name from the UPN
    $name = $user.Username.Split("@")[0]

    # Deploy the user
    New-AzureADUser -UserPrincipalName $user.Username -DisplayName $name -MailNickName $name -AccountEnabled $true -PasswordProfile $passwordProfile
}
```
MgGraph module (Microsoft Graph PowerShell SDK)
The following script will provision users using the MgGraph module.
```powershell
# Import AADInternals and get an access token for MgGraph (so there is no need to consent to the MgGraph app)
Import-Module AADInternals
$at = Get-AADIntAccessTokenForMSGraph

# Connect to MgGraph
Connect-MgGraph -AccessToken $at

# Read usernames and passwords from a .csv file
$users = Import-Csv -Path .\users.csv

# Deploy users
foreach($user in $users)
{
    # Create a password profile
    $passwordProfile = @{
        Password                      = $user.Password
        ForceChangePasswordNextSignIn = $false
    }

    # Extract the name from the UPN
    $name = $user.Username.Split("@")[0]

    # Deploy the user
    New-MgUser -UserPrincipalName $user.Username -DisplayName $name -MailNickName $name -AccountEnabled -PasswordProfile $passwordProfile
}
```
OTP
The following script will register a new OTP app for the given users and save the OTP secret to a .csv file.
The script below uses a users.csv file as input. The .csv file must have the following columns populated:
| Column | Description |
|---|---|
| Username | UPN of the user |
| Password | Password of the user |
The script uses the Register-AADIntMFAApp function to register a new OTP app for each user.
This may take up to 30 seconds per user. You can use the -Verbose switch to see what's happening under the hood.
The OTP secret will be saved in users.csv in the OathSecretKey column. The secret can then be used in authenticator apps, like Microsoft Authenticator and Google Authenticator.
```powershell
# Import AADInternals
Import-Module AADInternals

# Read usernames and passwords from a .csv file
$users = Import-Csv -Path .\users.csv

# Deploy MFA
foreach($user in $users)
{
    # Create a PSCredential object
    $creds = [pscredential]::new($user.Username,($user.Password | ConvertTo-SecureString -AsPlainText -Force))

    # Get an access token for MySignins
    $at = Get-AADIntAccessTokenForMySignins -Credentials $creds

    try
    {
        # Register a new OTP app for the user (add -Verbose to see what is happening under the hood)
        $result = Register-AADIntMFAApp -AccessToken $at -Type OTP

        # Save the OTP secret to the user object
        $user | Add-Member -NotePropertyName "OathSecretKey" -NotePropertyValue $result.OathSecretKey
    }
    catch{}
}

# Export to a .csv file
$users | Export-Csv -Path .\users.csv
```
The resulting .csv file has the following columns:
| Column | Description |
|---|---|
| Username | UPN of the user |
| Password | Password of the user |
| OathSecretKey | OTP secret to be used with authenticator apps |
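Before handing the secret to a user (or an authenticator app), it is worth checking that the stored OathSecretKey really produces the codes an app would show, and building the otpauth:// URI that most apps can import. The script below is an added example and is not code from the original post or from AADInternals. It assumes the secret is a Base32 (RFC 4648) string, as Azure AD displays it, and that the app uses the standard TOTP parameters (HMAC-SHA1, 6 digits, 30-second step); the issuer label, the sample RFC 6238 key and the users.csv path are placeholders. Because users.csv now holds both the password and the OTP secret, keep the file as tightly protected as the accounts themselves and delete the OathSecretKey column once the secrets have been delivered.

```powershell
# Added example (not from the original post or AADInternals): derive an otpauth:// URI
# and the current TOTP code from the OathSecretKey column written by the OTP script.
# Assumptions: Base32 secret, HMAC-SHA1, 6 digits, 30-second step; placeholder issuer.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    # Azure AD shows the key in lower case with spaces; normalise and drop padding
    $clean = $Base32.ToUpperInvariant() -replace '[\s=]', ''
    $bits  = [System.Text.StringBuilder]::new()
    foreach ($c in $clean.ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $bitString = $bits.ToString()
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bitString.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    $key     = ConvertFrom-Base32 -Base32 $Secret
    $counter = [long][math]::Floor($UnixTime / $Step)
    # RFC 4226: the moving factor is an 8-byte big-endian counter
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hash   = [System.Security.Cryptography.HMACSHA1]::new($key).ComputeHash($msg)
    # Dynamic truncation: 4 bytes starting at the offset given by the low nibble of the last byte
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (
        (($hash[$offset]     -band 0x7F) -shl 24) -bor
        (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
        (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
         ($hash[$offset + 3] -band 0xFF)
    )
    $modulus = [long][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function New-OtpAuthUri {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Secret,
        [string]$Issuer = 'Contoso'   # placeholder issuer shown by the authenticator app
    )
    $label  = [uri]::EscapeDataString("${Issuer}:${Username}")
    $secret = $Secret.ToUpperInvariant() -replace '[\s=]', ''
    $issuer = [uri]::EscapeDataString($Issuer)
    return "otpauth://totp/${label}?secret=${secret}&issuer=${issuer}&algorithm=SHA1&digits=6&period=30"
}

# Self-check against the RFC 6238 Appendix B vector: key "12345678901234567890"
# (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at T=59 must give the 6-digit code 287082
if ((Get-TotpCode -Secret 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -UnixTime 59) -ne '287082') {
    throw 'TOTP implementation does not match the RFC 6238 test vector'
}

# For every row the OTP script filled in, show the URI to hand over and the code
# an authenticator app should display right now (compare it with the app before delivery)
foreach ($user in (Import-Csv -Path .\users.csv | Where-Object { $_.OathSecretKey })) {
    [pscustomobject]@{
        Username    = $user.Username
        OtpAuthUri  = New-OtpAuthUri -Username $user.Username -Secret $user.OathSecretKey
        CurrentCode = Get-TotpCode -Secret $user.OathSecretKey
    }
}
```

The self-check throws if the TOTP arithmetic drifts from the published test vector, so a wrong code for a real user points at the stored secret rather than at this script; the CurrentCode column should match what Microsoft Authenticator or Google Authenticator shows for the same secret within the same 30-second window.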
SMS
The following script will set the MFA phone number and select SMS as the default MFA method for the given users.
Note: This script uses the AADGraph API, which is scheduled to be deprecated by June 30, 2023.
The script below uses a users.csv file as input. The .csv file must have the following columns populated:
| Column | Description |
|---|---|
| Username | UPN of the user |
| PhoneNumber | Phone number of the user in the format "+CCC NNNNNNN", where CCC is the country code and NNNNNNN the phone number without the leading zero. |
The script uses the Set-AADIntUserMFA function to set the MFA phone number of each user and select SMS as the MFA method.
```powershell
# Import AADInternals
Import-Module AADInternals

# Get an access token
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Read usernames and phone numbers from a .csv file
$users = Import-Csv -Path .\users.csv

# Deploy MFA
foreach($user in $users)
{
    try
    {
        # Set the phone number and the default MFA method
        Set-AADIntUserMFA -UserPrincipalName $user.Username -PhoneNumber $user.PhoneNumber -DefaultMethod OneWaySMS
    }
    catch{}
}
```
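The empty catch{} in the script above hides exactly the failures you need to know about when rolling MFA out to many accounts: a malformed number, a UPN that does not exist, or an API call that errored. The following added example (not code from the original post or from AADInternals) validates each row against the "+CCC NNNNNNN" format described above before calling Set-AADIntUserMFA, supports a dry run, and produces a per-user result report. The sample rows, the contoso.example domain and the report path are constructed placeholders.

```powershell
# Added example (not from the original post or AADInternals): validate users.csv rows,
# then call Set-AADIntUserMFA with a per-user result log instead of an empty catch{}.
# Sample rows and the report path are placeholders.

function Test-MfaRow {
    param([Parameter(Mandatory)]$Row)
    $problems = @()
    if ($Row.Username -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problems += "Username '$($Row.Username)' is not a UPN"
    }
    # "+CCC NNNNNNN": 1-3 digit country code, a space, subscriber number without leading zero
    if ($Row.PhoneNumber -notmatch '^\+\d{1,3} [1-9]\d{3,13}$') {
        $problems += "PhoneNumber '$($Row.PhoneNumber)' does not match '+CCC NNNNNNN'"
    }
    return ,$problems
}

function Set-MfaFromCsv {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [switch]$WhatIf   # report what would be done without touching Azure AD
    )
    foreach ($row in $Rows) {
        $problems = @(Test-MfaRow -Row $row)
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Username = $row.Username; Status = 'Skipped';  Detail = ($problems -join '; ') }
            continue
        }
        if ($WhatIf) {
            [pscustomobject]@{ Username = $row.Username; Status = 'WouldSet'; Detail = $row.PhoneNumber }
            continue
        }
        try {
            # Same call as in the script above, now with the outcome recorded
            Set-AADIntUserMFA -UserPrincipalName $row.Username -PhoneNumber $row.PhoneNumber -DefaultMethod OneWaySMS
            [pscustomobject]@{ Username = $row.Username; Status = 'Set';      Detail = $row.PhoneNumber }
        }
        catch {
            # Record the error instead of swallowing it
            [pscustomobject]@{ Username = $row.Username; Status = 'Failed';   Detail = $_.Exception.Message }
        }
    }
}

# Constructed sample rows; in practice use: $rows = Import-Csv -Path .\users.csv
$rows = @(
    [pscustomobject]@{ Username = 'alice@contoso.example'; PhoneNumber = '+358 401234567' }
    [pscustomobject]@{ Username = 'bob@contoso.example';   PhoneNumber = '+358 0401234567' }  # leading zero, will be skipped
    [pscustomobject]@{ Username = 'not-a-upn';             PhoneNumber = '+1 2025550123' }    # not a UPN, will be skipped
)

# Dry run first; once the report is clean, run the same call without -WhatIf after
# Import-Module AADInternals and Get-AADIntAccessTokenForAADGraph -SaveToCache
$report = Set-MfaFromCsv -Rows $rows -WhatIf
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-sms-report.csv -NoTypeInformation
```

The report lists every row with a Status of Skipped, WouldSet, Set or Failed, so the rows that never reached Azure AD are visible alongside the ones the API rejected, which is the information the original catch{} discards.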
AADInternals can be used to automate pre-registering OTP and SMS MFA methods for users.
AADInternals will "verify" the OTP app automatically, so it can be used right after registration (as can the SMS method).