Pre-Configure MFA to bypass MFA registration by end user
Issue Statement:
User accounts that are not protected with MFA are the ones getting compromised. You decide to enforce MFA on all user accounts, but there is a risk: a malicious user who already holds a valid password can complete the first-factor authentication and then register the second factor with a phone number under their own control by going to https://aka.ms/mfasetup or https://aka.ms/securityinfo. From then on every MFA challenge goes to the attacker's phone, and MFA adds no protection for that account.
Resolution:
Pre-populate each user's phone details and pre-configure MFA from an admin account so that end users never see the registration page and there is no window in which an attacker can register their own device. The steps are:
- Update the user's PhoneNumber and MobilePhone attributes with a number you have verified out of band (HR record, a call to the user), not one supplied by the requester over email or chat.
- If the user is cloud-only, sign in to the Azure Portal, find the user in Azure AD, edit the profile and enter these phone numbers.
- If the user is synced from on-premises, the attributes are authoritative on-prem: set them in Active Directory and let Azure AD Connect sync them to Azure AD.
- If you are creating a new cloud user, use the cmdlet below (UPN, phone number and password are placeholders):
New-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -PhoneNumber '+91 94642XXXXX' -MobilePhone '+91 94642XXXXX' -DisplayName User -Password 'P@$$w0rd'
- Note: the password is a temporary one, delivered to the user out of band, and should be changed after the first successful second-factor authentication once MFA is configured.
- Run the cmdlets below from the MSOnline module, after connecting with an admin account (Microsoft has deprecated MSOnline in favour of Microsoft Graph PowerShell, but the steps here use the cmdlets as written):
Connect-MsolService
# Require MFA for every relying party; State can be "Enabled" or "Enforced"
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements $sta
# Pre-select the default second factor: a voice call to the office PhoneNumber set earlier,
# so the user is never sent to the registration page
$sm = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm.IsDefault = $true
$sm.MethodType = "TwoWayVoiceOffice"
Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @($sm)
# Verify: both StrongAuthenticationRequirements and StrongAuthenticationMethods must be populated
Get-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com | Select-Object UserPrincipalName, PhoneNumber, MobilePhone, StrongAuthenticationRequirements, StrongAuthenticationMethods
- Sign in to the Azure Portal or an Office 365 app with the new user account: you receive a phone call on the pre-configured number straight away instead of the MFA registration page. If the registration page still appears, check the Get-MsolUser output: StrongAuthenticationMethods must be populated, not just StrongAuthenticationRequirements.
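The manual steps above wrapped into one function that handles new users, existing cloud-only users and directory-synced users, then reads the account back to confirm MFA is really pre-configured. This is an added example, not code from the original page: it assumes the MSOnline module is installed and that an admin has already run Connect-MsolService; the function name, the UPNs, phone numbers and the CSV file name are placeholders.

```powershell
# Added example (not from the original page). Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run as an admin. UPNs, phone
# numbers and the CSV name are placeholders.

function Set-PreconfiguredMfa {
    param(
        [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
        [Parameter(Mandatory = $true)] [string] $OfficePhone,   # e.g. '+91 94642XXXXX'
        [string] $MobilePhone,
        [string] $DisplayName,
        [string] $TempPassword,        # only needed when the user has to be created
        [ValidateSet('TwoWayVoiceOffice', 'TwoWayVoiceMobile', 'OneWaySMS')]
        [string] $DefaultMethod = 'TwoWayVoiceOffice'
    )

    # A typo here hands the second factor to a stranger, so refuse anything
    # that is not "+<country code> <digits>".
    if ($OfficePhone -notmatch '^\+\d{1,3} ?\d{4,14}$') {
        throw "OfficePhone '$OfficePhone' is not in '+<country code> <number>' form"
    }
    if (-not $MobilePhone) { $MobilePhone = $OfficePhone }
    if (-not $DisplayName) { $DisplayName = $UserPrincipalName.Split('@')[0] }

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        if (-not $TempPassword) {
            throw "$UserPrincipalName does not exist and no -TempPassword was given to create it"
        }
        # New cloud-only user: phone attributes are set at creation time.
        $user = New-MsolUser -UserPrincipalName $UserPrincipalName `
                             -DisplayName $DisplayName `
                             -PhoneNumber $OfficePhone `
                             -MobilePhone $MobilePhone `
                             -Password $TempPassword `
                             -ForceChangePassword $true
    }
    elseif ($user.LastDirSyncTime) {
        # Synced user: the phone attributes are owned by on-premises AD and must
        # arrive through Azure AD Connect, so only continue once they match.
        if ($user.PhoneNumber -ne $OfficePhone) {
            Write-Warning "$UserPrincipalName is directory-synced; set PhoneNumber on-prem and sync before enforcing MFA"
            return
        }
    }
    else {
        # Existing cloud-only user: overwrite whatever is there so a number
        # registered by someone else does not survive.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -PhoneNumber $OfficePhone -MobilePhone $MobilePhone
    }

    # Step 1: require MFA for every relying party (same object as in the article).
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)

    # Step 2: pre-select the default method so the registration page is skipped.
    $method = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $method.IsDefault = $true
    $method.MethodType = $DefaultMethod
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @($method)

    # Step 3: read back and report. Ready is $false if either piece is missing,
    # which is exactly the state that still shows the registration page.
    $check = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $check.UserPrincipalName
        PhoneNumber       = $check.PhoneNumber
        MfaState          = @($check.StrongAuthenticationRequirements)[0].State
        DefaultMethod     = ($check.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        Ready             = [bool]$check.StrongAuthenticationRequirements -and [bool]$check.StrongAuthenticationMethods
    }
}

# Bulk run from a constructed CSV with columns UserPrincipalName,OfficePhone,MobilePhone,DisplayName.
# Rows that come back with Ready = False need attention before the user is told to sign in.
Import-Csv -Path .\mfa-users.csv | ForEach-Object {
    Set-PreconfiguredMfa -UserPrincipalName $_.UserPrincipalName -OfficePhone $_.OfficePhone `
                         -MobilePhone $_.MobilePhone -DisplayName $_.DisplayName -TempPassword 'P@$$w0rd'
} | Format-Table -AutoSize
```

The Ready column is the check worth keeping: an account with StrongAuthenticationRequirements set but no StrongAuthenticationMethods is enforced for MFA yet still lands the user on the registration page, which is the exact window the article is trying to close.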