Pre-Configure MFA to bypass MFA registration by end user
User accounts that are not protected with MFA are the ones that get compromised. Suppose you now decide to enforce MFA on all user accounts. There is still a risk: a malicious user who holds the password can complete first-factor authentication and then register the second factor themselves, with an attacker-controlled (spoofed) contact number, by going to https://aka.ms/mfasetup or https://aka.ms/securityinfo.
To close that gap, pre-populate the users' phone details and pre-configure MFA from an admin account, so that end users never have to go through self-service registration. Below are the steps you need to perform for this purpose:
- Update the user's PhoneNumber and MobilePhone attributes.
- If the user is cloud-only, sign in to the Azure Portal, find the user in Azure AD, edit the user's profile and enter the phone numbers there.
- If the user is synced from on-premises AD, set the attributes on-premises and sync them with Azure AD Connect.
- If you are creating a new user, use the cmdlet below:
New-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -PhoneNumber '+91 94642XXXXX' -MobilePhone '+91 94642XXXXX' -DisplayName User -Password 'P@$$w0rd'
- Note: The password is a temporary password and can be changed after a successful second-factor authentication once MFA is configured.
- Run the cmdlets below (the MSOnline module must be installed and you must connect with an admin account first):
Import-Module MSOnline
Connect-MsolService
# Require MFA for every relying party (State "Enabled" means the user is prompted at next sign-in)
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements $sta
# Register the default verification method on the user's behalf: a two-way voice call to the office PhoneNumber set earlier
$sm = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm.IsDefault = $true
$sm.MethodType = "TwoWayVoiceOffice"
Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @($sm)
# Verify: StrongAuthenticationRequirements should show State Enabled and StrongAuthenticationMethods should list TwoWayVoiceOffice as default
Get-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com | Select-Object *
- Try to sign in to the Azure Portal or Office 365 apps with the new user account and notice that you receive a phone call straight away instead of being sent to the MFA registration page.
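The steps above handle one user at a time. The script below is an added example, not code from the original post: it applies the same three cmdlet steps to every user listed in a CSV file, then reports any user whose MFA requirement is set but who still has no registered method, because that user would still be sent to the self-service registration page on next sign-in, which is exactly the window the post is trying to remove. The CSV path and column names are assumptions for the example; the cmdlets and object types are the MSOnline ones used above.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is installed
# and a CSV at the hypothetical path below with the columns UserPrincipalName, PhoneNumber, MobilePhone.
Import-Module MSOnline
Connect-MsolService

# Constructed input file (placeholder path and columns); phone numbers come from HR/admin data, never from the user
$users = Import-Csv -Path '.\mfa-users.csv'

foreach ($u in $users) {
    # Step 1: admin sets the phone attributes, so the second factor is bound to a number the organisation owns
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PhoneNumber $u.PhoneNumber -MobilePhone $u.MobilePhone

    # Step 2: require MFA for all relying parties
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)

    # Step 3: pre-register the default method (voice call to the office number set in step 1)
    $method = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $method.IsDefault = $true
    $method.MethodType = 'TwoWayVoiceOffice'
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationMethods @($method)
}

# Check: users with an MFA requirement but no registered method are still exposed to
# self-service registration by whoever first signs in with the password.
Get-MsolUser -All |
    Where-Object {
        $_.StrongAuthenticationRequirements.Count -gt 0 -and
        $_.StrongAuthenticationMethods.Count -eq 0
    } |
    Select-Object UserPrincipalName, PhoneNumber, MobilePhone,
        @{ Name = 'MfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } }
```

Run the final query on its own periodically as well: a user who appears in its output has MFA required but no admin-registered method, and should be fixed with steps 1 to 3 before the temporary password is handed out.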