Issue Statement:

User accounts that are not configured with MFA have been compromised. You now decide to force MFA on all user accounts, but there is a risk: a malicious user who already holds the password can complete first-factor authentication and then register the second factor with spoofed contact numbers by visiting https://aka.ms/mfasetup or https://aka.ms/securityinfo, so the attacker, not the legitimate user, ends up owning the MFA method.

Resolution:

Pre-populate the users' phone details and pre-configure MFA with an admin account so that end users never have to go through self-registration. Perform the following steps:

  1. Update the user's PhoneNumber and MobilePhone attributes.
    • If the user is cloud-only, sign in to the Azure Portal, find the user in Azure AD, edit the user's profile and fill in these phone numbers.
    • If the user is synced from on-premises AD, populate the attributes on-premises and let Azure AD Connect sync them to Azure AD.
    • If you are creating a new user, use the cmdlet below (the phone numbers are placeholders):
      New-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -PhoneNumber '+91 94642XXXXX' -MobilePhone '+91 94642XXXXX' -DisplayName User -Password 'P@$$w0rd'
    • Note: The password is a temporary password and can be changed after a successful second-factor authentication once MFA is configured.
  2. Run the cmdlets below (requires the MSOnline module and an existing Connect-MsolService session as an admin):
    # Require MFA for this user against every relying party ("*"); State can be "Enabled" or "Enforced"
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements $sta
    # Pre-select the default second factor: a voice call to the office phone (PhoneNumber attribute)
    $sm = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $sm.IsDefault = $true
    $sm.MethodType = "TwoWayVoiceOffice"
    Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @($sm)
    # Verify: StrongAuthenticationRequirements and StrongAuthenticationMethods should now be populated
    Get-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com | select *
  3. Sign in to the Azure Portal or an Office 365 app with the new user account and notice that you receive a phone call straight away instead of being shown the MFA registration page.
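To apply the same steps to many accounts, here is an added example script (not from the original post); it assumes the MSOnline module, an existing Connect-MsolService admin session, and a constructed CSV of UPNs and phone numbers. It refuses to enable MFA for any account whose phone attributes are missing, since that account would otherwise land on the self-registration page the issue statement warns about, and it finishes with an audit of accounts that are MFA-enabled but still have no registered method.

```powershell
# Constructed sample input; in practice use Import-Csv on your own file with the same columns.
$users = @"
UPN,PhoneNumber,MobilePhone
user1@your_tenant.onmicrosoft.com,+91 94642XXXXX,+91 94642XXXXX
user2@your_tenant.onmicrosoft.com,,
"@ | ConvertFrom-Csv

function Set-PreRegisteredMfa {
    # Hypothetical helper name; wraps steps 1 and 2 from the post for a single user.
    param([string]$Upn, [string]$Phone, [string]$Mobile)
    if ([string]::IsNullOrWhiteSpace($Phone) -or [string]::IsNullOrWhiteSpace($Mobile)) {
        # Do not enable MFA without a phone on file: the user (or an attacker) would be
        # asked to register a method on next sign-in.
        return [pscustomobject]@{ UPN = $Upn; Result = 'Skipped: phone attributes missing' }
    }
    # Step 1: populate the attributes the office-phone call relies on
    Set-MsolUser -UserPrincipalName $Upn -PhoneNumber $Phone -MobilePhone $Mobile

    # Step 2a: require MFA for every relying party
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($req)

    # Step 2b: pre-select a voice call to the office phone as the default method
    $method = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $method.IsDefault = $true
    $method.MethodType = 'TwoWayVoiceOffice'
    Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods @($method)

    # Verify that both a requirement and a default method are now recorded
    $u = Get-MsolUser -UserPrincipalName $Upn
    $ok = ($u.StrongAuthenticationRequirements.Count -gt 0) -and
          (($u.StrongAuthenticationMethods | Where-Object IsDefault).Count -gt 0)
    $result = if ($ok) { 'MFA pre-registered' } else { 'Verification failed' }
    return [pscustomobject]@{ UPN = $Upn; Result = $result }
}

function Get-UnregisteredMfaUsers {
    # Hypothetical helper name. Accounts that are MFA-enabled but have no registered method
    # are exactly the ones still exposed to attacker-controlled self-registration.
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 -and
                       $_.StrongAuthenticationMethods.Count -eq 0 } |
        Select-Object UserPrincipalName, PhoneNumber, MobilePhone
}

$users | ForEach-Object { Set-PreRegisteredMfa -Upn $_.UPN -Phone $_.PhoneNumber -Mobile $_.MobilePhone }
Get-UnregisteredMfaUsers
```

Any UPN returned by the final audit should be treated as an open registration window and either given a phone number and re-run through the function or blocked from signing in until it is.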
