2 Ways to Enable MFA for your M365 Users


Why Enable MFA?

Need to enable MFA for your M365 users? Maybe it is for one user or for many users. A good example is after a security breach, when you want to beef up security. Maybe you had security defaults turned off while you were getting prepared for MFA and now have to use the legacy interface to get your users enabled.

MFA makes good sense. It secures your logon so it is harder for an attacker to compromise your account. Unless you fall victim to an MFA fatigue attack, you are pretty safe. Also, if you enroll devices through Microsoft Endpoint, you can further secure the user by wiping the device in the event of a compromise.

I will show you two ways to do this. The first way is through the admin portal and the second way is with PowerShell. PowerShell is a great way to enable MFA for your M365 users through the use of a script.

Enable MFA for your M365 Users Using the M365 Admin Portal

In this case, all you have to do is log in to your Microsoft admin portal and go to Active Users in the left-hand pane of the page. Click on the Multifactor Authentication link to open the multifactor authentication screen.

Check the user(s) you want to enable MFA for and click “Enable” in the right pane. If you need to do this for only a few users, this is a good way to go. If you have many more to enable, this is not a very efficient way. Thank goodness there is PowerShell...

Enable MFA for your M365 Users Using PowerShell

The best feature of PowerShell is its ability to automate pretty much any task you need to accomplish in M365. I have written several articles about it. In this case, you would need to run the Set-MsolUser command. As mentioned in the previous section, if you need to do this for only a few users, you can also run this command for each of them by hand. However, if you need to run it for many users or your whole organization, you would need a CSV list of your users and a script that loops through the list running the Set-MsolUser command.

If you need to run this command for many users, this example script will help:

Connect-MsolService

# Declare variables
$CSVPathUPN = "C:\Files\Users.csv"

# Run script
Write-Host "Enabling MFA for all users...."

# Try to import the UPN CSV file; throw stops the script if the import fails
try {
    $UPNUsers = Import-Csv $CSVPathUPN -ErrorAction Stop
}
catch {
    throw "Error importing CSV: $($_.Exception.Message)"
}

foreach ($UPNUser in $UPNUsers) {

    $Uname = $UPNUser.UPName
    $Dname = $UPNUser.displayName

    # Build the MFA requirement object; "*" applies it to all relying parties
    $mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mf.RelyingParty = "*"
    # Set the state explicitly (Enabled, as opposed to Enforced)
    $mf.State = "Enabled"
    $mfa = @($mf)

    Set-MsolUser -UserPrincipalName $Uname -StrongAuthenticationRequirements $mfa

    Write-Host "Enabling MFA for $Dname ...."

}

Write-Host "Done Enabling MFA for All Users..."

The above script takes a CSV file with the field headings UPName and displayName, loads each row's values into the variables $Uname and $Dname, and uses the foreach loop to run the Set-MsolUser command for each user in the list.
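After a bulk run it is worth confirming that every account in the list actually ended up with MFA turned on. The following is an added example, not part of the original script: it assumes the same CSV layout (UPName, displayName), an existing Connect-MsolService session, and a hypothetical report path C:\Files\MfaReport.csv.

```powershell
# Added example: verify the per-user MFA state for every user in the CSV.
$CSVPathUPN = "C:\Files\Users.csv"          # same input file as the script above
$ReportPath = "C:\Files\MfaReport.csv"      # hypothetical output path (assumption)

# @() keeps a single-row CSV as an array so .Count and [0] behave predictably
$UPNUsers = @(Import-Csv $CSVPathUPN -ErrorAction Stop)
if ($UPNUsers.Count -eq 0) { throw "CSV contains no rows" }

# Fail early on a wrong header instead of passing empty UPNs to Get-MsolUser
if ($UPNUsers[0].PSObject.Properties.Name -notcontains "UPName") {
    throw "CSV is missing the UPName column"
}

$report = foreach ($UPNUser in $UPNUsers) {
    $upn = $UPNUser.UPName
    try {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        # An empty requirements list means per-user MFA is not set on the account
        $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $user.StrongAuthenticationRequirements[0].State
        } else { "Disabled" }
        [pscustomobject]@{
            UPN               = $upn
            DisplayName       = $UPNUser.displayName
            MfaState          = $state
            # 0 here means the user has not yet registered a second factor
            MethodsRegistered = $user.StrongAuthenticationMethods.Count
            Error             = $null
        }
    }
    catch {
        # Typo in the UPN, deleted account, etc.: record it rather than stop
        [pscustomobject]@{
            UPN = $upn; DisplayName = $UPNUser.displayName
            MfaState = "Unknown"; MethodsRegistered = $null
            Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv $ReportPath -NoTypeInformation

# Anything not Enabled or Enforced needs a second look
$missing = @($report | Where-Object { $_.MfaState -notin "Enabled", "Enforced" })
Write-Host "$($missing.Count) of $($report.Count) user(s) are not MFA-enabled"
```

Rows with MfaState "Unknown" usually point to a bad UPN in the CSV, which the enabling script would also have failed on.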

So now you have 2 ways to Enable MFA for your M365 Users depending on your situation.

Happy IT’ing

Dan


I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.
