Implementing Multi-Factor Authentication Policies using PnP PowerShell

1. Introduction

Multi-Factor Authentication (MFA) is an essential security measure that adds a further layer of protection to user sign-ins in Microsoft 365 and SharePoint Online. Using PnP PowerShell, administrators can:

Enable MFA for users and groups
Enforce conditional access policies
Monitor MFA usage and reports
Automate MFA configuration and enforcement

This guide will cover the step-by-step process to implement and manage MFA policies using PnP PowerShell.


2. Prerequisites

Before implementing MFA policies, ensure the following:

  • PnP PowerShell is installed:
    Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force
  • The Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and, for the Set-MsolUser examples, the legacy MSOnline module (Install-Module MSOnline, Windows PowerShell 5.1) are installed, since the cmdlets used below come from those modules
  • You have Global Admin or Security Admin permissions
  • Microsoft Entra ID P1 or P2 licensing (formerly Azure Active Directory Premium), required for Conditional Access Policies
  • Microsoft Entra ID (formerly Azure AD)

3. Understanding MFA in Microsoft 365

MFA requires users to verify their identity using at least two authentication methods:

Something they know (Password, PIN)
Something they have (Phone, Authenticator app)
Something they are (Fingerprint, Face ID)

MFA policies can be configured using PnP PowerShell, Microsoft Entra ID, and Conditional Access policies.


4. Connecting to Microsoft 365 with PnP PowerShell

Before enabling MFA, connect to Microsoft 365:

# Microsoft Graph PowerShell SDK. The last three scopes are needed by the authentication-method
# and sign-in-log cmdlets used in sections 6 and 8; consent to them once, here.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "Directory.Read.All"

  • This connects to Microsoft Graph, which manages MFA settings.
  • You will be prompted to authenticate as a Global Admin and, on first use, to consent to the requested scopes.

To verify the connection:

Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName

This lists the first 5 users in your Microsoft 365 tenant.


5. Enabling MFA for Users Using PnP PowerShell

To enable MFA for a specific user:

# Set-MsolUser comes from the legacy MSOnline module (deprecated by Microsoft in favour of Graph);
# it needs its own sign-in, separate from Connect-MgGraph
Import-Module MSOnline
Connect-MsolService

$User = "user@example.com"
$MfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
    State        = "Enabled"   # "Enabled" asks the user to register at next sign-in; "Enforced" applies once registration is complete
    RelyingParty = "*"         # apply to every application
}
Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements @($MfaRequirement)
Write-Host "MFA Enabled for $User"

This enforces MFA for the specified user.

Enable MFA for All Users

To enable MFA for all users in the organization:

# Needs both sessions: Connect-MgGraph (to list users) and Connect-MsolService (to set MFA).
# Get-MgUser does not return UserType by default, so filter server-side and request the properties used below.
$Users = Get-MgUser -All -Filter "userType eq 'Member'" -Property DisplayName,UserPrincipalName
foreach ($User in $Users) {
    $MfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
        State        = "Enabled"
        RelyingParty = "*"
    }
    Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @($MfaRequirement)
    Write-Host "MFA Enabled for $($User.DisplayName)"
}

This loops through all users and enables MFA for them.


6. Managing MFA Authentication Methods

A. List Users and Their MFA Status

To check which users have MFA enabled:

# Get-MgUserAuthenticationMethod is per user (-UserId is required) and needs the UserAuthenticationMethod.Read.All scope
Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
    $Methods = Get-MgUserAuthenticationMethod -UserId $_.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }
    [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; Methods = ($Methods -join ', ') }
}

✔ This lists each user with the authentication methods they have registered (for example microsoftAuthenticatorAuthenticationMethod or phoneAuthenticationMethod); a user whose only method is passwordAuthenticationMethod has not registered for MFA.

B. Remove MFA for a User

To disable MFA for a user:

# Legacy MSOnline module again (Connect-MsolService first); an empty array clears the per-user MFA requirement
Set-MsolUser -UserPrincipalName "user@example.com" -StrongAuthenticationRequirements @()
Write-Host "MFA Disabled for user@example.com"

Removes MFA enforcement for the specified user.


7. Enforcing Conditional Access Policies for MFA

Conditional Access Policies allow MFA to be enforced based on risk conditions like:

🔹 Location-based MFA (Block access outside trusted locations)
🔹 Device-based MFA (Block access from unmanaged devices)
🔹 App-based MFA (Require MFA for certain apps like SharePoint)

A. Create a Conditional Access Policy for MFA

# Conditional Access cmdlets live in Microsoft.Graph.Identity.SignIns; the whole policy goes in one hashtable
# passed as -BodyParameter. Every policy must name the users it applies to, so the Users condition is required.
$PolicyName = "Require MFA for SharePoint"
$Policy = @{
    DisplayName   = $PolicyName
    State         = "enabled"   # use "enabledForReportingButNotConfigured" to test in report-only mode first
    Conditions    = @{
        Applications = @{
            IncludeApplications = @("00000003-0000-0ff1-ce00-000000000000") # SharePoint Online App ID
        }
        Users = @{
            IncludeUsers = @("All")
        }
        SignInRiskLevels = @("medium", "high")   # sign-in risk needs Entra ID P2 (Identity Protection)
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
Write-Host "Conditional Access Policy '$PolicyName' applied."

This requires MFA for every SharePoint Online sign-in that is scored at medium or high sign-in risk; sign-ins at low or no risk are not affected by this policy.
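The location-, device- and app-based variants listed above all share the same shape, and the safe way to roll any of them out is to start in report-only mode and keep an emergency-access account out of the policy. The following script is an added example, not code from the original article: it creates a tenant-wide "require MFA" policy in report-only state, resolves and excludes a break-glass account (the UPN is a placeholder), and refuses to create a duplicate if a policy of the same name already exists. It assumes an existing Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess and User.Read.All scopes.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph has already been run with
# Policy.ReadWrite.ConditionalAccess and User.Read.All. The break-glass UPN is a placeholder.
$PolicyName    = "Require MFA for all users (report-only)"
$BreakGlassUpn = "breakglass@example.com"   # placeholder: replace with your emergency-access account

# Conditional Access works on object IDs, so resolve the UPN first and stop if it does not exist
try {
    $BreakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id -ErrorAction Stop
}
catch {
    throw "Break-glass account '$BreakGlassUpn' not found; refusing to create a policy that could lock admins out"
}

# Do not create a second copy if the policy already exists
$Existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if ($Existing) {
    Write-Host "Policy '$PolicyName' already exists (state: $($Existing.State)); nothing to do."
    return
}

$Policy = @{
    DisplayName   = $PolicyName
    # Report-only records what the policy *would* have done in the sign-in logs without blocking anyone;
    # switch to "enabled" once the report-only results look right.
    State         = "enabledForReportingButNotConfigured"
    Conditions    = @{
        Applications = @{ IncludeApplications = @("All") }
        Users        = @{
            IncludeUsers = @("All")
            ExcludeUsers = @($BreakGlass.Id)   # emergency-access account stays outside MFA-dependent policies
        }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
Write-Host "Created policy '$($Created.DisplayName)' with id $($Created.Id) in state $($Created.State)"
```

Review the report-only results in the sign-in logs (the ConditionalAccessStatus column shows reportOnly outcomes) before switching the state to "enabled"; the exclusion of the break-glass account should stay in place afterwards.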


8. Monitoring and Auditing MFA Usage

A. View Users Who Recently Signed in Using MFA

# Sign-in logs need the AuditLog.Read.All scope. Graph records MFA sign-ins with
# authenticationRequirement = 'multiFactorAuthentication' (there is no 'mfa' value), so filter on that.
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.AuthenticationRequirement -eq 'multiFactorAuthentication' } |
    Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, ConditionalAccessStatus

Retrieves sign-in logs for users who used MFA.

B. Export MFA Users Report

# One row per user; a user whose only method is passwordAuthenticationMethod has no MFA method registered
$MFAUsers = Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
    $Methods    = Get-MgUserAuthenticationMethod -UserId $_.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }
    $MfaMethods = $Methods | Where-Object { $_ -ne 'passwordAuthenticationMethod' }
    if ($MfaMethods) { [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; MfaMethods = ($MfaMethods -join ', ') } }
}
$MFAUsers | Export-Csv -Path "C:\Reports\MFAUsers.csv" -NoTypeInformation
Write-Host "MFA Users report exported."

Exports a CSV report of users with MFA enabled.
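Walking every user's methods is slow on a large tenant, and it does not tell you which of the unregistered users are administrators, which is the gap that matters most. The script below is an added example, not part of the original article: it uses the Entra authentication-methods registration report (Get-MgReportAuthenticationMethodUserRegistrationDetail, one call for the whole tenant) to summarise MFA registration and to export the users who have not registered, admins first. It assumes Connect-MgGraph was run with the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes and that the tenant has Entra ID P1 or P2 licensing, which this report requires; the output path is a placeholder.

```powershell
# Added example, not from the original article. Assumes Connect-MgGraph was run with
# AuditLog.Read.All and UserAuthenticationMethod.Read.All, on a tenant licensed for Entra ID P1/P2.
$ReportPath = "C:\Reports\MFA-Registration-Gaps.csv"   # placeholder output path

# One call returns a registration record per user, including whether the user holds an admin role
$Details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# Tenant-wide summary: how many users are registered, how many are not, and how many admins are exposed
$Summary = [pscustomobject]@{
    TotalUsers       = $Details.Count
    MfaRegistered    = @($Details | Where-Object { $_.IsMfaRegistered }).Count
    NotRegistered    = @($Details | Where-Object { -not $_.IsMfaRegistered }).Count
    AdminsWithoutMfa = @($Details | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }).Count
}
$Summary | Format-List

# Admins without MFA are the highest-risk gap, so they sort to the top of the export
$Gaps = $Details |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, IsMfaCapable,
                  @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ', ' } },
                  LastUpdatedDateTime

$Gaps | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($Gaps).Count) users without MFA registration written to $ReportPath ($($Summary.AdminsWithoutMfa) hold admin roles)"
```

IsMfaRegistered means the user has completed registration of at least one strong method; IsMfaCapable additionally means one of those methods is allowed by the tenant's authentication-methods policy, so a registered-but-not-capable user would still fail an MFA prompt and belongs in the follow-up list as well.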


9. Automating MFA Policy Enforcement

To automate the enforcement of MFA policies, schedule a PowerShell script.

A. Save the Script

# Connect to Microsoft Graph (to list users). Without -ClientId/-TenantId/-CertificateThumbprint this
# prompts interactively, so a scheduled task needs app-only (certificate) authentication instead.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# Connect to the legacy MSOnline service, which Set-MsolUser requires (prompts unless given -Credential)
Import-Module MSOnline
Connect-MsolService

# Enforce MFA for all users
$Users = Get-MgUser -All -Property UserPrincipalName
foreach ($User in $Users) {
    $MfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
        State        = "Enabled"
        RelyingParty = "*"
    }
    Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @($MfaRequirement)
}
Write-Host "MFA enforcement completed."

B. Schedule the Script

  1. Open Task Scheduler.
  2. Click Create Basic Task.
  3. Set Trigger (e.g., Daily at 12:00 AM).
  4. Set Action > Start a Program.
  5. Set Program/Script to powershell.exe.
  6. In Add Arguments, enter: -File "C:\Path\To\MFA-Enforce.ps1"
  7. Click Finish to enable automation.

Now, MFA policies are automatically enforced!
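The seven Task Scheduler steps above can be done in PowerShell as well, which makes the registration repeatable and lets you pin down the two things an unattended run depends on: the process must never wait on a prompt, and it must run under a dedicated account rather than a personal admin login. The script below is an added example, not code from the original article. The script path, task name and service-account name are placeholders, and it assumes the scheduled script itself signs in non-interactively (for Graph, Connect-MgGraph with -ClientId, -TenantId and -CertificateThumbprint on an app registration that holds the needed permissions).

```powershell
# Added example, not from the original article. Registers the daily task from section 9B with the
# ScheduledTasks module instead of the Task Scheduler GUI. Paths and account names are placeholders.
$ScriptPath = "C:\Path\To\MFA-Enforce.ps1"
$TaskName   = "Enforce MFA Policies"
$RunAs      = "DOMAIN\svc-mfa-enforce"   # placeholder: a dedicated least-privilege service account

if (-not (Test-Path -Path $ScriptPath)) { throw "Script not found: $ScriptPath" }

# -NonInteractive makes an unattended run fail fast instead of hanging on a login or consent prompt;
# -NoProfile keeps a user's profile script from altering what runs
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

$Trigger  = New-ScheduledTaskTrigger -Daily -At "00:00"
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# The account's password is needed so the task can run whether or not anyone is logged on;
# ask for it rather than embedding it in the script
$Cred = Get-Credential -UserName $RunAs -Message "Password for the account that will run '$TaskName'"

# Remove any existing task of the same name so re-running this registration is safe
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

Write-Host "Registered '$TaskName' to run $ScriptPath daily at midnight as $($Cred.UserName)"
```

Because the scheduled script changes MFA settings for every user, treat MFA-Enforce.ps1 itself as a sensitive file: restrict write access to it, since anyone who can edit it runs code with the service account's directory permissions on the next trigger.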
