Enable MFA on all global admins in customers’ Office 365 Tenants

At Microsoft Ignite this year, it was revealed that less than 2% of all global admins in Office 365 had multi-factor authentication (MFA) enabled. It was also reported that MFA can reduce account compromises by 99.9%.

If you’re a Microsoft Partner looking after a number of tenants, it’s likely you have administrators set up in customer environments to perform tasks that can’t be achieved via delegated administration (e.g. converting mailboxes to shared mailboxes). It’s also possible that many of these admins aren’t set up with MFA.

The following scripts can help enable MFA on these accounts so that you or your technicians will be forced to configure MFA on the next logon. I’ve also included a script that you can use to block these accounts until you’re ready to unblock them and complete MFA registration.

How to run these scripts to enable MFA for admins in your customers’ Office 365 tenants

  1. Double click on a script below to select it all
  2. Copy and paste it into Visual Studio Code and save it as a .ps1 file
  3. Install the recommended PowerShell extension if you haven’t already
  4. Run it by pressing F5
Retrieve a list of all Office 365 customers’ global admins without multi-factor authentication

This script will retrieve all global administrators in customer tenants that don’t have multi-factor authentication enabled or enforced, and export them to a CSV at C:\temp\nonMFAAdmins.csv.

Once exported, you can edit the CSV to exclude any admins that you don’t want to input into the next script.

Connect-MsolService

# Make sure the output folder exists before Export-Csv appends to it
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null

$customers = Get-MsolPartnerContract -All
$role = Get-MsolRole | Where-Object {$_.Name -eq "Company Administrator"}

foreach($customer in $customers){

    # -All avoids the default 500-object page limit, which would hide admins in larger tenants
    $users = Get-MsolUser -TenantId $customer.TenantId -All
    $admins = Get-MsolRoleMember -TenantId $customer.TenantId -RoleObjectId $role.ObjectId -All

    foreach($admin in $admins){
        # Match the role member back to its full user object (EmailAddress holds the UPN for user members)
        $adminuser = $users | Where-Object {$_.UserPrincipalName -eq $admin.EmailAddress}
        if($adminuser){
            $mfaState = $adminuser.StrongAuthenticationRequirements.State
            if($mfaState -notcontains "Enforced" -and $mfaState -notcontains "Enabled"){
                Write-Host "No MFA enabled for $($adminuser.UserPrincipalName)"
                $adminuser | Add-Member -NotePropertyName TenantId -NotePropertyValue $customer.TenantId
                $adminuser | Add-Member -NotePropertyName CustomerName -NotePropertyValue $customer.Name
                $adminuser | Select-Object TenantId,CustomerName,DisplayName,UserPrincipalName,IsLicensed,@{n="MFAStatus";e={$_.StrongAuthenticationRequirements.State}} | Export-Csv C:\temp\nonMFAAdmins.csv -NoTypeInformation -Append
            }else{
                Write-Host "MFA enabled for $($adminuser.UserPrincipalName)" -ForegroundColor Green
            }
        }
    }
}
Enable multi-factor authentication on admins in customers’ Office 365 tenants

This script imports the administrators exported by the previous script and sets their multi-factor authentication state to Enabled. Once complete, these admins will be prompted to complete the MFA registration process on their next logon.

I’ve set a condition on this script to only enable MFA on unlicensed global admins. If you want to enable MFA on licensed global admins, you can remove or modify the if statement within the foreach loop.

Before running this script, you should review the exported CSV from the previous script to ensure you are not enabling MFA on any service accounts that do not support MFA.

Once this script has completed, a list of admins with MFA enabled will be exported to another CSV at C:\temp\MFAEnabledAdmins.csv.

You can edit this exported CSV to exclude any admins that you don’t want to input into the next script.

Connect-MsolService
$admins = Import-Csv C:\temp\nonMFAAdmins.csv

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled"
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

foreach ($admin in $admins) {

    # Only unlicensed global admins are changed; remove or modify this check to include licensed admins
    if ($admin.IsLicensed -eq "FALSE") {
        Write-Host "Enabling MFA for $($admin.UserPrincipalName)" -ForegroundColor Green
        Set-MsolUser -UserPrincipalName $admin.UserPrincipalName -StrongAuthenticationRequirements @($auth) -TenantId $admin.TenantId
        # Read the state back so the exported CSV reflects what the tenant actually holds
        $state = (Get-MsolUser -TenantId $admin.TenantId -UserPrincipalName $admin.UserPrincipalName).StrongAuthenticationRequirements.State
        $admin.MFAStatus = ($state -join ',')
        # Admins that now have MFA enabled feed the block and undo scripts below
        $admin | Export-Csv C:\temp\MFAEnabledAdmins.csv -NoTypeInformation -Append
    }
    else {
        Write-Host "Not enabling MFA for $($admin.UserPrincipalName)" -ForegroundColor Red
        # Skipped (licensed) admins are recorded separately for review
        $admin | Export-Csv C:\temp\adminMFAStatus.csv -NoTypeInformation -Append
    }
}
Block admins in customer tenants until multi-factor authentication can be registered

Now that MFA is enabled, registration has not yet happened: anyone who has the admin password can complete multi-factor registration on the next logon, so the first person to sign in with that password, legitimate or not, chooses the second factor.

If you’d like to prevent access to these accounts until one of your team is ready to configure MFA, you can run the following script to block their credentials. You can unblock them later via PowerShell or the Office 365 portal.

Before running this script, you should review the exported CSV from the previous script to ensure you are not blocking any required accounts.

Connect-MsolService
$admins = Import-Csv C:\temp\MFAEnabledAdmins.csv

foreach($admin in $admins){
    # BlockCredential prevents sign-in entirely; it does not change the MFA requirement already set
    Write-Host "Blocking $($admin.UserPrincipalName)"
    Set-MsolUser -TenantId $admin.TenantId -UserPrincipalName $admin.UserPrincipalName -BlockCredential $true
}
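The gap described above, between an admin being able to sign in with MFA Enabled and a second factor actually being registered, is visible in the MSOnline user object: StrongAuthenticationRequirements says whether MFA is required, StrongAuthenticationMethods says whether anything has been registered. The following audit script is an added example, not part of the original article. It reads the C:\temp\MFAEnabledAdmins.csv produced above and reports, per admin, the requirement state, the registered methods and whether credentials are blocked, flagging the risky combination of an unblocked account with no registered method. The report path C:\temp\MFARegistrationStatus.csv is an assumed name the article does not use.

```powershell
# Added example, not from the original article: audit MFA registration status for the
# admins in C:\temp\MFAEnabledAdmins.csv. Read-only apart from writing the report CSV.
Connect-MsolService

$admins = Import-Csv C:\temp\MFAEnabledAdmins.csv
$report = "C:\temp\MFARegistrationStatus.csv"   # assumed output path, not used by the article

foreach ($admin in $admins) {
    $user = Get-MsolUser -TenantId $admin.TenantId -UserPrincipalName $admin.UserPrincipalName

    # The requirement State ("Enabled"/"Enforced") only says MFA is required; whether a
    # second factor has actually been registered is shown by StrongAuthenticationMethods.
    $state   = ($user.StrongAuthenticationRequirements | ForEach-Object { $_.State }) -join ','
    $methods = @($user.StrongAuthenticationMethods)
    $default = ($methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }) -join ','

    # Risky window: the account can sign in, MFA is required, but no method is registered yet,
    # so whoever holds the password gets to choose the second factor.
    $exposed = (-not $user.BlockCredential) -and ($methods.Count -eq 0)

    if ($exposed) {
        Write-Host "EXPOSED: $($user.UserPrincipalName) is unblocked with no MFA method registered" -ForegroundColor Red
    } elseif ($methods.Count -gt 0) {
        Write-Host "OK: $($user.UserPrincipalName) has $($methods.Count) method(s) registered (default: $default)" -ForegroundColor Green
    } else {
        Write-Host "PENDING: $($user.UserPrincipalName) is blocked; no method registered yet" -ForegroundColor Yellow
    }

    [pscustomobject]@{
        TenantId          = $admin.TenantId
        CustomerName      = $admin.CustomerName
        UserPrincipalName = $user.UserPrincipalName
        MFAState          = $state
        RegisteredMethods = (($methods | ForEach-Object { $_.MethodType }) -join ',')
        DefaultMethod     = $default
        BlockCredential   = $user.BlockCredential
        Exposed           = $exposed
    } | Export-Csv $report -NoTypeInformation -Append
}
```

Run this after the block script and again after each technician has registered MFA for an account. Once an account shows a registered method, the same Set-MsolUser call used in the block script, with -BlockCredential $false, reopens it; accounts that report EXPOSED are the ones to re-block or register immediately.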
Disable multi-factor authentication for a single user using delegated administration

If you’d like to clear the MFA settings configured by this script for a particular account, you can do so using the following cmdlet:

Set-MsolUser -TenantId <CustomerTenantId> -UserPrincipalName <AdminUserPrincipalName> -StrongAuthenticationRequirements $null
Disable multi-factor authentication on all admins in the exported CSV

If you want to undo the changes from an earlier script, you can edit and run the following:

Connect-MsolService
$admins = Import-Csv C:\temp\MFAEnabledAdmins.csv

foreach($admin in $admins){
    # Passing $null removes the requirement set by the enable script
    Write-Host "Clearing MFA for $($admin.UserPrincipalName)"
    Set-MsolUser -TenantId $admin.TenantId -UserPrincipalName $admin.UserPrincipalName -StrongAuthenticationRequirements $null
}