We’ve recently had a client who was breached because a long-term brute force spray password attack eventually correctly guessed and administrators password. This breach should have been avoided by the company ensuring that all of its users were using multi factor authentication.

By default new accounts are required to have multi factor authentication but you can turn that off or on:

https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings



How To Disable MFA For Specific Users

mfa keeps you safe from hackers

There are however situations in which you need to disable multi factor authentication for specific users. for instance service accounts that are used on many devices like photocopiers cannot use two factor authentication.

If you want to disable two factor authentication for Microsoft 365 and azure surf to this URL, select the user in question, and set them to disabled.

https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365#


how to disable mfa for a specific user in Azure and m365

How To Export a List of Users That Are Not Using MFA?

This PowerShell script will export the key fields and tell you if MFA is setup for each user:

# Import the required module
Import-Module MSOnline

# Get your tenant credentials
$credential = Get-Credential

# Connect to your tenant
Connect-MsolService -Credential $credential

# Get all users
$users = Get-MsolUser -All

# Select required properties and add new ones for Account Status, MFA Status, UPN
$userProperties = $users | Select-Object @{
    Name = "Account Status"
    Expression = {
        if ($_.BlockCredential) {
            "Disabled"
        } else {
            "Enabled"
        }
    }
}, @{
    Name = "MFA Status"
    Expression = {
        if ($_.StrongAuthenticationMethods.Count -eq 0) {
            "Disabled"
        } else {
            "Enabled"
        }
    }
}, DisplayName, FirstName, LastName, UserPrincipalName

# Sort users by DisplayName
$sortedUsers = $userProperties | Sort-Object DisplayName

# Export users to a CSV file
$sortedUsers | Export-Csv -Path "C:\temp\MfaDisabledUsers.csv" -NoTypeInformation

This script does the following:

  1. Connects you to the M365 / Azure Tenent
  2. Retrieves all users.
  3. Selects the required properties and adds new ones for Account Status, MFA Status, and UPN.
  4. Sorts the users by DisplayName.
  5. Exports the sorted users to a CSV file at the specified path. The -NoTypeInformation parameter is used to prevent the output of type information to the CSV file. This makes the CSV output cleaner and easier to read.

At this point you can open the CSV file using Excel and then filter the MFA status and the account enabled status so you are only dealing with the accounts that are active but do not have multi factor authentication.

Note that you can see if an individual user is setup for MFA by surfing to Azure ENTRA ID > USERS > select a USER > AUTHENTICATION METHODS

https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings


azure mfa setup


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *