One of our customers is switching from MobileIron to Microsoft Endpoint Manager for their mobile devices, which is a good choice :). After a device is retired, MobileIron removes the managed Authenticator app from it. Microsoft Endpoint Manager pushes the app back to the device again, but… the iCloud backup options were not set/managed, so users had to add their account back, which requires MFA. They can't, because only the Authenticator app was registered (mobile app code) and no recovery email or mobile phone number. The mobile phone numbers of most users had, however, been set in Active Directory in the past and were synced to Azure AD. This blog post describes how you can add those numbers to the affected users as an authentication method, so that they can use the recovery option and won't have to contact the ServiceDesk 🙂
Microsoft Graph permissions
Setting user authentication methods can be done using Microsoft Graph; this Microsoft article describes how: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings. Your account needs enough permissions to set these options. You can check this in Graph Explorer by browsing to https://graph.microsoft.com/v1.0/users/objectid/authentication/microsoftAuthenticatorMethods (replace objectid with the object id of one of the affected users). Open the Modify permissions tab and consent to all four UserAuthenticationMethod items.

Also verify that your account has enough permissions to read all users: browse to the users URL (https://graph.microsoft.com/v1.0/users/) and check that consent was given to User.Read.All.
How the script works
After configuring the needed permissions (when connecting, the script also prompts for the permissions in an admin consent prompt, but that doesn't seem to work every time, or I need to have some more patience 😀), the script connects to the tenant with the two scopes it needs to add the mobile phone number to the account (UserAuthenticationMethod.ReadWrite.All and User.Read.All) and uses the beta endpoint for the Graph API queries. It then retrieves all users and skips the external (guest) accounts, because the customer doesn't add phone numbers to those. It loops through the remaining users and looks for users who registered for MFA but don't have a mobile phone number added as an authentication method. If such a user has a mobile phone number in Azure AD, the script adds it as an authentication method; if not… it outputs that in red 🙂
The script
This is the script: copy and run it, connect with an admin account with enough permissions, and check the output on your screen.
#Used https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings for the method of setting a mobile number for MFA
#Check if necessary modules are installed, install missing modules if not
#The Get-MgBeta* cmdlets used below live in the Microsoft.Graph.Beta.* modules (SDK 2.x); Microsoft.Graph.Authentication is shared
$requiredModules = 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Beta.Identity.SignIns', 'Microsoft.Graph.Beta.Users'
if (-not ((Get-Module $requiredModules -ListAvailable).count -ge 3)) {
    Write-Warning ("One or more required modules were not found, installing now...")
    try {
        Install-Module $requiredModules -Confirm:$false -SkipPublisherCheck -Scope CurrentUser -ErrorAction Stop
    }
    catch {
        Write-Warning ("Error installing required modules, exiting...")
        return
    }
}
else {
    try {
        Import-Module $requiredModules -ErrorAction Stop
    }
    catch {
        # Parentheses, not braces: braces would pass a script block instead of the message text
        Write-Warning ("Error importing required modules, exiting...")
        return
    }
}

# Connect to tenant, make sure your account has enough permissions in Microsoft Graph
# Use https://developer.microsoft.com/en-us/graph/graph-explorer to grant permissions
# in https://graph.microsoft.com/v1.0/users/objectid/authentication/microsoftAuthenticatorMethods
# and https://graph.microsoft.com/v1.0/users/
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All, User.Read.All -NoWelcome

# Loop through the users (no guest accounts) who have registered MFA without a recovery phone number
# and add it if a mobile phone number is present in Azure AD for the user.
# The ID 28c10230-6103-485e-b985-444c60001490 is filtered because it's the standard password method.
$passwordMethodId = '28c10230-6103-485e-b985-444c60001490'
foreach ($user in Get-MgBetaUser -All | Where-Object UserPrincipalName -NotMatch '#EXT#') {
    if ($null -ne (Get-MgBetaUserAuthenticationMethod -UserId $user.UserPrincipalName | Where-Object Id -ne $passwordMethodId) `
            -and $null -eq (Get-MgBetaUserAuthenticationPhoneMethod -UserId $user.UserPrincipalName)) {
        if ($null -ne $user.MobilePhone) {
            Write-Host "$($user.UserPrincipalName) has registered MFA but has no mobile phone Authentication Method, adding $($user.MobilePhone) now" -ForegroundColor Green
            New-MgBetaUserAuthenticationPhoneMethod -UserId $user.UserPrincipalName -PhoneType "Mobile" -PhoneNumber $user.MobilePhone | Out-Null
        }
        else {
            Write-Host "$($user.UserPrincipalName) has MFA configured without mobile phone number Authentication Method but has no known mobile phone number to add, skipping..." -ForegroundColor Red
        }
    }
}
A piece of the output after running the script on my CDX tenant

More Get/New-MgUserAuthentication cmdlets
You can also use the cmdlets below to retrieve and add other authentication methods (use Get-MgUserAuthenticationxxx to query and New-MgUserAuthenticationxxx to add):
Get-MgUserAuthenticationEmailMethod
Get-MgUserAuthenticationMicrosoftAuthenticatorMethodDevice
Get-MgUserAuthenticationPasswordMethod
Get-MgUserAuthenticationWindowHello
Get-MgUserAuthenticationFido2Method
Get-MgUserAuthenticationOperation
Get-MgUserAuthenticationPhoneMethod
Get-MgUserAuthenticationWindowHelloForBusinessMethodDevice
Get-MgUserAuthenticationMethod
Get-MgUserAuthenticationPasswordlessMicrosoftAuthenticatorMethod
Get-MgUserAuthenticationSoftwareOathMethod
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod
Get-MgUserAuthenticationPasswordlessMicrosoftAuthenticatorMethodDevice
Get-MgUserAuthenticationTemporaryAccessPassMethod
Download the script(s) from GitHub here
Hi, HARM VEENSTRA
Thank you very much for providing the script. This script solves the problem of automatically registering AAD phone numbers for MFA. I have a small suggestion: is it possible to define the +1 prefix yourself? Some users do not write +1 xxxx in AD but write xxxxx directly, which results in a binding failure.
No problem, and that is correct. I could modify the script to check for that before trying to update the number. The script also uses the old cmdlets, I see; I should update it anyway 🙂 I will put it on my to-do list for today!
Thank you very much for the quick reply. I have a little immature suggestion. For example, if MFA has a registered mobile phone number, but that number is inconsistent with the mobile phone number shown in AD, can the original MFA number be revoked and the new number from AD be registered automatically?
Hmmm.. It's all user preference I guess, but if you want to make sure that only the company mobile phone number is used in a non-BYOD device situation… then you can remove it and add the company phone number instead.
Updated the script a bit, but not with the logic you described yet.
Thank you very much. I can make some modifications to better adapt it to our environment. Thank you very much.
No problem, glad to help, and let me know if you need any help.
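The binding failure raised in the comments above (numbers stored in AD without the +1 prefix) comes from the format the Graph phone method expects: "+<country code> <number>", as described in the Microsoft article linked at the top of this post. The following is an added example written for this page, not Harm's updated script: it normalises the Active Directory value before calling the v1.0 New-MgUserAuthenticationPhoneMethod cmdlet listed above and supports -WhatIf so you can preview the changes first. The default country code of 1, the dropping of a leading trunk 0, and the sample numbers are assumptions.

```powershell
# Added example, not part of the original script: normalise an Active Directory mobile number
# into the "+<country code> <number>" form the Graph phoneAuthenticationMethod accepts, and only
# register it when it is valid. DefaultCountryCode '1' and the trunk-zero rule are assumptions.
function ConvertTo-GraphPhoneNumber {
    [CmdletBinding()]
    param(
        [string]$Number,
        [string]$DefaultCountryCode = '1'
    )
    if ([string]::IsNullOrWhiteSpace($Number)) { return $null }
    $raw = $Number.Trim()

    # Case 1: already "+<cc> <subscriber>" with a separator; strip dashes, dots and brackets
    if ($raw -match '^\+(\d{1,3})[\s.-]+([\d\s().-]{4,20})$') {
        return '+{0} {1}' -f $Matches[1], ($Matches[2] -replace '\D', '')
    }

    $digits = $raw -replace '\D', ''
    if ($digits.Length -lt 6) {
        Write-Warning "'$Number' is too short to be a phone number"
        return $null
    }

    # Case 2: "+14255551234" with no separator: only safe to split at the configured default code
    if ($raw.StartsWith('+')) {
        if ($digits.StartsWith($DefaultCountryCode)) {
            return '+{0} {1}' -f $DefaultCountryCode, $digits.Substring($DefaultCountryCode.Length)
        }
        Write-Warning "Cannot tell the country code in '$Number'; store it as '+<cc> <number>' in AD"
        return $null
    }

    # Case 3: no '+' at all (the case from the comments): prepend the default country code.
    # A leading trunk '0' is dropped; assumption that fits most non-US national formats.
    return '+{0} {1}' -f $DefaultCountryCode, ($digits -replace '^0', '')
}

function Add-MfaPhoneFromDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A user object from Get-MgUser; only UserPrincipalName and MobilePhone are used
        [Parameter(Mandatory, ValueFromPipeline)]$User,
        [string]$DefaultCountryCode = '1'
    )
    process {
        $upn = $User.UserPrincipalName
        # Never overwrite a phone method the user already has
        if (Get-MgUserAuthenticationPhoneMethod -UserId $upn) {
            Write-Verbose "$upn already has a phone authentication method"
            return
        }
        $formatted = ConvertTo-GraphPhoneNumber -Number $User.MobilePhone -DefaultCountryCode $DefaultCountryCode
        if (-not $formatted) {
            Write-Host "$upn has no usable mobile number in Azure AD ('$($User.MobilePhone)'), skipping..." -ForegroundColor Red
            return
        }
        # -WhatIf / -Confirm are honoured here, so a dry run lists what would be added
        if ($PSCmdlet.ShouldProcess($upn, "Add mobile authentication method $formatted")) {
            New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneType 'mobile' -PhoneNumber $formatted | Out-Null
            Write-Host "$($upn): added $formatted as mobile authentication method" -ForegroundColor Green
        }
    }
}

# Constructed sample values (not real user data) to check the normalisation offline
'+1 425-555-1234', '+14255551234', '(425) 555-1234', '4255551234', '+31 6 12345678', '12345' |
    ForEach-Object { '{0,-16} -> {1}' -f $_, (ConvertTo-GraphPhoneNumber -Number $_ -WarningAction SilentlyContinue) }

# Against the tenant: preview with -WhatIf first, then run again without it
# Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All, User.Read.All -NoWelcome
# Get-MgUser -All | Where-Object UserPrincipalName -NotMatch '#EXT#' | Add-MfaPhoneFromDirectory -WhatIf
```

The wrapper deliberately refuses to guess when a "+"-prefixed number has no separator and does not start with the default country code, because splitting "+31612345678" by a fixed length would register a wrong number rather than none. It also drops the "has registered MFA" scoping from the script above; add that Get-MgUserAuthenticationMethod check back inside the process block if you only want to touch users who already enrolled.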