Adding Mobile Phone Authentication method for Azure AD Multi-Factor Authentication using PowerShell

One of our customers is switching from MobileIron to Microsoft Endpoint Manager for their mobile devices, which is a good choice :). When a device is retired, MobileIron removes the managed Authenticator app from it. Microsoft Endpoint Manager pushes the app back to the device again, but… the iCloud backup options were not set or managed, so users had to add their account again, which requires MFA. They can't, because only the Authenticator app was registered (mobile app code) and no recovery e-mail address or mobile phone number. The mobile phone numbers of most users were, however, set in Active Directory in the past and synced to Azure AD. This blog post describes how you can add those numbers to the affected users as an authentication method, so that they can use the recovery option and won't have to contact the ServiceDesk 🙂

Microsoft Graph permissions

Setting user authentication methods can be done using Microsoft Graph; this article describes how: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings. Your account needs enough permissions to set these options. You can check this in Graph Explorer by browsing to the microsoftAuthenticatorMethods URL of one of the affected users (https://graph.microsoft.com/v1.0/users/objectid/authentication/microsoftAuthenticatorMethods, with objectid replaced by the user's object ID). Open the Modify permissions tab and consent to all four UserAuthenticationMethod items.

Also verify that your account has enough permissions to read all users: browse to the users URL (https://graph.microsoft.com/v1.0/users/) and check that consent was given to User.Read.All.

How the script works

After configuring the needed permissions, the script connects to the tenant with the two scopes it needs to add the mobile phone number to the account (UserAuthenticationMethod.ReadWrite.All and User.Read.All) and selects the beta endpoint for the Graph API queries. (When connecting, it also prompts for these permissions in an admin consent prompt, but that doesn't seem to work every time, or I need to have some more patience 😀.) It then retrieves all users and skips the external accounts, because the customer doesn't add phone numbers to those users. It loops through the remaining users and looks for users who registered for MFA but don't have a mobile phone number added as an authentication method. If such a user has a mobile phone number in Azure AD, the script adds it as an authentication method; if not… it outputs that in red 🙂

The script

This is the script: copy and run it, connect with an admin account with enough permissions, and check the output on your screen.

# Used https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings for the method of setting a mobile number for MFA
# Install the needed Microsoft.Graph modules
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users -ErrorAction SilentlyContinue

# Connect to the tenant, make sure your account has enough permissions in Microsoft Graph
# Use https://developer.microsoft.com/en-us/graph/graph-explorer to grant permissions
# in https://graph.microsoft.com/v1.0/users/objectid/authentication/microsoftAuthenticatorMethods
# and https://graph.microsoft.com/v1.0/users/
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All, User.Read.All
Select-MgProfile -Name beta

# Loop through the users (no guest accounts) who have registered MFA without a recovery phone number
# and add it if a mobile phone number is present in Azure AD for the user.
# The ID 28c10230-6103-485e-b985-444c60001490 is filtered out because it is the standard password method.
$passwordMethodId = '28c10230-6103-485e-b985-444c60001490'
foreach ($user in Get-MgUser -All | Where-Object UserPrincipalName -NotMatch '#EXT#') {
    # At least one non-password method is registered, but no phone method yet
    if ($null -ne (Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName | Where-Object Id -ne $passwordMethodId) -and
        $null -eq (Get-MgUserAuthenticationPhoneMethod -UserId $user.UserPrincipalName)) {
        if ($null -ne $user.MobilePhone) {
            Write-Host "$($user.UserPrincipalName) has registered MFA but has no mobile phone Authentication Method, adding $($user.MobilePhone) now" -ForegroundColor Green
            New-MgUserAuthenticationPhoneMethod -UserId $user.UserPrincipalName -PhoneType "Mobile" -PhoneNumber $user.MobilePhone | Out-Null
        }
        else {
            Write-Host "$($user.UserPrincipalName) has MFA configured without mobile phone number Authentication Method but has no known mobile phone number to add, skipping..." -ForegroundColor Red
        }
    }
}

A piece of the output after running the script on my CDX tenant
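The numbers synced from Active Directory are rarely in the exact "+<country code> <number>" shape that the Graph phone method expects, and the script above writes straight away. The example below is an added one (not the post's script): it does the same job, but first normalises the number, returns one result object per user so the run can be exported, and has a -ReportOnly switch to review what would change before anything is written. It assumes the same modules, scopes and beta profile as the script above, an existing Connect-MgGraph session, and a default country code of 31 (Dutch numbers) for numbers stored without one; both helper function names are mine.

```powershell
# Added example (not the script from the post): same fix, but with phone number
# normalisation and a report-only mode. Assumes the same modules, scopes and beta
# profile as the post's script and an existing Connect-MgGraph session.

function ConvertTo-GraphPhoneNumber {
    param(
        [Parameter(Mandatory)][string]$Number,
        [string]$DefaultCountryCode = '31'   # assumption: numbers without a country code are Dutch
    )
    $n = $Number.Trim()
    # Already "+<cc> <subscriber>" with a separator: only clean up the subscriber part
    if ($n -match '^\+(\d{1,3})\s+(.+)$') {
        $subscriber = $Matches[2] -replace '\D', ''
        if ($subscriber.Length -ge 4) { return "+$($Matches[1]) $subscriber" }
        return $null
    }
    $digits = $n -replace '\D', ''
    if ($n.StartsWith('+') -or $digits.StartsWith('00')) {
        # International format without a separator. Without a country code table the
        # split is only unambiguous for the default country code; anything else is skipped.
        $rest = $digits -replace '^00', ''
        if ($rest.StartsWith($DefaultCountryCode) -and $rest.Length -gt $DefaultCountryCode.Length + 3) {
            return "+$DefaultCountryCode $($rest.Substring($DefaultCountryCode.Length))"
        }
        return $null
    }
    if ($digits -match '^0(\d{4,})$') {   # national format: drop the trunk prefix 0
        return "+$DefaultCountryCode $($Matches[1])"
    }
    return $null   # nothing recognisable; the caller logs it and skips the user
}

function Add-MissingMobileMethod {
    param(
        [switch]$ReportOnly,                 # only report what would be added
        [string]$DefaultCountryCode = '31'
    )
    $passwordMethodId = '28c10230-6103-485e-b985-444c60001490'   # standard password method, see the post
    $users = Get-MgUser -All -Property Id, UserPrincipalName, MobilePhone |
             Where-Object UserPrincipalName -NotMatch '#EXT#'
    foreach ($user in $users) {
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id | Where-Object Id -ne $passwordMethodId
        if (-not $methods) { continue }                                        # never registered for MFA
        if (Get-MgUserAuthenticationPhoneMethod -UserId $user.Id) { continue }  # already has a phone method

        $normalized = $null
        if ($user.MobilePhone) {
            $normalized = ConvertTo-GraphPhoneNumber -Number $user.MobilePhone -DefaultCountryCode $DefaultCountryCode
        }
        if (-not $user.MobilePhone) { $status = 'NoNumberInAzureAD' }
        elseif (-not $normalized)   { $status = 'UnparseableNumber' }
        elseif ($ReportOnly)        { $status = 'WouldAdd' }
        else {
            try {
                New-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneType 'mobile' -PhoneNumber $normalized | Out-Null
                $status = 'Added'
            }
            catch { $status = "Failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            User       = $user.UserPrincipalName
            Source     = $user.MobilePhone
            Normalized = $normalized
            Status     = $status
        }
    }
}

# Review first, then run for real and keep the log of what was changed:
# Add-MissingMobileMethod -ReportOnly | Format-Table
# Add-MissingMobileMethod | Export-Csv .\mfa-phone-added.csv -NoTypeInformation
```

Returning objects instead of coloured Write-Host lines means the -ReportOnly run can be handed to the customer for review and the real run leaves a CSV of every number that was added, which is useful when a user later asks why a recovery method appeared on their account.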

More Get/New-MgUserAuthentication cmdlets

You can also use the cmdlets below to retrieve and add other authentication methods (use Get-MgUserAuthenticationxxx to query and New-MgUserAuthenticationxxx to add):

Get-MgUserAuthenticationEmailMethod
Get-MgUserAuthenticationMicrosoftAuthenticatorMethodDevice
Get-MgUserAuthenticationPasswordMethod
Get-MgUserAuthenticationWindowHello
Get-MgUserAuthenticationFido2Method
Get-MgUserAuthenticationOperation
Get-MgUserAuthenticationPhoneMethod
Get-MgUserAuthenticationWindowHelloForBusinessMethodDevice
Get-MgUserAuthenticationMethod
Get-MgUserAuthenticationPasswordlessMicrosoftAuthenticatorMethod
Get-MgUserAuthenticationSoftwareOathMethod
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod
Get-MgUserAuthenticationPasswordlessMicrosoftAuthenticatorMethodDevice
Get-MgUserAuthenticationTemporaryAccessPassMethod
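The problem at the top of this post only surfaced once the Authenticator app was gone. The added example below (not from the post) uses Get-MgUserAuthenticationMethod to report, per member user, which method types are registered and to flag accounts that have a single non-password method and no phone or e-mail method to recover with, so the gap can be found before a device migration rather than after. It assumes an existing Connect-MgGraph session with UserAuthenticationMethod.Read.All (or ReadWrite.All) and User.Read.All, and that the SDK exposes the concrete method type in the @odata.type entry of each returned object's AdditionalProperties; the function name and the risk labels are mine.

```powershell
# Added example (not from the post): audit authentication method coverage per member user
# and flag accounts with one non-password method and no recovery method.
# Assumes an existing Connect-MgGraph session with User.Read.All and
# UserAuthenticationMethod.Read.All (or ReadWrite.All).

function Get-MfaMethodCoverage {
    param(
        # Method types that let a user recover or re-register; an assumption for this report
        [string[]]$RecoveryTypes = @('phoneAuthenticationMethod', 'emailAuthenticationMethod')
    )
    $users = Get-MgUser -All -Property Id, UserPrincipalName, UserType |
             Where-Object UserType -eq 'Member'
    foreach ($user in $users) {
        # Get-MgUserAuthenticationMethod returns a generic object per method; the concrete
        # type is the @odata.type entry of AdditionalProperties (e.g. #microsoft.graph.phoneAuthenticationMethod)
        $types = @(Get-MgUserAuthenticationMethod -UserId $user.Id |
                   ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
                   Where-Object { $_ -ne 'passwordAuthenticationMethod' })
        $hasRecovery = @($types | Where-Object { $_ -in $RecoveryTypes }).Count -gt 0

        if ($types.Count -eq 0)                            { $risk = 'NoMfaRegistered' }
        elseif ($types.Count -eq 1 -and -not $hasRecovery) { $risk = 'SingleMethodNoRecovery' }
        elseif (-not $hasRecovery)                         { $risk = 'NoRecoveryMethod' }
        else                                               { $risk = 'Ok' }

        [pscustomobject]@{
            User    = $user.UserPrincipalName
            Methods = ($types | Sort-Object -Unique) -join ', '
            Risk    = $risk
        }
    }
}

# Example usage: list the accounts that need attention and keep a CSV for follow-up
# Get-MfaMethodCoverage | Where-Object Risk -ne 'Ok' | Export-Csv .\mfa-coverage.csv -NoTypeInformation
```

Filtering on UserType instead of the '#EXT#' pattern in the UPN catches guests whose UPN doesn't carry that marker; if your tenant relies on the UPN pattern, swap the Where-Object clause for the one used in the script above.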

Download the script(s) from GitHub here
