I am working with a customer where we want to enable multi-factor authentication for their users as a measure to secure their environment. But when you enable MFA and a user logs on for the first time, the user has to enter his mobile phone number, even if the mobile phone number is populated in on-premises Active Directory and synchronized to Azure Active Directory (which is default).
When you check the user account in the Azure AD portal, you can see that the mobile phone number is synchronized, but the authentication phone number is empty.
This is not a desired solution, if a user can set a new mobile phone during logon, a malicious user can do this as well. A typical user will logon shortly after the MFA is set, but especially when doing bulk changes this might not be the case. And when a user account that is MFA enabled, but hasn’t set the authentication phone property is compromised you’re screwed.
Out of the box there’s no easy way to prepopulate the authentication phone number. The authentication phone number is not store in on-premises Active Directory, it’s an Azure AD property. The property to control the strong authentication is called StrongAuthenticationMethods and you can set this using PowerShell. When you set this, the authentication phone number is still prepopulated, but when the mobile phone number is synchronized, this is used in the first place.
To set this StrongAuthenticationMethods property you can use the following PowerShell commands:
Connect MsolService $UserPrincipalName = "firstname.lastname@example.org" $SMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod $SMS.IsDefault = $true $SMS.MethodType = "OneWaySMS" $Phone = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod $Phone.IsDefault = $false $Phone.MethodType = "TwoWayVoiceMobile" $PrePopulate = @($SMS, $Phone) Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $PrePopulate
Now when the user logs on for the first time with MFA enabled, he’s presented the enter code dialog box, without having to enter a mobile number first.
If you do this, and the mobile phone number is not set in on-premises Active Directory, MFA will still try to use the mobile phone number, but nothing will happen as shown in the following screenshot:
Since there’s no mobile phone number to use, and no option to add this anymore directly by the user you’re stuck here (until the mobile phone number is added to on-premises Active Directory of course).
Note. If you want to enable MFA using PowerShell, you can use the following commands (and maybe combine them with the commands mentioned earlier):
$Strong = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $Strong.RelyingParty = "*" $Strong.State = "Enabled" $MFA = @($Strong) Set-MsolUser -UserPrincipalName email@example.com -StrongAuthenticationRequirements $MFA
- Pre-Provisioning Microsoft Azure Multi-Factor Authentication for Users – https://blogs.technet.microsoft.com/cloudpfe/2014/04/09/pre-provisioning-microsoft-azure-multi-factor-authentication-for-users/
- How to require two-step verification for a user – https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates