Hi Everyone,
I have knocked up a quick PowerShell script to enforce MFA for all O365 users; however, I need to exclude anyone who is a member of a certain group.
Here's the code I have come up with.
Can anyone do any better?
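# Requires the MSOnline module and an existing Connect-MsolService session
$users = Get-MsolUser -All | where {$_.StrongAuthenticationRequirements.state -notlike "Enforced"} | select userprincipalname, objectid
#--- Collect the members of the excluded group once, up front ---
$excluded = @()
foreach ($Group in (Get-MsolGroup -All | where-object {$_.displayname -eq "MFA-Excluded"}))
{
    $excluded += Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All | select -ExpandProperty objectid
}
#--- Setting MFA status to Enforced ---
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enforced"
$sta = @($st)
foreach ($user in $users)
{
    # Skip members of MFA-Excluded. Match on ObjectId: EmailAddress can differ from the UPN,
    # and testing "any member -notlike this user" is true for every user once the group has other members.
    if ($excluded -contains $user.objectid) { continue }
    $upn = $user.userprincipalname
    # Timestamp for the log line ($Fulldate was never set in the original)
    $Fulldate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    write-host "Setting MFA for user $upn to Enforced" -ForegroundColor Green
    Add-Content "C:\mfa\log.txt" "$Fulldate - Setting MFA for user $upn to Enforced"
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $sta
}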
Thanks!!