Check/Change Authentication Type [O365]

We’re rolling out multifactor authentication (MFA) across the company and I’m trying to find a way in Powershell to look a person up and see their authentication type and then change it if necessary. It would be especially helpful to be able to change by GroupID as we’re rolling it out by OU. Any ideas?

Hi Steven,

This blog on TechNet has some PowerShell examples at the bottom of the page:

It looks like you could do something like this (I have not tested this):

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled" # Options are Enabled or Enforced
Set-MsolUser -UserPrincipalName  -StrongAuthenticationRequirements $auth

If you have a CSV file with who is to be enabled, you could import it in a script and cycle through each user to enable them. Hopefully that points you in the right direction.

I figured it out! It’s not very elegant but it gets the job done:

<#$jdoe = Get-Credential
#Connect-MsolService -Credential $jdoe
$users = Get-MsolUser -All

foreach($user in $users){
    if($user.StrongAuthenticationRequirements.State -ne "Enforced"){
    Write-Host "NOT ON" $user.DisplayName -BackgroundColor red
    #AUTH ON
    Write-Host "ON" $user.DisplayName


Thanks for pointing me in the right direction

Tip: Get in the habit of creating object rather than write-host. The data is then reusable. Write-host should be reserved for troubleshooting.

$users = Get-MsolUser -All

$authreport = foreach($user in $users){

StrongAuth = $user.StrongAuthenticationRequirements.State
DisplayName = $user.DisplayName



#$authreport | export-csv ...
#$authreport | out-gridview
#$authreport | ? {$_.strongauth -eq 'Enforced'}