Issue:

User accounts that are not configured for MFA have been compromised. You have now decided to enforce MFA on all user accounts, but there is a risk: a malicious user who already holds a valid password can complete the first-factor authentication and then register a spoofed contact number as the second factor by going to https://aka.ms/mfasetup or https://aka.ms/securityinfo.

Resolution:

Pre-populate the users' phone details and pre-configure MFA from an admin account so that end users never have to go through self-service registration. Below are the steps you need to perform for this purpose:

1. Update the user's PhoneNumber and MobilePhone attributes.
   • If the user is cloud-only, sign in to the Azure Portal, search for the user in Azure AD, and enter the phone numbers in the user's profile.
   • If the user is synced from on-premises AD, populate the attributes there and sync them with Azure AD Connect.
   • If you are creating a new user, use the cmdlet below:

     New-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -PhoneNumber '+91 94642XXXXX' -MobilePhone '+91 94642XXXXX' -DisplayName User -Password 'P@$$w0rd'

   Note: The password is a temporary password and can be changed after a successful second-factor authentication once MFA is configured.

2. Run the cmdlets below:

     # Requires an existing MSOnline session (Connect-MsolService)

     # Enforce MFA for every relying party ("*" = all applications)
     $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
     $st.RelyingParty = "*"
     $st.State = "Enabled"
     $sta = @($st)
     Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements $sta

     # Pre-select the default second factor (a voice call to the office phone populated in step 1)
     # so the user is never shown the self-service registration page
     $sm = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
     $sm.IsDefault = $true
     $sm.MethodType = "TwoWayVoiceOffice"
     Set-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @($sm)

     # Verify the StrongAuthentication* properties on the user object
     Get-MsolUser -UserPrincipalName user@your_tenant.onmicrosoft.com | select *

3. Log in to the Azure Portal or an Office 365 app with the new user account and notice that you receive a phone call directly instead of being shown the MFA registration page.
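The three steps above, wrapped into a reusable function plus an audit that finds users who could still reach the self-service registration page (MFA not enabled, or enabled with no default method). This is an added example, not code from the original post; it assumes the MSOnline module is installed and a Connect-MsolService session already exists, and the UPNs and phone numbers in the usage section are constructed placeholders. The audit goes one step beyond the post by listing both the directory phone number and the number held in StrongAuthenticationUserDetails side by side, so an admin can spot a mismatch between what was pre-populated and what is actually registered.

```powershell
# Added example (not from the original post). Assumes: MSOnline module installed,
# Connect-MsolService already run with an account holding an appropriate admin role.

function Set-PreconfiguredMfa {
    # Steps 1 and 2 of the post for a single user: populate the phone attributes,
    # enforce MFA for all relying parties, and pre-select the default second factor.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$PhoneNumber,
        [ValidateSet('TwoWayVoiceOffice', 'TwoWayVoiceMobile', 'OneWaySMS')]
        [string]$MethodType = 'TwoWayVoiceOffice'
    )

    # Step 1: the phone attributes the MFA service will call or text
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PhoneNumber $PhoneNumber -MobilePhone $PhoneNumber

    # Step 2a: require MFA for every application ("*")
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)

    # Step 2b: pre-select the default method so the registration page is never shown
    $method = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $method.IsDefault = $true
    $method.MethodType = $MethodType
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @($method)
}

function Get-MfaRegistrationGap {
    # Lists users who are still exposed to the risk described in the post:
    # no MFA requirement at all, or a requirement with no pre-selected default method.
    # DirectoryPhone vs RegisteredPhone lets you check that the registered number
    # is the one the admin populated, not one a user entered themselves.
    Get-MsolUser -All | ForEach-Object {
        $state   = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
        $default = ($_.StrongAuthenticationMethods | Where-Object IsDefault | Select-Object -First 1).MethodType
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($state) { $state } else { 'Disabled' }
            DefaultMethod     = $default
            DirectoryPhone    = $_.PhoneNumber
            RegisteredPhone   = $_.StrongAuthenticationUserDetails.PhoneNumber
        }
    } | Where-Object { $_.MfaState -eq 'Disabled' -or -not $_.DefaultMethod }
}

# Usage with constructed sample values (replace with your own tenant's users)
$usersToConfigure = @(
    @{ Upn = 'user1@your_tenant.onmicrosoft.com'; Phone = '+91 94642XXXXX' },
    @{ Upn = 'user2@your_tenant.onmicrosoft.com'; Phone = '+91 94642XXXXX' }
)
foreach ($u in $usersToConfigure) {
    Set-PreconfiguredMfa -UserPrincipalName $u.Upn -PhoneNumber $u.Phone
}

# Anyone still listed here can still be walked to https://aka.ms/mfasetup on first sign-in
Get-MfaRegistrationGap | Format-Table -AutoSize
```

Run Get-MfaRegistrationGap again after the loop; an empty result means every account has an enforced requirement and a default method, which is the state step 3 of the post relies on.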

--

Amanmcse
cloud365.in

My name is Amanpreet Singh. I have over 10 years of experience as an IT Professional. I am employed at Microsoft and work in Azure Identity and Security domain.