Some of our customers are so large that their employees misplace or even lose several phones a day. Our largest customer has 70,000 employees who misplace about 11 phones a day, left in the car or on the nightstand, for example. With their phone gone, they can no longer use MFA, so they can't log in to their accounts. For these users, MFA needs to be temporarily disabled so they can access their O365 email, Teams, etc.
This can be easily accomplished in PowerShell with a script similar to this:
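#Requires -Modules MSOnline
# Assumes Connect-MsolService has already been run with an account allowed to change MFA settings.
$UPN = Read-Host -Prompt "Enter the user's UPN"
try {
    # Look up the account; $user stays empty if the UPN does not exist
    $user = Get-MsolUser -UserPrincipalName $UPN -ErrorAction SilentlyContinue
    if (!$user)
    {
        Write-Output "No user could be found with the UPN of $UPN."
    }
    else
    {
        $uName = $user.DisplayName
        if (!($user.StrongAuthenticationRequirements))
        {
            Write-Output "Multi-factor authentication is already disabled for $uName($UPN)"
        }
        else
        {
            # An empty requirements list switches per-user MFA off.
            # -ErrorAction Stop sends a failure to the catch block instead of reporting success.
            $EmptyArray = @()
            Set-MsolUser -UserPrincipalName $UPN -StrongAuthenticationRequirements $EmptyArray -ErrorAction Stop
            Write-Output "Multi-factor authentication was disabled for $uName($UPN)"
        }
    }
} catch {
    Write-Output "Error:"
    Write-Output "$_"
}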
But of course, running such a script assumes you have access to the proper credentials, and that those credentials have the Authentication Administrator role. You could write a script like this, but you couldn't delegate it down to the Service Desk unless they also had such rights… and that is usually not the case. Is there a solution? YES! VitalSigns now has a feature called PowerScripts.
We think it’s such an important area of functionality that we dedicated an entire website to explaining it. Check out our latest feature at https://powerscripts365.com/
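The script above switches MFA off, but nothing in it makes the exemption temporary or records who granted it. The following is an added example, not code from the original post or from VitalSigns: it logs each exemption with an expiry and turns MFA back on once the expiry has passed. The ledger path, the -Ticket parameter, the function names and the 8-hour default are assumptions, and it expects an existing Connect-MsolService session.

```powershell
#Requires -Modules MSOnline
# Added example. $LedgerPath is a hypothetical location; keep the real file
# somewhere only the operators of this script can write to.
$LedgerPath = Join-Path $env:TEMP 'mfa-exemptions.csv'

function Write-Ledger([string]$UPN, [string]$Action, [string]$Ticket, [string]$State, [datetime]$ExpiresUtc) {
    # Append-only audit row: who did what, for whom, under which ticket
    [pscustomobject]@{
        TimeUtc    = [datetime]::UtcNow.ToString('o')
        Operator   = $env:USERNAME
        UPN        = $UPN
        Action     = $Action
        Ticket     = $Ticket
        PriorState = $State
        ExpiresUtc = $ExpiresUtc.ToString('o')
    } | Export-Csv -Path $LedgerPath -Append -NoTypeInformation -ErrorAction Stop
}

function Disable-MfaTemporarily {
    param([Parameter(Mandatory)][string]$UPN,
          [Parameter(Mandatory)][string]$Ticket,
          [ValidateRange(1, 72)][int]$Hours = 8)
    $user  = Get-MsolUser -UserPrincipalName $UPN -ErrorAction Stop
    $prior = @($user.StrongAuthenticationRequirements)
    if ($prior.Count -eq 0) { Write-Output "MFA is already disabled for $UPN"; return }
    # Log first: if the ledger cannot be written, MFA is left untouched
    Write-Ledger $UPN 'Disabled' $Ticket $prior[0].State ([datetime]::UtcNow.AddHours($Hours))
    Set-MsolUser -UserPrincipalName $UPN -StrongAuthenticationRequirements @() -ErrorAction Stop
}

function Restore-ExpiredMfa {
    # Run on a schedule; only the newest ledger row per user is considered
    if (-not (Test-Path $LedgerPath)) { return }
    $now = [datetime]::UtcNow
    Import-Csv $LedgerPath | Group-Object UPN | ForEach-Object {
        $last    = $_.Group | Select-Object -Last 1
        $expires = [datetime]::Parse($last.ExpiresUtc, $null, 'RoundtripKind')
        if ($last.Action -ne 'Disabled' -or $expires -gt $now) { return }
        # Rebuild the per-user requirement with the state it had before
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State        = $last.PriorState
        Set-MsolUser -UserPrincipalName $last.UPN -StrongAuthenticationRequirements @($req) -ErrorAction Stop
        Write-Ledger $last.UPN 'Restored' $last.Ticket $last.PriorState $expires
    }
}
```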