Skip to content

Instantly share code, notes, and snippets.

Last active January 3, 2022 15:47
What would you like to do?
A couple utility cmdlets to simplify managing Azure MFA state
Two helper functions to simplify managing user MFA state in Azure Active Directory.
# Disable MFA for one user, keeping MFA methods intact
Get-MsolUser -UserPrincipalName "" | Disable-Mfa -KeepMethods
# Disable MFA for all users, keeping their MFA methods intact
Get-MsolUser -All | Disable-MFA -KeepMethods
# Enforce MFA for one user
Get-MsolUser -UserPrincipalName "" | Set-MfaState -State Enforced
# Wrapper to disable MFA with the option to keep the MFA
# methods (to avoid having to proof-up again later)
function Disable-Mfa {
[switch] $KeepMethods
Process {
Write-Verbose ("Disabling MFA for user '{0}'" -f $User.UserPrincipalName)
$User | Set-MfaState -State Disabled
if ($KeepMethods) {
# Restore the MFA methods which got cleared when disabling MFA
Set-MsolUser -ObjectId $User.ObjectId `
-StrongAuthenticationMethods $User.StrongAuthenticationMethods
# Sets the MFA requirement state
function Set-MfaState {
Process {
Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
$Requirements = @()
if ($State -ne "Disabled") {
$Requirement =
$Requirement.RelyingParty = "*"
$Requirement.State = $State
$Requirements += $Requirement
Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
-StrongAuthenticationRequirements $Requirements
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment