Introduction
Enforcing multifactor authentication (MFA) is essential for securing user access to Kepion. With Microsoft Entra ID (formerly Azure AD), enforcing MFA ensures that all users authenticate securely before accessing your environment.
This guide provides step-by-step instructions on:
- Enforcing MFA for users
- Resetting MFA for users experiencing sign-in issues
Note: If your organization uses Single Sign-On (SSO) with an identity provider other than Microsoft Entra ID, MFA enforcement must be configured and managed within that provider's system.
Before you start
Ensure you have access to the target tenant in Microsoft Entra ID with at least Authentication Policy Administrator permissions.
Enforce MFA for your users
Step 1: Sign in to Microsoft Entra ID
- Go to the Microsoft Entra admin center.
- Sign in with an account that has at least Authentication Policy Administrator permissions.
Step 2: Navigate to per-user MFA
- If you have access to multiple tenants, use the Settings icon in the top menu to switch to the target tenant.
- Navigate to Users > All users.
- Click Per-user MFA at the top of the page.
Step 3: Enable MFA
- Select the checkboxes next to the users who require MFA enforcement.
- Click Enable MFA.
- Confirm your selection in the pop-up window.
Step 4: Enforce MFA
- Select the checkboxes next to the users who require MFA enforcement.
- Click Enforce MFA.
- Confirm your selection in the pop-up window.
Note: Once enforced, users will be prompted to set up MFA during their next sign-in.
Reset MFA via Azure portal
If users experience login issues with Microsoft Entra ID, you may need to require MFA re-registration for the affected users. This can be done manually via the Azure portal or in bulk using Microsoft Graph.
Follow the steps below to reset MFA for users manually in the Azure portal.
Step 1: Sign in to Microsoft Entra ID
- Go to the Microsoft Entra admin center.
- Sign in with an account that has at least Authentication Policy Administrator permissions.
Step 2: Locate the user
- If you have access to multiple tenants, use the Settings icon in the top menu to switch to the target tenant.
- Use the search bar to find the user who needs an MFA reset.
- Click on their display name to open their profile.
Step 3: Reset MFA
- In the left navigation panel, select Authentication methods.
- Click Require re-register multifactor authentication.
Note: Repeat steps 2-3 for each additional user who requires an MFA reset.
Final step: Notify your users
- Once MFA is enforced, Microsoft does not send automatic notifications to users. Instead, they will be prompted to set up MFA upon their next sign-in to Kepion.
- To assist them with the setup process, share this guide: Set up multifactor authentication with Microsoft Authenticator
Reset MFA using Microsoft Graph
For organizations managing a large number of users, enforcing MFA manually can be time-consuming. To streamline the process, you can use PowerShell with Microsoft Graph to automate MFA enforcement across all users in your environment.
Step 1: Install required PowerShell modules
Ensure the following Microsoft Graph PowerShell modules are installed:
Step 2: Ensure API permissions
Navigate to the App Registration and verify that the correct API permissions are assigned:
- Permissions required:
  - (Application) UserAuthenticationMethod.ReadWrite.All
  - (Application) User.Read.All
- After adding the permissions, click Grant admin consent for [your tenant] to apply the changes.
Step 3: Collect application information
Before proceeding, collect the following details from the App Registration that will be used for authenticating the PowerShell script:
- Application (client) ID
- Directory (tenant) ID
- Client secret
Step 4: Prepare the user list for MFA enforcement
To specify the users who will have MFA enforced, create a users.csv file containing their Object IDs. The file should be structured as follows:
ObjectId
a1b2c3d4-e5f6-7890-abcd-1234567890ef
b2c3d4e5-f678-9012-bcde-2345678901fa
c3d4e5f6-7890-1234-cdef-3456789012fb
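The guide does not say how to gather Object IDs in bulk. The following is an added example, not part of the Kepion guide, that exports the Object IDs of the user members of one Entra ID group into users.csv in exactly the single-column shape Step 4 expects. It assumes an interactive sign-in with delegated read permissions; the group name "Kepion Users" and the output path are placeholders.

```powershell
# Added example: build users.csv (ObjectId column) from the members of an Entra ID group.
# Assumes delegated, interactive sign-in; "Kepion Users" is a placeholder group name.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All" | Out-Null

$groupName = "Kepion Users"   # placeholder: replace with the group that should have MFA reset
$outFile   = "users.csv"

$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property Id, DisplayName
if (-not $group) {
    Write-Host "Group '$groupName' not found." -ForegroundColor Red
    Exit 1
}

# -All pages through large memberships. Only user objects are kept: nested groups,
# devices and service principals are not MFA targets and are skipped.
$members = Get-MgGroupMember -GroupId $group.Id -All
$userIds = @(
    $members |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        Select-Object -ExpandProperty Id |
        Sort-Object -Unique
)

if ($userIds.Count -eq 0) {
    Write-Host "Group '$groupName' has no user members." -ForegroundColor Red
    Exit 1
}

# One GUID per row under a single ObjectId header, matching the Step 4 layout.
$userIds |
    ForEach-Object { [pscustomobject]@{ ObjectId = $_ } } |
    Export-Csv -Path $outFile -NoTypeInformation

Write-Host "Wrote $($userIds.Count) Object IDs to $outFile."
```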
Step 5: Prepare the PowerShell script
The script provided below will:
- Read the users provided in the users.csv file created in Step 4.
- Reset and reconfigure MFA methods to ensure compliance.
- Remove outdated authentication methods while keeping Microsoft-approved MFA methods.
param(
    [parameter(Mandatory = $true)] [String] $tenantId,
    [parameter(Mandatory = $true)] [String] $clientId,
    [parameter(Mandatory = $true)] [String] $clientSecret,
    [parameter(Mandatory = $true)] [String] $csvFilePath,
    # Optional: when $true, the script authenticates and loads the user list but makes no changes.
    [parameter(Mandatory = $false)] [Boolean] $isDebug = $false
)

# Check if the CSV file exists
if (!(Test-Path $csvFilePath)) {
    Write-Host "Error: CSV file not found at $csvFilePath. Please provide a valid file." -ForegroundColor Red
    Exit 1
}

# Get an app-only access token (client credentials flow) and connect to Microsoft Graph
try {
    Write-Host "Trying to connect to tenantId <$tenantId> using clientId <$clientId>."
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://graph.microsoft.com/.default"
    }
    $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method Post -Body $body
    # Connect-MgGraph (SDK v2) expects the token as a SecureString
    $accessToken = ConvertTo-SecureString $tokenResponse.access_token -AsPlainText -Force
    Connect-MgGraph -AccessToken $accessToken | Out-Null
    Write-Host "Authentication successful." -ForegroundColor Green
}
catch {
    Write-Host "Failed to authenticate with clientId <$clientId> in tenantId <$tenantId>: $($_.Exception.Message)" -ForegroundColor Red
    Exit 1
}

# Read users from the CSV file (single ObjectId column, see Step 4)
$users = Import-Csv -Path $csvFilePath
$totalUserCount = @($users).Count
if ($totalUserCount -eq 0) {
    Write-Host "Error: No users found in the CSV file." -ForegroundColor Red
    Exit 1
}
Write-Host "Loaded $totalUserCount users from CSV file."

# Reset MFA configurations for users in CSV
Write-Host "Attempting to reset MFA configurations for specified users..."
$userCount = 0
$failedUserIds = @()

if ($isDebug -eq $true) {
    Write-Host "Debug mode enabled. No changes will be made."
    Exit 0
}

# The password method has a fixed, well-known ID in Microsoft Graph and cannot be removed.
$passwordMethodId = "28c10230-6103-485e-b985-444c60001490"

foreach ($user in $users) {
    $userId = $user.ObjectId
    $userCount++
    Write-Host "[$userCount/$totalUserCount] Processing user <$userId>..."
    $userHadError = $false
    try {
        $methods = Get-MgUserAuthenticationMethod -UserId $userId
        foreach ($method in $methods) {
            if ($method.Id -eq $passwordMethodId) {
                continue
            }
            # Graph returns the concrete method type in the @odata.type annotation
            $methodType = $method.AdditionalProperties['@odata.type']
            switch ($methodType) {
                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                    # Remove Microsoft Authenticator method
                    try {
                        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $method.Id
                        Write-Host "Removed Microsoft Authenticator method for <$userId>." -ForegroundColor Green
                    }
                    catch {
                        $userHadError = $true
                        Write-Host "Error removing Microsoft Authenticator method for <$userId>: $($_.Exception.Message)"
                    }
                }
                '#microsoft.graph.softwareOathAuthenticationMethod' {
                    # Remove software OATH (TOTP) method
                    try {
                        Remove-MgUserAuthenticationSoftwareOathMethod -UserId $userId -SoftwareOathAuthenticationMethodId $method.Id
                        Write-Host "Removed software OATH method for <$userId>." -ForegroundColor Green
                    }
                    catch {
                        $userHadError = $true
                        Write-Host "Error removing software OATH method for <$userId>: $($_.Exception.Message)"
                    }
                }
                default {
                    # Other method types (phone, email, FIDO2, ...) are left in place
                    Write-Host "Skipping method <$($method.Id)> of type <$methodType> for <$userId>."
                }
            }
        }
        if ($userHadError) {
            throw "One or more authentication methods could not be removed."
        }
        Write-Host "MFA reset for user <$userId> completed successfully." -ForegroundColor Green
    }
    catch {
        $failedUserIds += $userId
        Write-Host "MFA reset failed for user <$userId>: $($_.Exception.Message)"
    }
}

# Display failed operations
if ($failedUserIds.Count -gt 0) {
    Write-Host "`nThe following users encountered errors:"
    $failedUserIds | ForEach-Object { Write-Host $_ }
}
else {
    Write-Host "`nAll users processed successfully."
}
Write-Host "MFA enforcement process completed." -ForegroundColor Green
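A check worth running after the script above: confirm, per user in users.csv, which authentication methods are still registered. This is an added example, not part of the Kepion guide. A user whose only remaining method is the password has been reset and will re-register MFA at the next sign-in; a remaining Microsoft Authenticator or software OATH method means the reset did not fully apply. It assumes an interactive sign-in with delegated read permission and the users.csv from Step 4 in the current folder.

```powershell
# Added example: post-reset verification report for the users listed in users.csv.
# Assumes delegated, interactive sign-in; users.csv has the single ObjectId column from Step 4.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All" | Out-Null

$passwordMethodId = "28c10230-6103-485e-b985-444c60001490"   # well-known, non-removable password method
$resetTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)

$report = foreach ($row in Import-Csv -Path "users.csv") {
    try {
        $methods = Get-MgUserAuthenticationMethod -UserId $row.ObjectId
        # Everything except the password method, identified by its @odata.type
        $types = @(
            $methods |
                Where-Object { $_.Id -ne $passwordMethodId } |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        )
        $leftover = @($types | Where-Object { $resetTypes -contains $_ })

        if ($leftover.Count -gt 0)  { $status = 'RESET INCOMPLETE' }
        elseif ($types.Count -eq 0) { $status = 'Reset, awaiting re-registration' }
        else                        { $status = 'Reset, other methods remain' }

        [pscustomobject]@{
            ObjectId = $row.ObjectId
            # Shorten "#microsoft.graph.phoneAuthenticationMethod" to "phone" for readability
            Methods  = ($types | ForEach-Object {
                            ($_ -replace '^#microsoft\.graph\.', '') -replace 'AuthenticationMethod$', ''
                        }) -join ','
            Status   = $status
        }
    }
    catch {
        [pscustomobject]@{
            ObjectId = $row.ObjectId
            Methods  = ''
            Status   = "LOOKUP FAILED: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit when any user still has a method the reset script should have removed,
# so the check can gate an automated run.
if ($report | Where-Object { $_.Status -eq 'RESET INCOMPLETE' }) { Exit 1 }
```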
Final step: Notify your users
- Once MFA is enforced, Microsoft does not send automatic notifications to users. Instead, they will be prompted to set up MFA upon their next sign-in to Kepion.
- To assist them with the setup process, share this guide: Set up multifactor authentication with Microsoft Authenticator