Setting MFA during account creation

Hi,

Another custom script query following the one I had the other week. We've got a script that switches on MFA to have SMS as the default but doesn't set a number. We do this as a measure to prevent people who haven't had MFA set up having their credentials hacked and then someone using them to log in and then set MFA to what they want. There's a control list that doesn't prompt for MFA within our network, so the users or admin can log in within our network and set the number to the correct one if they wish, and for a hacker they get stuck by the MFA prompt that goes nowhere.

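# Load the MSOnline module that provides the Msol cmdlets
Import-Module MSOnline

# Stored credential, then connect to the MSOnline service
$credential = Import-Clixml -Path 'PATH'
Connect-MsolService -Credential $credential

# UPN saved earlier in the Active Roles workflow by the "Get UserPrincipalName" activity
$UserUPN = $workflow.SavedObjectProperties("Get UserPrincipalName").get("UserPrincipalName")

# SMS as the default method; no phone number is set
$SMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SMS.IsDefault = $true
$SMS.MethodType = "OneWaySMS"

# Second method object; it is not added to $PrePopulate, so it is never sent
$Phone = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$Phone.IsDefault = $false

$PrePopulate = @($SMS)

# Write the pre-populated method list to the user
Set-MsolUser -UserPrincipalName $UserUPN -StrongAuthenticationMethods $PrePopulate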

MSOL is old hat now, I know, but at the time this was the only way we could set this as Microsoft squirrels away the MFA settings and won't let a third party manipulate them. This script still works if I run it manually with PowerShell but as part of a workflow it fails and I can't find anyone else trying to do the same thing. Graph might be able to do it but I'm struggling to find anything that does exactly what the above does. Has anyone else come across this kind of script before and could have an alternative means of doing it? It seems bananas that MS doesn't have an easy way of doing this!

As an aside, I'm looking at changing how the authentication is done to use a certificate as well instead of Clixml, once I can get the scripts working, because the above method works fine so getting the scripts sorted is more pressing.

We're on Active Roles 8.1.3 SP1 and PowerShell version 5.1.

Thanks in advance
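
An added example, not part of the original post: a check that reports which MFA state each account is in, so a workflow run of the script above can be confirmed per user. The function name `Get-MfaRegistrationState`, the state labels and the sample users are made up for this example; it reads only the `StrongAuthenticationMethods` and `StrongAuthenticationUserDetails` properties that `Get-MsolUser` returns.

```powershell
# Added example. Classifies a user object by its per-user MFA registration.
# Works on Get-MsolUser output or on any object with the same three properties.
function Get-MfaRegistrationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Drop $null so an unset property counts as zero methods
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        $phone   = $User.StrongAuthenticationUserDetails.PhoneNumber
        $hasPhone = -not [string]::IsNullOrWhiteSpace($phone)

        $state = if ($methods.Count -eq 0) {
            'NoMethodRegistered'      # script has not been applied to this account
        } elseif ($default.MethodType -eq 'OneWaySMS' -and -not $hasPhone) {
            'SmsDefaultNoNumber'      # the state the script in the post creates
        } else {
            'Registered'
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            DefaultMethod     = $default.MethodType
            HasPhoneNumber    = $hasPhone
            State             = $state
        }
    }
}

# Constructed sample users (not real accounts) so the check runs offline
$sms = [pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' }
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'new.starter@example.com'
        StrongAuthenticationMethods = @(); StrongAuthenticationUserDetails = $null }
    [pscustomobject]@{ UserPrincipalName = 'prepopulated@example.com'
        StrongAuthenticationMethods = @($sms); StrongAuthenticationUserDetails = $null }
    [pscustomobject]@{ UserPrincipalName = 'enrolled@example.com'
        StrongAuthenticationMethods = @($sms)
        StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+44 5550100' } }
)
$sample | Get-MfaRegistrationState | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-MfaRegistrationState | Where-Object State -eq 'NoMethodRegistered'
```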