Enabling MFA with Conditional Access

Following the previous post about Enabling MFA, imagine that you followed my recommendations about enabling and enforced by using MFA, but now what you want to do is to enable MFA but in a CA policy, with the following PS you can make the conversion from MFA to CA based MFA.

The advantage? More powerful, you can select which services can ask for MFA, the condition of the device, and many other features…

# Sets the MFA requirement state
function Set-MfaState {


Process {
Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
$Requirements = @()
if ($State -ne "Disabled") {
$Requirement =
$Requirement.RelyingParty = "*"
$Requirement.State = $State
$Requirements += $Requirement

Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
-StrongAuthenticationRequirements $Requirements

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s