Set MFA enabled as default for new users

Comments

6 comments

  • Tatiana Golubovich

    To enable MFA when creating a new user, you should do the following:

    1. Create new Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule 

    2. Open Query Filters section

    3. In DisplayName/Email starts with set this value: {$tmpV=(GetSessionParameter 'Office365CreatedUser');if([string]::IsNullOrWhiteSpace($tmpV)){"TMP3A76F199A1C04BD6824C3C8A58F1852C"}else{"$tmpV"}}.InvokeReturnAsIs()

    4. Click Save Changes

    5. Navigate to HOME > CONFIGURATION > Web Interface > Web Actions > Active Directory > New User

    6. Enable Design mode https://support.cayosoft.com/hc/en-us/articles/360010342572 

    7. Add Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule to Rules to run after this rule section in New User action https://cayosoft.zendesk.com/hc/en-us/articles/360018539692 after New User | Create Office 365 User rule


    8. Select the Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule in the Specify rules to run list, click Edit.., expand the Behavior section and set the Execute If condition setting to the following condition: ($MailBoxType -eq 2 -or $MailBoxType -eq 3) -and ((GetSessionParameter "CreatedObjectGUID") -ne $null)

    9. Click Save changes

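As an added illustration (not part of Tatiana's comment and not Cayosoft's own code), the following PowerShell evaluates the Query Filter expression from step 3 and the Execute If condition from step 8 against constructed session parameters. GetSessionParameter is a Cayosoft cmdlet; here it is assumed to behave like a lookup of the session's named values and is stubbed with a hashtable, and the user names and mailbox types are constructed.

```powershell
# Added example, not Cayosoft's code: simulates the two expressions from the steps
# above against constructed session parameters. GetSessionParameter is a Cayosoft
# cmdlet; here it is stubbed with a hashtable so the snippet runs stand-alone.
$script:Session = @{}
function GetSessionParameter([string]$Name) { $script:Session[$Name] }

# Step 3: the query-filter value. With no created user in the session it falls
# back to an opaque sentinel that no real name starts with, so the query is
# meant to select nothing rather than everything.
function Get-MfaQueryPrefix {
    {
        $tmpV = (GetSessionParameter 'Office365CreatedUser')
        if ([string]::IsNullOrWhiteSpace($tmpV)) { "TMP3A76F199A1C04BD6824C3C8A58F1852C" } else { "$tmpV" }
    }.InvokeReturnAsIs()
}

# Step 8: the Execute If condition. The MFA rule only runs for mailbox types 2
# and 3, and only when the New User action actually produced an object.
function Test-MfaExecuteIf([int]$MailBoxType) {
    ($MailBoxType -eq 2 -or $MailBoxType -eq 3) -and ((GetSessionParameter "CreatedObjectGUID") -ne $null)
}

# Constructed directory snapshot. "starts with" is a prefix match, so a name that
# is a prefix of another name selects both; check each run's Matches column.
$users = @('Jane Doe', 'Jane Doering', 'svc-adsync')
function Select-ByPrefix([string]$Prefix) { $users | Where-Object { $_.StartsWith($Prefix) } }

# Evaluates both expressions for one simulated session and reports the outcome.
function Show-Case([string]$Label, [hashtable]$SessionState, [int]$MailBoxType) {
    $script:Session = $SessionState
    $prefix = Get-MfaQueryPrefix
    [pscustomobject]@{
        Case      = $Label
        Prefix    = $prefix
        Matches   = (Select-ByPrefix $prefix) -join ', '
        ExecuteIf = Test-MfaExecuteIf $MailBoxType
    }
}

# Case 1: the rule fires with no created user recorded in the session.
Show-Case 'no created user' @{} 2
# Case 2: New User just created 'Jane Doe' with mailbox type 2 (accepted by the condition).
Show-Case 'created Jane Doe' @{ 'Office365CreatedUser' = 'Jane Doe'; 'CreatedObjectGUID' = [guid]::NewGuid() } 2
# Case 3: same created user, but mailbox type 1, which the condition rejects.
Show-Case 'other mailbox type' @{ 'Office365CreatedUser' = 'Jane Doe'; 'CreatedObjectGUID' = [guid]::NewGuid() } 1
```

The Matches column for case 2 shows why a prefix filter deserves a second look: any account whose name begins with the created user's name is selected as well.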
  • Permanently deleted user

    GREAT!

    Thanks so much Tatiana!

    /Niklas

  • Permanently deleted user

    Hi Tatiana!

    I have now done some tests with this BUT it does not work. Nothing happens in regards to MFA settings when I create a new user.

    Best regards

    Niklas

  • Tatiana Golubovich

    Hi Niklas!

    So, you configure the rules as described above, create a new AD user in the Web Portal, then find the matching account in the MS Office 365 > Active Users query, open MFA settings, and MFA should be enabled.

    If it doesn't work in your environment, please enable logging, create the user and send us the log to cayosoft@support.com


    Tatiana

  • Permanently deleted user

    Hi

    The new solution described above works fine. Thanks a lot!!!
    Best regards

    Niklas

  • Permanently deleted user

    Hi, Tatiana!

    It seems like the rule (described above) sometimes runs on all users even though it is triggered by the "New user" action. It should only run on the account that it is creating. We discovered this when the AD Sync stopped, as the service account got MFA enabled. Not so good.

    Can we in some way secure that that won't happen again?

    Best regards

    Niklas
