Set MFA enabled as default for new users

Follow

Niklas Myrnäs

• March 13, 2019 09:00

Hi

Is there a way to default enable MFA when creating a new user?

Best regards

Niklas

0

• 

  Tatiana Golubovich

  • March 21, 2019 10:43
  • Edited

  To enable MFA when creating a new user, you should do the following:

  1. Create new Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule 

  

  2. Open Query Filters section

  3. In DisplayName/Email starts with set this value: {$tmpV=(GetSessionParameter 'Office365CreatedUser');if([string]::IsNullOrWhiteSpace($tmpV)){"TMP3A76F199A1C04BD6824C3C8A58F1852C"}else{"$tmpV"}}.InvokeReturnAsIs()

  

  4. Click Save Changes

  5. Navigate to HOME > CONFIGURATION > Web Interface > Web Actions > Active Directory > New User

  6. Enable Design mode https://support.cayosoft.com/hc/en-us/articles/360010342572 

  7. Add Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule to Rules to run after this rule section in New User action https://cayosoft.zendesk.com/hc/en-us/articles/360018539692 after New User | Create Office 365 User rule

  

   

  8. Select the Office 365 Users | Enforce Multi-Factor Authentication (MFA) rule in the Specify rules to run list, click Edit.., expand the Behavior section and set the Execute If condition setting to the following condition: ($MailBoxType -eq 2 -or $MailBoxType -eq 3) -and ((GetSessionParameter "CreatedObjectGUID") -ne $null)
  

  

  9. Click Save changes

   

  0

  Comment actions Permalink
• 

  Niklas Myrnäs

  • March 13, 2019 13:23

  GREAT!

  Thanks so much Tatiana!
  
  /Niklas

  0

  Comment actions Permalink
• 

  Niklas Myrnäs

  • March 20, 2019 09:58

  Hi Tatiana!

  I have now done some tests with this BUT it does not work. Nothing happens in regards to MFA settings when I create a new user.
  
  Best regards
  
  Niklas

  0

  Comment actions Permalink
• 

  Tatiana Golubovich

  • March 20, 2019 11:43

  Hi Niklas!

  So, you configure the rules as described above, create a new AD user in Web Portal, then you find the matching account in MS Office 365 > Active Users query, open MFA settings, and MFA should be enabled.

  If it doesn't work in your environment, please, enable logging, create the user and send us the log to cayosoft@support.com

   

  Tatiana

  0

  Comment actions Permalink
• 

  Niklas Myrnäs

  • March 22, 2019 10:08

  Hi

  The new solution described above works fine. Thanks a lot!!!

  
  Best regards
  
  Niklas

  0

  Comment actions Permalink
• 

  Niklas Myrnäs

  • June 10, 2019 08:36

  Hi, Tatiana!

  It seems like the rule (described above) sometimes run on all users even though it is triggered by the "New user" action. It should only run on the account that it is creating. We discovered this when the AD Sync stopped as the service account got MFA enabled. Not so good.

  Can we in some way secure that that won't happen again?

  Best regards

  Niklas

  0

  Comment actions Permalink

Please sign in to leave a comment.