It looks like EAM support in System Preferred MFA has rolled out to some tenants already. Below we can see a user who has both MS Authenticator and EAM available is directed to EAM by default, not MS Authenticator. Docs are incorrect until the PR is merged. Also, this announcement shows in GCC, but if anyone happens to confirm it is working in GCC for them, it would be greatly appreciated.
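You Should Know:
The Msol cmdlets below come from the MSOnline PowerShell module and need a session opened with Connect-MsolService. Microsoft has deprecated that module in favour of Microsoft Graph PowerShell. Replace the sample UPN and domain name with your own values.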
1. Check MFA Status in Azure AD:
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object -Property UserPrincipalName,StrongAuthenticationMethods
2. Enable MFA for a User:
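$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{RelyingParty="*"; State="Enabled"}
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements @($req)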
3. Disable MFA for a User:
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements @()
4. List All Users with MFA Enabled:
Get-MsolUser -All | Where-Object {$_.StrongAuthenticationRequirements.State -eq "Enabled"} | Select-Object -Property UserPrincipalName
5. Check MFA Methods for a User:
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object -ExpandProperty StrongAuthenticationMethods
6. Update MFA Settings via Azure Portal:
- Navigate to Azure Active Directory > Security > MFA > Additional cloud-based MFA settings.
7. Verify MFA Configuration in GCC:
Get-MsolDomainFederationSettings -DomainName domain.com | Select-Object -Property PreferredAuthenticationProtocol
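8. Audit MFA Logs (Microsoft Graph PowerShell, Microsoft.Graph.Reports module, AuditLog.Read.All scope):
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'User registered security info' and activityDateTime ge $since"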
9. Force MFA Re-registration:
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationMethods @()
10. Check MFA Registration Policy:
Get-MsolCompanyInformation | Select-Object -Property StrongAuthenticationRequirement
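The checks in items 1, 4 and 5 can be combined into one per-user report. The function below is an added example, not code from the original post; the name Get-MfaPosture, the finding labels and the sample users are assumptions made for illustration.

```powershell
# Added example, not from the original post. Input objects need the properties
# Get-MsolUser returns: UserPrincipalName, StrongAuthenticationRequirements, StrongAuthenticationMethods.
function Get-MfaPosture {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    begin {
        # Per-user MFA MethodType values that are delivered over the phone network.
        $telephony = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice'
    }
    process {
        # An empty requirements array means per-user MFA is Disabled for this account.
        $state = $User.StrongAuthenticationRequirements.State | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object IsDefault |
            Select-Object -First 1 -ExpandProperty MethodType
        $finding = if ($methods.Count -eq 0) { 'NoMethodRegistered' }
        elseif ($default -in $telephony)     { 'TelephonyDefault' }
        elseif ($state -eq 'Disabled')       { 'PerUserMfaOff' }  # Conditional Access may still require MFA
        else                                 { 'OK' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserState      = $state
            DefaultMethod     = $default
            Methods           = $methods.MethodType -join ', '
            Finding           = $finding
        }
    }
}

# Constructed sample data shaped like Get-MsolUser output, so the report runs without a tenant.
$m = { param($type, $default) [pscustomobject]@{ MethodType = $type; IsDefault = $default } }
$r = { param($state) [pscustomobject]@{ RelyingParty = '*'; State = $state } }
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@domain.com'
        StrongAuthenticationRequirements = @(& $r 'Enforced')
        StrongAuthenticationMethods = @((& $m 'PhoneAppNotification' $true), (& $m 'OneWaySMS' $false)) }
    [pscustomobject]@{ UserPrincipalName = 'bob@domain.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@domain.com'
        StrongAuthenticationRequirements = @(& $r 'Enabled')
        StrongAuthenticationMethods = @(& $m 'OneWaySMS' $true) }
    [pscustomobject]@{ UserPrincipalName = 'dave@domain.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @(& $m 'PhoneAppOTP' $true) }
)
$sample | Get-MfaPosture | Format-Table -AutoSize
# Against a live tenant (after Connect-MsolService): Get-MsolUser -All | Get-MfaPosture
```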
What Undercode Say:
EAM support in System Preferred MFA is a significant update for tenants using Azure AD. The default shift from MS Authenticator to EAM highlights the importance of staying updated with Microsoft’s documentation and community announcements. The provided PowerShell commands are essential for managing and auditing MFA settings, ensuring your tenant’s security posture remains robust. Always verify configurations in GCC environments and stay proactive in updating your MFA policies.
For more details, refer to the official documentation: Microsoft Entra External Authentication Methods.
References:
Reported By: Nathanmcnulty It – Hackers Feeds