Get Office 365 Admin MFA Configuration
Hello,
In Office 365 you have different types of administrators: billing admin, company admin, Exchange admin, SharePoint admin, Teams & Skype admin, and many more. Below is the full list with their IDs and descriptions:
There are quite a few of them. As a security measure, you really want to force Multi-Factor Authentication (MFA) on some of them.
Get Office 365 Admin MFA Configuration
An obvious example is the “company administrators” role; you can check the current MFA enablement with this PowerShell line:
Connect-MsolService # You need to be connected to Microsoft Online first
Get-MsolRoleMember -RoleObjectId '62e90394-69f5-4237-9190-012177145e10' | select DisplayName,EmailAddress,IsLicensed,@{Label='MFAEnabled';Expression={if($_.StrongAuthenticationRequirements){$true}else{$false}}}
As you can see, I’m not a good example of security best practices; let’s correct that. To enable MFA, you can go to this page and then select the users on which you want to add the MFA requirement.
MFA is now enabled. Let’s run the PowerShell line again to verify what we just did:
Get-MsolRoleMember -RoleObjectId '62e90394-69f5-4237-9190-012177145e10' | select DisplayName,EmailAddress,IsLicensed,@{Label='MFAEnabled';Expression={if($_.StrongAuthenticationRequirements){$true}else{$false}}}
And now you can see that the admin account that I enabled MFA for is now under a strong authentication requirement.
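The same check extended to every admin role instead of only company administrators, as an added example that is not part of the original post. The function name Get-AdminMfaReport is hypothetical; it assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example: report the per-user MFA state of the members of every admin role.
# Get-AdminMfaReport is a hypothetical helper name, not an MSOnline cmdlet.
function Get-AdminMfaReport {
    [CmdletBinding()]
    param(
        # Optional role-name filter (wildcards allowed); the default covers every role.
        [string]$RoleName = '*'
    )

    foreach ($role in Get-MsolRole | Where-Object Name -like $RoleName) {
        # Only user members carry a per-user MFA state; skip other member types.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object RoleMemberType -eq 'User'

        foreach ($member in $members) {
            # StrongAuthenticationRequirements is empty when per-user MFA is off;
            # otherwise its State is 'Enabled' or 'Enforced'.
            $requirements = @($member.StrongAuthenticationRequirements | Where-Object { $_ })
            $state = if ($requirements.Count -gt 0) { "$($requirements[0].State)" } else { 'Disabled' }

            [pscustomobject]@{
                Role         = $role.Name
                DisplayName  = $member.DisplayName
                EmailAddress = $member.EmailAddress
                IsLicensed   = $member.IsLicensed
                MfaState     = $state
            }
        }
    }
}

# List every admin account that has no strong authentication requirement.
Get-AdminMfaReport |
    Where-Object MfaState -eq 'Disabled' |
    Sort-Object Role, DisplayName |
    Format-Table -AutoSize
```

An account that holds several roles appears once per role, which makes it easy to see which privileges an unprotected account carries. This property reflects per-user MFA only, so accounts covered solely by a Conditional Access policy will still show as Disabled here.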
Conclusion
Now you know how to identify admins who are not compliant with your security standards. This is one of the steps that “Office 365 Secure Score” will warn you about.
This step is kind of an easy +50 points on your Office 365 Secure Score. The only accounts where it can be tricky to enable MFA are service accounts and scripting accounts.
Note: MFA is great, but the SS7 network that powers cell phone calls and texts can be spoofed. The best MFA configuration is to use the Microsoft Authenticator app, which is based on push notifications and time-based expiring tokens.