Set-AdfsAzureMfaTenant

Enables an AD FS farm to use MFA.

Syntax

Set-AdfsAzureMfaTenant
   -TenantId <String>
   -ClientId <String>
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-AdfsAzureMfaTenant cmdlet enables an Active Directory Federation Services (AD FS) farm to use Azure Multi-Factor Authentication (MFA) after a certificate has been created and registered in the Microsoft Entra tenant.

Examples

Example 1: Enable Azure MFA

PS C:\> $certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
PS C:\> New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

This command creates a certificate for Azure MFA, registers it in the tenant, and enables Azure MFA on the AD FS farm.

Example 2: Determine which certificate Azure MFA is using

$CertInBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> 
[Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($CertInBase64))

After AD FS has been configured for Azure MFA, this command determines which certificate Azure MFA is using and when it expires.

Parameters

-ClientId

Specifies the well-known ID of the Azure MFA application in Microsoft Entra ID.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-TenantId

Specifies the GUID representation of a Microsoft Entra tenant ID. This can be found in the URL bar of the Microsoft Entra admin center, as in this example:

https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/\<tenantID_GUID\>/directoryQuickStart

You can also use the Login-AzureRmAccount cmdlet that is part of the Azure PowerShell module to get the tenant ID.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False