PowerShell: Disable MFA For All O365 Users

KB ID 0001655

Problem

If you have something boring/repetitive to do then PowerShell is your friend! I needed to do this for a client that’s replacing their Office365/Azure AD MFA (Multi Factor Authentication) with Duo.

Solution

Connect to Microsoft Online Services (MSOL), i.e. Office365/Azure AD, using your administrative credentials with the following command;

[box]

Connect-MsolService

[/box]

Then clear the MFA requirement for every user (Note: I’ve got more than 1000 users, so I need to add the MaxResults switch).

[box]

Get-MsolUser -MaxResults 2000 | Set-MsolUser -StrongAuthenticationRequirements @()

[/box]
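The one-liner above clears MFA for everyone it returns with no record of who had it set. As an added example (not from the original article), the script below lists the affected users first, exports their current MFA state to a CSV so the change is auditable and reversible, and only then clears the requirement; it assumes the MSOnline module is installed and that `$DryRun` is a variable of our own for a reporting-only pass.

```powershell
# Added example, not part of the original KB article.
# Assumes the MSOnline module is installed and you hold an admin role in the tenant.
Connect-MsolService

# Set to $false to actually clear MFA; $true only reports and exports (our own switch).
$DryRun = $true

# -All avoids the fixed -MaxResults ceiling on tenants with more than 1000 users.
$users = Get-MsolUser -All

# Only users who actually have an MFA requirement set need changing.
$mfaUsers = $users | Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 }

# Keep a record of who had MFA, and in which state (Enabled/Enforced), before removal.
$mfaUsers |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } } |
    Export-Csv -Path '.\mfa-before-change.csv' -NoTypeInformation

Write-Host ("{0} of {1} users currently have an MFA requirement set." -f $mfaUsers.Count, $users.Count)

if (-not $DryRun) {
    foreach ($u in $mfaUsers) {
        # Passing an empty array removes the per-user MFA requirement, as in the article.
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @()
        Write-Host "Cleared MFA requirement for $($u.UserPrincipalName)"
    }
}
```

Run it once with `$DryRun = $true` to review the CSV and the count, then again with `$DryRun = $false` to make the change.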

Office 365: Disable MFA For One User

Similar to above;

[box]

Get-MsolUser -UserPrincipalName {user-name} | Set-MsolUser -StrongAuthenticationRequirements @()

[/box]

Related Articles, References, Credits, or External Links

NA

Unable to Connect to the Synchronisation Service

KB ID 0001649

Problem

I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d log in with another account. However, when I tried to open the Synchronisation Service Manager;

Unable to connect to the Synchronisation Service

Some possible reasons are:
1) The service is not started.
2) Your account is not a member of the requires security group.

See the Synchronisation Service documentation for details.

Solution

Well it was the second option in my case. Open Server Manager > Tools > Computer Management > System Tools > Local Users and Groups > Groups > ADSyncAdmins > Add your user in here. Log off and back on afterwards, as the new group membership is only picked up at logon.

Related Articles, References, Credits, or External Links

NA

Forcing Azure AD Connect Sync

KB ID 0001590

Problem

If you are using Azure AD Connect (AAD Connect) to sync your on-premises Active Directory with Azure AD (i.e. for Office 365), then there may be times when you need to manually ‘force a replication’, because by default it’s going to take 30 minutes between each normal ‘delta replication’.

Solution

If you are directly on the server that’s running Azure AD Connect, then use the following PowerShell. If you don’t know which server is running AD Connect, then see the following link;

Locate Your Azure AD Connect Server

Firstly you need to import the correct module (you only have to do this once per session). The module should already be installed on the Sync server, but let’s not tempt fate and check. (You can also use Get-Module to view the modules that are loaded.)

[box]

Import-Module ADSync

[/box]

Note: If you get an error you may need to run Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

Then to Manually Force a Synchronisation;

[box]

# To perform a FULL sync
Start-ADSyncSyncCycle -PolicyType Initial
# To perform a (normal) Delta sync
Start-ADSyncSyncCycle -PolicyType Delta

[/box]

You can view the Sync settings with;

[box]

Get-ADSyncScheduler

[/box]

But I don’t like that, I prefer to watch synchronisations going on in the ‘Synchronisation Service Manager’ console, you can spot and troubleshoot errors in here also 🙂

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

[box]

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

[/box]

Disable and Enable Azure AD Sync

[box]

# Disable the scheduled sync cycle
Set-ADSyncScheduler -SyncCycleEnabled $False
# Enable the scheduled sync cycle
Set-ADSyncScheduler -SyncCycleEnabled $True

[/box]

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

AAD Contains Another Object With The Same DN

Office 365: Enable User Password Reset

KB ID 0001551

Problem

If you want to give your Office 365 users the ability to change and recover their passwords this is the procedure.

Solution

Open the ‘Azure Active Directory’ admin console.

If you didn’t already know, Azure is what’s underpinning your Office 365 subscription. Select ‘Azure Active Directory’ > Password reset.

I’m enabling it for everyone; you can choose ‘Selected’ and then nominate the groups you want to grant password reset for. When done, click ‘Save’.

Now when your users login they will be asked for additional information.

They can then set a phone number and an alternative email address that can be used for authentication.

Related Articles, References, Credits, or External Links

NA