Tags: azure-active-directory, active-directory, multi-factor-authentication

Automatic transfer of users' phone numbers from 'Active Directory on-premises' to MFA field in Azure Active Directory


In my organization we're running a kind of hybrid environment - we use both Active Directory on-premises and Azure AD. We'd like to use the MFA functionality in AAD and enter employee phone numbers in 'Authentication method'. Employees' phone numbers are already present on users' cards in AD on-premises (General or Telephones tab).


Therefore, I have the following questions:

  1. Does anyone know a way to automatically transfer data from AD on-premises to the appropriate MFA field in AAD? Via Power Automate, PowerShell, whatever - the technology doesn't matter, the point is not to manually flip the data :)
  2. If there is no chance to transfer such data from AD on-premises, maybe there is an option to treat creating a new user's account as a trigger for the action of copying his/her number from this field (Phone number on the General tab) - for example to MFA.

I'd be incredibly grateful - for any advice :)

If you have any ideas other than Microsoft.Graph.Identity.Signins

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

which unfortunately didn't work in this case, that would be awesome :)


Solution

  • Automatic transfer of users' phone numbers from 'Active Directory on-premises' to MFA field in Azure Active Directory

    As per the MS doc, it is not possible to directly sync the Authentication contact information from on-prem AD to Azure AD, as these attributes are cloud-only attributes. See: Authentication contact info

    To update the on-prem users' phone numbers to the Azure AD authentication method, you can follow the steps below.

    1. Export on-prem AD user details to a CSV file using the PowerShell code below.

      Import-Module ActiveDirectory
      # Column names 'upn' and 'phonenumber' match the import script in step 2.
      # MobilePhone is the Telephones-tab field; use OfficePhone for the General-tab number.
      Get-ADUser -Filter * -Properties UserPrincipalName, MobilePhone |
          Where-Object { $_.MobilePhone } |
          Select-Object Name, SamAccountName, @{n='upn';e={$_.UserPrincipalName}}, @{n='phonenumber';e={$_.MobilePhone}} |
          Export-Csv -Path C:\Users.csv -NoTypeInformation


    Output: (screenshot not reproduced)

    Once the user details are exported, you can use the PowerShell code below to update the Authentication contact information in Azure AD.

        Install-Module Microsoft.Graph -Scope CurrentUser -Force
        # The ReadWrite scope already includes read access.
        Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
        # CSV with columns 'upn' and 'phonenumber' (the file exported in step 1).
        $inputfile = "/home/mt/EnableMFA.csv"
        $data = Import-Csv -Path $inputfile
        foreach ($user in $data)
        {
            $upn   = $user.upn
            # Graph expects the number as "+<country code> <number>", e.g. "+1 5555551234".
            $phone = $user.phonenumber
            try
            {
                New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneNumber $phone -PhoneType "mobile" -ErrorAction Stop | Out-Null
                Write-Host "Phone number $phone updated successfully for user $upn."
            }
            catch
            {
                # Fails if the number is malformed or the user already has a mobile method.
                Write-Warning "Error updating phone number $phone for user ${upn}: $($_.Exception.Message)"
            }
        }


    Output: (screenshot not reproduced)

    Once the above code has run, the phone numbers are updated in Azure AD.
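Added example (my own code, not part of the question or the answer above): the import script fails when an AD number is not in the "+<country code> <number>" form Graph requires, or when the user already has a mobile method. This version normalises the AD value first and then creates or updates the existing method so the script can be re-run safely. It assumes the Microsoft.Graph module is installed, Connect-MgGraph has been run with UserAuthenticationMethod.ReadWrite.All, a default country code of '48', and the constructed sample rows stand in for the exported CSV.

```powershell
function ConvertTo-GraphPhone {
    # Turn an AD phone value into "+<cc> <digits>"; returns $null if unusable.
    param([string]$Raw, [string]$DefaultCountryCode = '48')   # '48' is an assumed default
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $s = $Raw.Trim()
    if ($s -match '^(?:\+|00)(\d{1,3})[\s().-]+(.+)$') {
        $cc = $Matches[1]; $rest = $Matches[2]                # "+48 (22) 123-45-67"
    } elseif ($s -match '^(\+|00)') {
        return $null       # country code not separable from the number, skip the row
    } else {
        $cc = $DefaultCountryCode; $rest = $s                 # national format
    }
    $digits = $rest -replace '\D', ''
    if ($digits.Length -lt 6) { return $null }                # too short to be a number
    return "+$cc $digits"
}

function Set-MfaMobilePhone {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Upn, [string]$Phone)
    $existing = Get-MgUserAuthenticationPhoneMethod -UserId $Upn -ErrorAction Stop |
        Where-Object { $_.PhoneType -eq 'mobile' }
    if ($existing) {
        if ($existing.PhoneNumber -eq $Phone) { return 'unchanged' }
        if ($PSCmdlet.ShouldProcess($Upn, "Update mobile method to $Phone")) {
            Update-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $existing.Id `
                -PhoneNumber $Phone -PhoneType 'mobile' -ErrorAction Stop | Out-Null
        }
        return 'updated'
    }
    if ($PSCmdlet.ShouldProcess($Upn, "Create mobile method $Phone")) {
        New-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneNumber $Phone -PhoneType 'mobile' -ErrorAction Stop | Out-Null
    }
    return 'created'
}

# Constructed sample rows standing in for the CSV exported from on-prem AD.
$rows = @(
    [pscustomobject]@{ upn = 'alice@contoso.example'; phonenumber = '+48 (22) 123-45-67' }
    [pscustomobject]@{ upn = 'bob@contoso.example';   phonenumber = '601 234 567' }
    [pscustomobject]@{ upn = 'carol@contoso.example'; phonenumber = '' }
)
foreach ($r in $rows) {
    $phone = ConvertTo-GraphPhone -Raw $r.phonenumber
    if (-not $phone) { Write-Warning "Skipping $($r.upn): no usable phone number"; continue }
    try   { $result = Set-MfaMobilePhone -Upn $r.upn -Phone $phone -WhatIf }   # drop -WhatIf to apply
    catch { $result = "failed: $($_.Exception.Message)" }
    Write-Output "$($r.upn) -> $phone : $result"
}
```

The loop runs with -WhatIf so it only reports what it would create or update; remove it once the normalised numbers look right.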