
Assign Mobile number from OnPrem AD to Azure AD Authentication Method

2 min read
Naw Awn

Recently, I have been working on migrating our multifactor authentication service provider from one that runs on-premises to Azure AD MFA. During the process, there was a need to copy all users' mobile numbers from the local Active Directory into their Azure AD authentication methods.

This is the cmdlet to do the job. It is available from the module called Microsoft.Graph.Identity.Signins.

New-MgUserAuthenticationPhoneMethod

Install the module and connect to the Microsoft Graph API with read and write scopes. Also import the ActiveDirectory PowerShell module into your PowerShell console. Make sure the PowerShell session uses TLS 1.2 for its traffic.

In essence, this is all you need.

Import-Module ActiveDirectory
Install-Module Microsoft.Graph.Identity.Signins
Import-Module Microsoft.Graph.Identity.Signins

# Use TLS 1.2 only (do not enable Ssl3 here; the comment says TLS 1.2 and SSL 3 is obsolete)
$TLS12Protocol = [System.Net.SecurityProtocolType] 'Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLS12Protocol

# Read and write authentication methods for all users
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
# Select-MgProfile exists in Graph PowerShell SDK 1.x only; SDK 2.x has no profiles
Select-MgProfile -Name beta

# Skip enabled accounts with an empty mobile attribute: the cmdlet fails on an empty phone number.
# The on-prem UserPrincipalName must match the Azure AD UPN for -UserId to resolve.
Get-AdUser -Filter {Enabled -eq $true} -Properties mobile |
Where-Object { $_.mobile } |
%{New-MgUserAuthenticationPhoneMethod -UserId $_.UserPrincipalName -PhoneType "mobile" -PhoneNumber $_.mobile}

If you are doing it directly from Azure AD user properties, you will need to use the AzureAD PowerShell module and sign in to your Azure AD environment.

Install-Module AzureAD
Connect-AzureAD
# Same rule as above: only users that actually have a Mobile value
Get-AzureADUser -All $true |
Where-Object { $_.Mobile } |
%{New-MgUserAuthenticationPhoneMethod -UserId $_.UserPrincipalName -PhoneType "mobile" -PhoneNumber $_.Mobile}

You also need to make sure that

  1. The mobile numbers are correct.
  2. The numbers are in the right format, i.e. "+44 7799999999" (country code, a space, then the subscriber number).
  3. The mobile number fields for service accounts are empty.

You could export all the user details to a CSV file first. Then work on the mobile numbers to get them into the right format, remove the unnecessary user accounts, and finally run the cmdlet against the CSV file content.

Get-AdUser -Filter {Enabled -eq $true} -Properties mobile |
Select-Object UserPrincipalName,mobile |
Export-Csv -Path C:\temp\UserMobile.csv -NoTypeInformation

# After the data cleaning and formatting on the CSV file
$UserMobile = Import-Csv -Path C:\temp\UserMobile.csv
$UserMobile | %{New-MgUserAuthenticationPhoneMethod -UserId $_.UserPrincipalName -PhoneType "mobile" -PhoneNumber $_.mobile}

Disconnect-MgGraph
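The three checks listed above (correct numbers, the "+44 7799999999" format, no numbers on service accounts) and the CSV round trip can be done in one pass instead of by hand. The script below is an added example, not code from the original post: it reads the exported CSV, normalises each number into the format Graph expects, skips rows that cannot be normalised or that match an exclusion pattern, and then creates the mobile method only when none exists yet (updating it when the stored number differs), so re-running it is safe. It assumes Connect-MgGraph has already been run with UserAuthenticationMethod.ReadWrite.All, that the CSV has the UserPrincipalName and mobile columns produced by the export above, and that +44 is the default country code and `^svc-`/`^admin-` are the service-account naming patterns; all three of those values are assumptions to adjust for your environment.

```powershell
# Added example: validate, normalise and idempotently push mobile numbers from the exported CSV.
# Assumptions: Connect-MgGraph already ran with UserAuthenticationMethod.ReadWrite.All;
# default country code and exclusion patterns below are placeholders for this example.
param(
    [string]$CsvPath = 'C:\temp\UserMobile.csv',
    [string]$DefaultCountryCode = '+44',                      # assumption: on-prem numbers are UK
    [string[]]$ExcludeUpnPattern = @('^svc-', '^admin-'),     # assumption: service/admin naming
    [switch]$WhatIf                                           # dry run: report only, change nothing
)

# Graph wants "+<country code> <subscriber number>", e.g. "+44 7799999999"
$GraphFormat = '^\+\d{1,3} \d{4,14}$'

function ConvertTo-GraphPhoneNumber {
    param([string]$Raw, [string]$CountryCode)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $n = $Raw -replace '[^\d+]', ''                                  # drop spaces, dashes, brackets
    if     ($n -match '^00')   { $n = '+' + $n.Substring(2) }        # 00447799... -> +447799...
    elseif ($n -match '^0')    { $n = $CountryCode + $n.Substring(1) } # 07799...   -> +447799...
    elseif ($n -notmatch '^\+') { $n = $CountryCode + $n }           # 7799...     -> +447799...
    # Numbers from another country code are left for manual review rather than guessed at
    if (-not $n.StartsWith($CountryCode)) { return $null }
    $out = '{0} {1}' -f $CountryCode, $n.Substring($CountryCode.Length)
    if ($out -match $GraphFormat) { return $out } else { return $null }
}

$rows   = Import-Csv -Path $CsvPath
$report = foreach ($row in $rows) {
    $upn    = $row.UserPrincipalName
    $result = [pscustomobject]@{ UPN = $upn; Number = $row.mobile; Status = '' }

    if ($ExcludeUpnPattern | Where-Object { $upn -match $_ }) {
        $result.Status = 'skipped-excluded'; $result; continue
    }
    $number = ConvertTo-GraphPhoneNumber -Raw $row.mobile -CountryCode $DefaultCountryCode
    if (-not $number) {
        $result.Status = 'skipped-invalid'; $result; continue       # empty or unparseable: fix in CSV
    }
    $result.Number = $number

    try {
        # One mobile method per user: look before creating so the script can be re-run
        $existing = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction Stop |
                    Where-Object { $_.PhoneType -eq 'mobile' }
        if ($existing) {
            if ($existing.PhoneNumber -eq $number) {
                $result.Status = 'unchanged'
            } else {
                Update-MgUserAuthenticationPhoneMethod -UserId $upn `
                    -PhoneAuthenticationMethodId $existing.Id `
                    -PhoneType 'mobile' -PhoneNumber $number -WhatIf:$WhatIf
                $result.Status = 'updated'
            }
        } else {
            New-MgUserAuthenticationPhoneMethod -UserId $upn `
                -PhoneType 'mobile' -PhoneNumber $number -WhatIf:$WhatIf | Out-Null
            $result.Status = 'created'
        }
    } catch {
        $result.Status = "error: $($_.Exception.Message)"           # e.g. UPN not found in Azure AD
    }
    $result
}

# Keep an audit trail of what was done to whom, then print a summary
$report | Export-Csv -Path ($CsvPath -replace '\.csv$', '.result.csv') -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Run it once with -WhatIf and read the .result.csv before doing it for real: every row marked skipped-invalid is a number that would have been rejected or, worse, silently registered wrong, and every skipped-excluded row is a service account that should not be getting an MFA phone at all.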