Welcome to Agustín Hernán Borrajo's cloud consulting microsite!

 The main purpose of this website is to share my 20+ years of experience in Hybrid Cloud Infrastructure & Cybersecurity.
 A detailed description of concrete work experiences and skills can be found in my 2025 resume.
 You can explore and read my online technical articles by expanding the menu below:

 Programmatically create MS Entra ID User Accounts with Python enforcing MFA & MS Authenticator.        🔽

 There is a way to easily bulk-create Azure Entra ID User Accounts while enforcing MFA and MS Authenticator on them.
 This article is a step-by-step guide that explains how to use create_entra_id_users.py  (create-entra-id-users-with-python 📑)

🔸 FIRST: We need to create an Entra ID APP registration that gives Python the Identity, Permissions and Credentials it needs to create Entra ID Tenant Objects.

💠 IMPORTANT: Keep a copy of the above Application (client) ID and the Directory (tenant) ID. They will be needed later (not yet) to run the command below:
   💻 python create_entra_id_users.py entra_id_users.csv --client-id <CLIENT_ID> --tenant-id <TENANT_ID> --client-secret <CLIENT_SECRET>
🔸 SECOND: Create a short-lived Client Secret and assign MS Graph API permissions (User.ReadWrite.All, Directory.Read.All, Group.ReadWrite.All).



💠 IMPORTANT: Make sure the Secret Value is copied before leaving the above screen, since it will be obscured afterwards (SECR********).





🔸 THIRD: We configure the MS Authenticator Entra ID Authentication Method Policy for the 'internalprogrammatic' group.


🔸 WRAPPING-UP : Now it is time to execute the Python script to programmatically create Entra ID Users that will use MS Authenticator to log-in.

 create-entra-id-users-with-python 📑

💻 python create_entra_id_users.py entra_id_users.csv --client-id <CLIENT_ID> --tenant-id <TENANT_ID> --client-secret <CLIENT_SECRET>
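
The following is an added example, not the code of create_entra_id_users.py: it shows the Microsoft Graph request bodies that a bulk-creation run of this kind has to send (`POST /users`, then `POST /groups/{group-id}/members/$ref` for the 'internalprogrammatic' group), built offline from CSV rows. The CSV column names, the sample rows and all function names are assumptions made for illustration.

```python
import csv, io, secrets, string

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample input; the column names and the function names below are
# hypothetical, not the format or code of the article's script.
SAMPLE_CSV = """display_name,upn
Ana Example,ana.example@contoso.onmicrosoft.com
Bob Example,bob.example@contoso.onmicrosoft.com
,broken-row
"""

def temp_password(length=20):
    """Random one-time password with upper, lower, digit and symbol."""
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!#%*+-_"]
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def user_payload(row):
    """Body for POST /users; returns None for rows that cannot be created."""
    name, upn = (row.get("display_name") or "").strip(), (row.get("upn") or "").strip()
    if not name or upn.count("@") != 1:
        return None
    return {
        "accountEnabled": True,
        "displayName": name,
        "mailNickname": upn.split("@")[0],
        "userPrincipalName": upn,
        # The temporary password must be changed at first sign-in.
        "passwordProfile": {"forceChangePasswordNextSignIn": True,
                            "password": temp_password()},
    }

def member_ref(user_id):
    """Body for POST /groups/{group-id}/members/$ref."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}

def plan(csv_text):
    """Split CSV rows into (method, url, body) requests and rejected rows."""
    requests, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        body = user_payload(row)
        if body is None:
            rejected.append(row)
            continue
        requests.append(("POST", f"{GRAPH}/users", body))
    return requests, rejected
```

The `id` returned by each successful `POST /users` response is the value passed to `member_ref` when the account is added to the group.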


🔸 FOURTH : Verify via the Azure Portal that Entra ID indeed shows the newly created User IDs as members of 'internalprogrammatic'.


🔸 FIFTH : Verify that MS Authenticator is requested to complete the log-in cycle after Entra_ID/PSW, and not only during the onboarding process.
💠 CLUE : An incognito browser session can be used to test the brand new Entra ID Accounts via Entra ID Portal or Azure Portal.







🔸 SIXTH : Incognito re-authentication (from scratch) shows the below behaviour when testing the accounts via Entra ID Portal.










 LinkedIn reference to this article


 This article was originally published on 2025-OCT-17 and last reviewed on 2025-OCT-17.