Use EnableMfaDevice with a CLI

To enable an MFA device

After you use the create-virtual-mfa-device command to create a new virtual MFA device, you can assign the MFA device to a user. The following enable-mfa-device example assigns the MFA device with the serial number arn:aws:iam::210987654321:mfa/BobsMFADevice to the user Bob. The command also synchronizes the device with AWS by including the first two codes in sequence from the virtual MFA device.

aws iam enable-mfa-device \
    --user-name Bob \
    --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
    --authentication-code1 123456 \
    --authentication-code2 789012

This command produces no output.

For more information, see Enabling a virtual multi-factor authentication (MFA) device in the AWS IAM User Guide.

Example 1: This command enables the hardware MFA device with the serial number 987654321098 and associates the device with the user Bob. It includes the first two codes in sequence from the device.

Enable-IAMMFADevice -UserName "Bob" -SerialNumber "987654321098" -AuthenticationCode1 "12345678" -AuthenticationCode2 "87654321"

Example 2: This example creates and enables a virtual MFA device. The first command creates the virtual device and returns the device's object representation in the variable $MFADevice. You can use the .Base32StringSeed or QRCodePng properties to configure the user's software application. The final command assigns the device to the user David, identifying the device by its serial number. The command also synchronizes the device with AWS by including the first two codes in sequence from the virtual MFA device.

$MFADevice = New-IAMVirtualMFADevice -VirtualMFADeviceName "MyMFADevice"
# see example for New-IAMVirtualMFADevice to see how to configure the software program with PNG or base32 seed code
Enable-IAMMFADevice -UserName "David" -SerialNumber -SerialNumber $MFADevice.SerialNumber -AuthenticationCode1 "24681357" -AuthenticationCode2 "13572468"