Tuesday, 5 June 2018

Find and List MFA Enabled Status of Office 365 Users using PowerShell

Multi-Factor Authentication (MFA) is a method of Azure AD authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can easily enable MFA for Azure AD users through the Azure MFA portal. In this post, I am going to share a PowerShell script that lists the MFA status of Office 365 users.

List Office 365 Users MFA Status:

Before proceeding, run the following command to connect to Azure AD with the Azure AD PowerShell module.
Connect-MsolService
The following commands list the MFA status of all Azure AD users.
$Result = @()
# Retrieve every user in the tenant
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # State holds a value (Enabled or Enforced) when MFA is turned on for the user; otherwise it is $null
    if ($null -ne $user.StrongAuthenticationRequirements.State) {
        $mfaStatus = $user.StrongAuthenticationRequirements.State
    } else {
        $mfaStatus = "Disabled"
    }

    # Collect one row per user
    $Result += New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
# Display the result
$Result | Select UserName,UserPrincipalName,MFAStatus

Export Office 365 users' MFA status to a CSV file:

$Result | Select UserName,UserPrincipalName,MFAStatus |
    Export-CSV "C:\O365-Users-MFA-Status.csv" -NoTypeInformation -Encoding UTF8

List only MFA-enabled users:

$Result | Where-Object {$_.MFAStatus -ne "Disabled"}
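
The same classification as a pipeline function with a coverage summary, written as an added example that is not part of the original post. The function names Get-MfaState and Get-MfaCoverage and the sample accounts are assumptions made for illustration; the sample objects are constructed to mimic the shape of Get-MsolUser output so the block runs without a tenant connection.

```powershell
function Get-MfaState {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$User)
    process {
        # StrongAuthenticationRequirements is a collection; it is empty or $null
        # when MFA was never turned on for the account, so filter out blanks.
        $state = $User.StrongAuthenticationRequirements |
            ForEach-Object { $_.State } |
            Where-Object { $_ } |
            Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        [pscustomobject]@{
            UserName          = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = [string]$state
            # Enabled and Enforced both count as MFA turned on
            MFARequired       = $state -in 'Enabled', 'Enforced'
        }
    }
}

function Get-MfaCoverage {
    param([Parameter(Mandatory)][object[]]$Report)
    $total = $Report.Count
    $Report | Group-Object MFAStatus | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            MFAStatus = $_.Name
            Users     = $_.Count
            Percent   = [math]::Round(100 * $_.Count / $total, 1)
        }
    }
}

# Constructed sample data. Against a live tenant: Get-MsolUser -All | Get-MfaState
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice'; UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ DisplayName = 'Bob'; UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' }) }
    [pscustomobject]@{ DisplayName = 'Carol'; UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ DisplayName = 'Dave'; UserPrincipalName = 'dave@contoso.example'
        StrongAuthenticationRequirements = $null }
)

$report = $sample | Get-MfaState
$report | Where-Object { -not $_.MFARequired }   # accounts with per-user MFA off
Get-MfaCoverage -Report $report                  # user count and percentage per state
```

The State property reflects per-user MFA only; MFA required through Conditional Access policies does not appear in it.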


2 comments:

  1. Great script...one question.

    Why do you use Disabled when you populate your $Result variable?
    $Result | Where-Object {$_.MFAStatus -ne "Disabled"}

    Instead, why not use:
    $Result | Where-Object {$_.MFAStatus -eq "Enabled"}

    1. Hi Tact, because the MFAStatus can have another value "Enforced" which is equivalent to Enabled
