Tuesday, 5 June 2018

Find and List MFA Enabled Status of Office 365 Users using Powershell

Multi-Factor Authentication (MFA) is a method of Azure AD authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can easily enable MFA for Azure AD users from the Azure MFA portal. In this post, I am going to share a PowerShell script to list Office 365 users with their MFA status and MFA-related details such as verification email, phone number and alternative phone number.

Before proceeding, run the following command to connect to the Azure AD PowerShell module (MSOnline).
Connect-MsolService
The command below lists all MFA enabled users (enabled either via Conditional Access or using the MFA portal). A user counts as MFA enabled if they have a per-user MFA state set or have at least one verification method registered.
Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -ne $null -or $_.StrongAuthenticationRequirements.State -ne $null}

List All Office 365 Users with MFA Status and MFA Details:

The following script retrieves all Azure AD users and their MFA details.
$Result = @()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # Per-user MFA state: "Enabled", "Enforced", or $null when MFA is not set per user
    $mfaStatus = $_.StrongAuthenticationRequirements.State
    # Verification methods the user has registered (phone, authenticator app, etc.)
    $methodTypes = $_.StrongAuthenticationMethods

    if ($mfaStatus -ne $null -or $methodTypes -ne $null)
    {
        # Methods registered but no per-user state: MFA is driven by Conditional Access
        if ($mfaStatus -eq $null)
        {
            $mfaStatus = 'Enabled (Conditional Access)'
        }
        $authMethods = $methodTypes.MethodType
        $defaultAuthMethod = ($methodTypes | Where { $_.IsDefault -eq "True" }).MethodType
        $verifyEmail = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    }
    else
    {
        # Reset every field so values from the previous user do not carry over
        $mfaStatus = "Disabled"
        $authMethods = $null
        $defaultAuthMethod = $null
        $verifyEmail = $null
        $phoneNumber = $null
        $alternativePhoneNumber = $null
    }

    $Result += New-Object PSObject -Property @{
        UserName = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus = $mfaStatus
        AuthenticationMethods = $authMethods
        DefaultAuthMethod = $defaultAuthMethod
        MFAEmail = $verifyEmail
        PhoneNumber = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
    }
}
$Result | Select UserName,MFAStatus,MFAEmail,PhoneNumber,AlternativePhoneNumber

List all MFA enabled users

$Result | Where {$_.MFAStatus -ne "Disabled"}

List all MFA enabled users without Phone Number

$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.PhoneNumber -eq $null}

List all MFA enabled users without Alternative Authentication Phone Number

$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.AlternativePhoneNumber -eq $null}

Export 365 users MFA status to CSV file

$Result | Export-CSV "C:\O365-Users-MFA-Details.csv" -NoTypeInformation -Encoding UTF8

List MFA Status for set of users from CSV:

You can use the script below if you want to check the MFA status for a particular set of users (for example, newly created users) by importing them from a CSV file. Consider the CSV file Office365Users.csv that holds a set of O365 users under the column header UserPrincipalName.
$Result = @()
# Read and iterate over the CSV file
Import-Csv 'C:\Office365Users.csv' | ForEach-Object {
    # Read the UserPrincipalName field from the CSV row
    $upn = $_."UserPrincipalName"
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    # Per-user MFA state: "Enabled", "Enforced", or $null when MFA is not set per user
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    # Verification methods the user has registered
    $methodTypes = $user.StrongAuthenticationMethods

    if ($user -ne $null -and ($mfaStatus -ne $null -or $methodTypes -ne $null))
    {
        # Methods registered but no per-user state: MFA is driven by Conditional Access
        if ($mfaStatus -eq $null)
        {
            $mfaStatus = 'Enabled (Conditional Access)'
        }
        $authMethods = $methodTypes.MethodType
        $defaultAuthMethod = ($methodTypes | Where { $_.IsDefault -eq "True" }).MethodType
        $verifyEmail = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    }
    else
    {
        $mfaStatus = "Disabled"
        # Distinguish a missing account from a user without MFA
        if ($user -eq $null)
        {
            $mfaStatus = 'User not found'
        }
        # Reset every field so values from the previous user do not carry over
        $authMethods = $null
        $defaultAuthMethod = $null
        $verifyEmail = $null
        $phoneNumber = $null
        $alternativePhoneNumber = $null
    }

    $Result += New-Object PSObject -Property @{
        UserName = $user.DisplayName
        UserPrincipalName = $upn
        MFAStatus = $mfaStatus
        AuthenticationMethods = $authMethods
        DefaultAuthMethod = $defaultAuthMethod
        MFAEmail = $verifyEmail
        PhoneNumber = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
    }
}
$Result | Select UserName,UserPrincipalName,MFAStatus
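As an added example (not the post's own code), the function below classifies each user's MFA posture the way the scripts above do, but keeps the per-user state (Enabled/Enforced, or none when MFA comes from Conditional Access) separate from whether any verification method is actually registered, and flags accounts that can still sign in without a registered second factor. It assumes only the Get-MsolUser properties already used on this page plus BlockCredential; the sample objects are constructed, so it runs offline.

```powershell
# Added example (not part of the original post): classify each user's MFA posture from
# Get-MsolUser output and flag accounts that can still sign in without a second factor.
# Assumes only the properties the post already uses (StrongAuthenticationRequirements,
# StrongAuthenticationMethods) plus BlockCredential; the function makes no service calls.
function Get-MfaPosture {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Per-user state is "Enabled", "Enforced" or $null (not set per user)
        $state   = ($User.StrongAuthenticationRequirements | Select-Object -First 1).State
        # Registered verification methods; @() makes a $null value safe to count
        $methods = @($User.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType

        # State and registration are independent: a user can be Enforced with nothing
        # registered yet, or registered with no per-user state (Conditional Access)
        $posture = if ($state -and $methods.Count -eq 0) { "$state, registration pending" }
                   elseif ($state) { "$state, registered" }
                   elseif ($methods.Count -gt 0) { 'Enabled (Conditional Access), registered' }
                   else { 'Disabled' }

        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            SignInBlocked     = [bool]$User.BlockCredential
            Posture           = $posture
            DefaultMethod     = $default
            # Gap: sign-in is allowed but no second factor is registered to be prompted
            Gap               = (-not $User.BlockCredential) -and ($methods.Count -eq 0)
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser -All output (not real tenant data)
$sample = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @([PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' })
        StrongAuthenticationMethods = @() }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; BlockCredential = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
)
$report = $sample | Get-MfaPosture
$report | Format-Table UserPrincipalName, Posture, DefaultMethod, SignInBlocked, Gap -AutoSize
# Summary counts per posture, useful for tracking an MFA rollout over time
$report | Group-Object Posture | Select-Object Name, Count
```

Against a live tenant, replace `$sample` with `Get-MsolUser -All` after `Connect-MsolService`; the "registration pending" rows are the ones to chase, since those users have MFA required but nothing registered yet.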


7 comments:

  1. Great script...one question.

     Why do you use Disabled when you populate your $Result variable?
     $Result | Where-Object {$_.MFAStatus -ne "Disabled"}

     Instead, why not use:
     $Result | Where-Object {$_.MFAStatus -eq "Enabled"}

     Replies
     1. Hi Tact, because MFAStatus can have another value, "Enforced", which is equivalent to Enabled.

  2. Why would a user's MFA status be showing as not set, but when I pull their MFA settings I can see that they have set up MFA?

  3. Can you adapt this script to use an input CSV file to list specific users' MFA status?

     Replies
     1. Hi,

        I have added another script to check MFA status for bulk users by importing users from a CSV file. You can check it now.

  4. Hi All,

     Very good script, but is there a way to run this for only active users?

     Thanks in advance

     Replies
     1. Not sure what you mean by active users. If you mean only enabled users (sign-in access not blocked), then you can get those users using the command below:

        Get-MsolUser -All | Where {$_.BlockCredential -eq $False}

        If you mean users who are actively using the O365 service, then you need to first find the users' last logon time using the Get-MailboxStatistics cmdlet; refer to the thread below:

        https://www.morgantechspace.com/2017/12/find-list-of-active-mailboxes-in-office-365-powershell.html