Tuesday, 5 June 2018

Find and List MFA Enabled Status of Office 365 Users using PowerShell

Multi-Factor Authentication (MFA) is a method of Azure AD authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can easily enable MFA for Azure AD users using the Azure MFA portal. In this post, I am going to share a PowerShell script to list Office 365 users' MFA status.

List Office 365 Users MFA Status:

Before proceeding, run the following command to connect to the Azure AD PowerShell module.

Connect-MsolService

The following command lists the MFA status of all the Azure AD users.

# Start with an empty array so that += appends one row per user
$Result = @()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # State is populated only when per-user MFA has been turned on for the account
    if ($null -ne $user.StrongAuthenticationRequirements.State) {
        $mfaStatus = $user.StrongAuthenticationRequirements.State
    } else {
        $mfaStatus = "Disabled"
    }
    $Result += New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
$Result | Select UserName,UserPrincipalName,MFAStatus

Export Office 365 users' MFA status to a CSV file:

$Result | Select UserName,UserPrincipalName,MFAStatus |
Export-CSV "C:\O365-Users-MFA-Status.csv" -NoTypeInformation -Encoding UTF8

List only MFA-enabled users:

$Result | Where-Object {$_.MFAStatus -ne "Disabled"}
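
The filter above tests for -ne "Disabled" because the per-user MFA state can be "Enforced" as well as "Enabled". The following is an added example, not part of the original script, that turns the same check into a pipeline function and compares the two filters; the function name Get-MfaStateReport, the MfaRequired column and the sample users are assumptions constructed for illustration so that it runs without a tenant.

```powershell
# Added example (not from the original post). Get-MfaStateReport and MfaRequired
# are hypothetical names; the sample users are constructed test data.
function Get-MfaStateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # StrongAuthenticationRequirements is a collection. It is empty when
        # per-user MFA was never turned on, so .State evaluates to $null.
        $state = @($User.StrongAuthenticationRequirements.State) |
            Where-Object { $_ } | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        # Emit one object per user instead of growing an array with +=
        [PSCustomObject]@{
            UserName          = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = $state
            MfaRequired       = $state -in 'Enabled', 'Enforced'
        }
    }
}

# Constructed objects that mimic the properties read from Get-MsolUser output
$sampleUsers = @(
    [PSCustomObject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
                       StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' }) }
    [PSCustomObject]@{ DisplayName = 'Bob Example';   UserPrincipalName = 'bob@contoso.example'
                       StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' }) }
    [PSCustomObject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'
                       StrongAuthenticationRequirements = @() }
)

# Against a live tenant, replace $sampleUsers with: Get-MsolUser -All
$report = $sampleUsers | Get-MfaStateReport

# Count of accounts per state
$report | Group-Object MFAStatus | Select-Object Name, Count

# -eq "Enabled" silently drops accounts in the Enforced state
$report | Where-Object { $_.MFAStatus -eq 'Enabled' }
$report | Where-Object { $_.MFAStatus -ne 'Disabled' }

# Accounts to follow up on: no per-user MFA requirement at all
$report | Where-Object { -not $_.MfaRequired }
```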



  1. Great script...one question.

    Why do you use Disabled when you populate your $Result variable?
    $Result | Where-Object {$_.MFAStatus -ne "Disabled"}

    Instead, why not use:
    $Result | Where-Object {$_.MFAStatus -eq "Enabled"}

    1. Hi Tact, because the MFAStatus can have another value "Enforced" which is equivalent to Enabled