Tuesday, 5 June 2018

Find and List MFA Enabled Status of Office 365 Users using Powershell

Multi-Factor Authentication (MFA) is an Azure AD authentication method that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can enable MFA for Azure AD users from the Azure MFA portal. In this post I share a PowerShell script that lists the MFA status of Office 365 users.

List All Office 365 Users MFA Status:

Before you proceed, make sure the MSOnline module is installed (Install-Module MSOnline) and run the following command to connect to Azure AD. Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell SDK, but the property it exposes for per-user MFA is still the simplest way to see this state.
Connect-MsolService
The following script lists the MFA status of all Azure AD users. It reads the per-user MFA requirement (StrongAuthenticationRequirements), whose State is "Enabled" or "Enforced"; a user who is only challenged for MFA through a Conditional Access policy has no per-user requirement and will show as "Disabled" here even if they have registered verification methods.
$Result = @()
# Get-MsolUser -All returns every user; without -All the cmdlet returns only the first 500
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # StrongAuthenticationRequirements holds the per-user MFA requirement. State is
    # "Enabled" or "Enforced" when MFA has been turned on; the collection is empty otherwise
    if ($null -ne $user.StrongAuthenticationRequirements.State) {
        $mfaStatus = $user.StrongAuthenticationRequirements.State
    } else {
        $mfaStatus = "Disabled"
    }

    $Result += New-Object PSObject -Property @{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $mfaStatus
    }
}
$Result | Select-Object UserName, UserPrincipalName, MFAStatus
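The script above reports only whether a per-user MFA requirement exists. The following script is an added example (not part of the original post) that extends it in two ways a security review usually needs: it reads the registered verification methods from StrongAuthenticationMethods, so that a "Disabled" state can be told apart from "nothing registered at all", and it flags members of the Global Administrator role (called "Company Administrator" in MSOnline) that have no per-user MFA requirement. It assumes Connect-MsolService has already been run in the session; the Finding labels and the output path are this example's own choices.

```powershell
# Added example, not from the original post. Audit per-user MFA state together with
# the registered verification methods, and flag Global Administrators without MFA.
# Assumes Connect-MsolService has already been run in this session.

# Resolve the Global Administrator role ("Company Administrator" in MSOnline) and
# its user members once, keyed by ObjectId, so the per-user loop only does a lookup.
$adminRole    = Get-MsolRole -RoleName "Company Administrator"
$adminMembers = @{}
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object { $adminMembers[$_.ObjectId.ToString()] = $true }

# Guests are excluded: their MFA is governed by their home tenant or by Conditional Access.
$Report = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" } | ForEach-Object {
    $user = $_

    # Per-user MFA requirement: "Enabled" / "Enforced", or empty when never set.
    # Empty does NOT prove the user is never challenged: MFA required by a
    # Conditional Access policy is not reflected in StrongAuthenticationRequirements.
    $state = $user.StrongAuthenticationRequirements.State
    if (-not $state) { $state = "Disabled" }

    # Registered verification methods, e.g. PhoneAppNotification, PhoneAppOTP,
    # OneWaySMS, TwoWayVoiceMobile. Populated however the user registered.
    $methods = $user.StrongAuthenticationMethods
    $default = ($methods | Where-Object { $_.IsDefault }).MethodType

    $isAdmin = $adminMembers.ContainsKey($user.ObjectId.ToString())

    # Finding labels are this example's own; rank the privileged gaps first.
    if ($isAdmin -and $state -eq "Disabled" -and -not $methods) {
        $finding = "ADMIN WITHOUT MFA"
    } elseif ($isAdmin -and $state -eq "Disabled") {
        $finding = "Admin has methods but no per-user requirement (verify Conditional Access)"
    } elseif ($state -ne "Disabled" -and -not $methods) {
        $finding = "MFA required but no method registered yet"
    } else {
        $finding = ""
    }

    [PSCustomObject]@{
        UserName          = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus         = $state
        RegisteredMethods = ($methods.MethodType -join ";")
        DefaultMethod     = $default
        IsGlobalAdmin     = $isAdmin
        Finding           = $finding
    }
}

# Full report for the records (path is an assumption for this example)
$Report | Export-Csv "C:\O365-MFA-Audit.csv" -NoTypeInformation -Encoding UTF8

# Console view of anything that needs action, admins first
$Report | Where-Object { $_.Finding } | Sort-Object IsGlobalAdmin -Descending |
    Format-Table UserPrincipalName, MFAStatus, RegisteredMethods, IsGlobalAdmin, Finding -AutoSize
```

An account that shows "Disabled" with no registered methods is the one to act on first; an account that shows "Disabled" but does have registered methods is usually covered by Conditional Access, which you should confirm in the Azure AD portal rather than infer from this output.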

List Set of Users MFA Status from CSV:

You can use the script below to check the MFA status of a particular set of users (for example, newly created users) by importing them from a CSV file. Consider the CSV file Office365Users.csv, which lists O365 users under the column header UserPrincipalName.
$Result = @()
# Read and iterate the CSV file; each row must have a UserPrincipalName column
Import-Csv 'C:\Office365Users.csv' | ForEach-Object {
    # Read UserPrincipalName field from CSV row
    $upn = $_."UserPrincipalName"
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($null -ne $user) {
        if ($null -ne $user.StrongAuthenticationRequirements.State) {
            $mfaStatus = $user.StrongAuthenticationRequirements.State
        } else {
            $mfaStatus = "Disabled"
        }
    } else {
        # A typo in the CSV or a deleted account is reported rather than silently counted as "Disabled"
        $mfaStatus = "User not found"
    }

    $Result += New-Object PSObject -Property @{
        UserName          = $user.DisplayName   # empty when the user was not found
        UserPrincipalName = $upn
        MFAStatus         = $mfaStatus
    }
}
$Result | Select-Object UserName, UserPrincipalName, MFAStatus

Export Office 365 users' MFA status to a CSV file:

$Result | Select-Object UserName, UserPrincipalName, MFAStatus |
Export-Csv "C:\O365-Users-MFA-Status.csv" -NoTypeInformation -Encoding UTF8

List only MFA enabled users:

Per-user MFA has two active states, "Enabled" and "Enforced", so exclude the two inactive values instead of matching "Enabled" alone:
$Result | Where-Object {$_.MFAStatus -ne "Disabled" -and $_.MFAStatus -ne "User not found"}


5 comments:

  1. Great script...one question.

    Why do you use Disabled when you populate your $Result variable?
    $Result | Where-Object {$_.MFAStatus -ne "Disabled"}

    Instead, why not use:
    $Result | Where-Object {$_.MFAStatus -eq "Enabled"}

    1. Hi Tact, because MFAStatus can have another value, "Enforced", which is equivalent to Enabled.

  2. Why would a user's MFA status be showing as not set, but when I pull their MFA settings I can see that they have set up MFA?

  3. Can you adapt this script to use an input CSV file to list specific users' MFA status?

    1. Hi,

      I have added another script to check the MFA status of bulk users by importing them from a CSV file. You can check it now.
