I stumbled upon this article, and this script is wrong at its core.
There is a difference between having StrongAuthenticationMethods configured and enabling MFA. You can register an alternate email or phone number without MFA being enforced or enabled.
Whether a user is MFA enabled or not is stored in the State of StrongAuthenticationRequirements.
For example:
# $UserObject is the user being checked; State is empty when MFA is not enabled
$Req = (Get-MsolUser -UserPrincipalName $UserObject.UserPrincipalName).StrongAuthenticationRequirements
if (($Req.State -eq "Enabled") -or ($Req.State -eq "Enforced")) {
    Write-Host "MFA Enabled or Enforced"
}
I even suspect that this bug is present in the Extension for Azure MFA v1.0.1.35 (8/17/2020) because we see the same behavior when we use the NPS extension. It sends an MFA challenge even if MFA isn't enabled/enforced.
(https://www.microsoft.com/en-us/download/details.aspx?id=54688)
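
The distinction drawn in the comment above, as an added example that is not part of the original comment or the article's script: it reports users who have methods registered but no Enabled/Enforced state separately from users who really are MFA enabled. The function name `Get-MfaStatus`, the `RegisteredOnly` label and the sample users are assumptions made up for illustration; the input objects only mimic the two `Get-MsolUser` properties discussed.

```powershell
# Added example: classify per-user MFA from StrongAuthenticationRequirements (state)
# versus StrongAuthenticationMethods (registration only).
function Get-MfaStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Where-Object { $_ } drops $null so an absent property counts as zero entries.
        $reqs    = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $states  = @($reqs | ForEach-Object { $_.State })

        # Only the requirement state decides whether MFA is on.
        if     ($states -contains 'Enforced') { $status = 'Enforced' }
        elseif ($states -contains 'Enabled')  { $status = 'Enabled' }
        elseif ($methods.Count -gt 0)         { $status = 'RegisteredOnly' }
        else                                  { $status = 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaStatus         = $status
            MethodCount       = $methods.Count
        }
    }
}

# Constructed sample users (not real data), shaped like Get-MsolUser output.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification' })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'bob@example.com'
        StrongAuthenticationRequirements = @()   # phone registered, MFA never enabled
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS' })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'carol@example.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
    }
)

$sample | Get-MfaStatus | Format-Table -AutoSize
# Against a tenant: Get-MsolUser -All | Get-MfaStatus
```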