Forum Discussion

pthoptho
Copper Contributor
Sep 18, 2024

Identify users not using MFA

Hi Microsoft Community,

I'd like to identify users who are authenticating to our M365 tenant without MFA.

Currently we have MFA enforced by way of Conditional Access policy applying to a group. However, I'd like to verify that all users in the tenant are authenticating with MFA as I suspect there are some users, such as 'service accounts', that do not.

If I go to Sign In Logs I can see some instances of 'Single Factor Authentication' but for accounts I know and can verify are using MFA by way of our Conditional Access policy. So it would seem like I'm overlooking something, or looking in the wrong place.

TIA

  • Ankit
    Brass Contributor
    Hi there !!

    You can run this query in your log analytics workspace.

    SigninLogs
    | where ResultType == 0 // Successful sign-ins only
    | where ConditionalAccessStatus == "success" // Ensure CA policy is applied successfully
    | where AuthenticationRequirement == "singleFactorAuthentication" // Filter out sign-ins where MFA was used
    | summarize count() by UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Location
    | order by count_ desc

    This query ensures that the Conditional Access policy was successfully applied and filters out sign-ins where MFA was used. This should help you identify users who are authenticating without MFA more accurately.

    Thanks 🙂
  • pthoptho

    Try this PS:

    # Connect to Azure AD, and to the MSOnline service that Get-MsolUser needs
    Connect-AzureAD
    Connect-MsolService

    # Get all users
    $users = Get-AzureADUser -All $true

    # Check MFA status for each user
    foreach ($user in $users) {
        # StrongAuthenticationMethods is empty when no MFA method is registered
        $mfaStatus = Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if (@($mfaStatus).Count -eq 0) {
            Write-Output "$($user.UserPrincipalName) does not have MFA enabled."
        }
    }

  • pthoptho
    Copper Contributor
    Thanks to the replies. I found the information I was looking for in the GUI, filtered and downloaded to CSV:

    Entra > Protection > Authentication Methods > User Registration Details
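
Added example, not part of the thread: the User Registration Details report from the last reply can also be pulled with Microsoft Graph PowerShell and cross-checked against the group the Conditional Access policy applies to, so accounts outside that group (such as service accounts) show up alongside accounts with no usable MFA method. It uses the Graph SDK because the AzureAD and MSOnline modules in the earlier reply are deprecated. Assumptions: the Microsoft.Graph.Reports and Microsoft.Graph.Groups modules are installed, the signed-in account can consent to the two scopes shown, and the group ID and output path are placeholders.

```powershell
# Added example, not from the thread. Placeholders (assumptions):
$CaGroupId = '<object-id-of-the-group-targeted-by-the-MFA-policy>'
$OutFile   = '.\mfa-gaps.csv'

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'GroupMember.Read.All'

# Object IDs of everyone the Conditional Access policy reaches,
# including members of nested groups.
$covered = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-MgGroupTransitiveMember -GroupId $CaGroupId -All |
    ForEach-Object { [void]$covered.Add($_.Id) }

# Same data as the "User registration details" blade in the Entra portal.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            UserType          = $_.UserType
            IsAdmin           = $_.IsAdmin
            IsMfaRegistered   = $_.IsMfaRegistered
            IsMfaCapable      = $_.IsMfaCapable
            InCaGroup         = $covered.Contains($_.Id)
            MethodsRegistered = $_.MethodsRegistered -join ';'
        }
    }

# A user is a gap if the policy does not reach them
# or they have no MFA method they could actually use.
$gaps = $report | Where-Object { -not $_.InCaGroup -or -not $_.IsMfaCapable }

$gaps | Sort-Object InCaGroup, UserPrincipalName |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

'{0} of {1} users are outside the group or not MFA capable' -f @($gaps).Count, @($report).Count
```

Registration data shows which accounts could satisfy an MFA prompt, not which sign-ins were actually challenged, so it complements the sign-in log query rather than replacing it.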
