Forum Discussion
Identify users not using MFA
Hi Microsoft Community,
I'd like to identify users who are authenticating to our M365 tenant without MFA.
Currently we have MFA enforced by way of Conditional Access policy applying to a group. However, I'd like to verify that all users in the tenant are authenticating with MFA as I suspect there are some users, such as 'service accounts', that do not.
If I go to Sign In Logs I can see some instances of 'Single Factor Authentication' but for accounts I know and can verify are using MFA by way of our Conditional Access policy. So it would seem like I'm overlooking something, or looking in the wrong place.
TIA
- Thanks to the replies. I found the information I was looking for in the GUI, filtered and downloaded to CSV:
Entra > Protection > Authentication Methods > User Registration Details
- Hi there !!
You can run this query in your log analytics workspace.
SigninLogs
| where ResultType == 0
| where ConditionalAccessStatus == "success" // Ensure CA policy is applied successfully
| where MfaDetail !contains "MFA" // Filter out sign-ins where MFA was used
| summarize count() by UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Location
| order by count_ desc
This query ensures that the Conditional Access policy was successfully applied and filters out sign-ins where MFA was used. This should help you identify users who are authenticating without MFA more accurately.
Thanks 🙂 Try this PS:
# Connect to Azure AD
Connect-AzureAD# Get all users
$users = Get-AzureADUser -All $true# Check MFA status for each user
foreach ($user in $users) {
$mfaStatus = Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
if ($mfaStatus.Count -eq 0) {
Write-Output "$($user.UserPrincipalName) does not have MFA enabled."
}
}- Thanks to the replies. I found the information I was looking for in the GUI, filtered and downloaded to CSV:
Entra > Protection > Authentication Methods > User Registration Details
