Forum Discussion
ABaerst
Feb 13, 2018 | Brass Contributor
Powershell CMDlets for MFA Settings?
Does anyone know if there are PowerShell cmdlets available to allow inspection of a user's MFA settings related to which verification options were configured and which option is considered primary? I...
Pablo R. Ortiz
Feb 13, 2018 | Steel Contributor
You have the information in the Get-MSolUser cmdlet from the MSOnline PowerShell module:
Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods
With that you get the default authentication method. There are other properties beginning with StrongAuthentication that give you other details.
Indira1390
Jan 09, 2020 | Copper Contributor
Can someone help me to export the strong authentication details to a CSV file from Azure AD for some users provided through an input file?
Thanks in advance
- SudhishSkumar | May 11, 2020 | Copper Contributor
I am using the logic below to extract user MFA details and the default method configured. We use combined registration SSPR + MFA.
# Define global variable
$Results = New-Object System.Collections.ArrayList
# Get user list from a text file, expect user name as UserPrincipalName
$Userlist = Get-Content d:\users.txt
Write-Host "Total $(($Userlist).Count) users"
# Checking each user's Strong Authentication Method
$Userlist | foreach {
    Write-Host "Checking user: $($_) MFA status....."
    $User = Get-MsolUser -UserPrincipalName $_
    $UserStrongDetails = $User.StrongAuthenticationMethods
    $UserStrongDetailsCount = $User.StrongAuthenticationMethods.Count
    # Reset for every user so a value from the previous user is never reused
    $DefaultMethod = $null
    If ($UserStrongDetails) {
        For ($i = 0; $i -lt $UserStrongDetailsCount; $i++) {
            if (($UserStrongDetails[$i].IsDefault) -eq $true) {
                $DefaultMethod = $UserStrongDetails[$i].MethodType
                break
            }
        }
        $Preresult = @{
            'AAD-DisplayName' = $user.DisplayName
            'AAD-UserPrincipalName' = $user.UserPrincipalName
            'AAD-UsageLocation' = $user.UsageLocation
            'AAD-MobilePhone' = $user.MobilePhone
            'AAD-OfficePhoneNumber' = $user.PhoneNumber
            'MFA-Mobile' = $user.StrongAuthenticationUserDetails.PhoneNumber
            'MFA-AlternativePhoneNumber' = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
            'MFA-Email' = $user.StrongAuthenticationUserDetails.Email
            'MFA-DefaultMethod' = $DefaultMethod
        }
    }
    else
    {
        # No strong authentication methods registered for this user
        $Preresult = @{
            'AAD-DisplayName' = $user.DisplayName
            'AAD-UserPrincipalName' = $user.UserPrincipalName
            'AAD-UsageLocation' = $user.UsageLocation
            'AAD-MobilePhone' = $user.MobilePhone
            'AAD-OfficePhoneNumber' = $user.PhoneNumber
            'MFA-Mobile' = "Not-Defined"
            'MFA-AlternativePhoneNumber' = "Not-Defined"
            'MFA-Email' = "Not-Defined"
            'MFA-DefaultMethod' = "Not-Defined"
        }
    }
    $Results += New-Object -TypeName PSObject -Property $Preresult
}
$Results | Select-Object AAD-DisplayName,AAD-UserPrincipalName,AAD-UsageLocation,AAD-MobilePhone,AAD-OfficePhoneNumber,MFA-Mobile,MFA-AlternativePhoneNumber,MFA-Email,MFA-DefaultMethod | Export-Csv -NoTypeInformation -Path "d:\AzureMFAUserDetails.csv"
_Sudhish Kumar
- Malik0147 | Jun 21, 2020 | Copper Contributor
SudhishSkumar, what details will this spit out? Please let me know, I'm trying to extract users' phone numbers they used in registering MFA. I found the same number on 2 different profiles, so I need to do an audit to see how many profiles like this do I have out there.
Thanks
- MichalZiemba | Oct 22, 2020 | Brass Contributor
Here is the script which should meet your requirements
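For the audit asked about above (one MFA phone number registered on more than one profile), the following is an added example, not a script posted by anyone in this thread. `Find-SharedMfaPhone` and `New-SampleUser` are hypothetical helper names, and the sample users are constructed to mirror the `StrongAuthenticationUserDetails` properties used earlier in the thread, so the block runs without a tenant connection.

```powershell
# Added example. Find-SharedMfaPhone is a hypothetical helper, not an MSOnline cmdlet.
function Find-SharedMfaPhone {
    param([Parameter(ValueFromPipeline)]$User)
    begin { $rows = New-Object 'System.Collections.Generic.List[object]' }
    process {
        $details = $User.StrongAuthenticationUserDetails
        if (-not $details) { return }   # user has no registered MFA contact details
        foreach ($field in 'PhoneNumber', 'AlternativePhoneNumber') {
            $raw = $details.$field
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Compare digits only, so spacing and punctuation differences still match
            $rows.Add([pscustomobject]@{
                Phone             = $raw -replace '\D', ''
                UserPrincipalName = $User.UserPrincipalName
            })
        }
    }
    end {
        $rows | Group-Object Phone | ForEach-Object {
            $upns = @($_.Group.UserPrincipalName | Sort-Object -Unique)
            if ($upns.Count -gt 1) {
                [pscustomobject]@{
                    Phone              = $_.Name
                    Accounts           = $upns.Count
                    UserPrincipalNames = $upns -join ';'
                }
            }
        }
    }
}

# Constructed sample objects with the same property shape the thread reads from Get-MsolUser
function New-SampleUser($Upn, $Phone, $Alt) {
    [pscustomobject]@{
        UserPrincipalName               = $Upn
        StrongAuthenticationUserDetails = [pscustomobject]@{
            PhoneNumber = $Phone; AlternativePhoneNumber = $Alt }
    }
}
$sampleUsers = @(
    (New-SampleUser 'alice@contoso.example' '+1 4255550100' $null),
    (New-SampleUser 'bob@contoso.example'   '+1 (425) 555-0100' $null),
    (New-SampleUser 'carol@contoso.example' '+1 4255550123' '+1 4255550100'),
    (New-SampleUser 'dave@contoso.example'  '+1 4255550199' $null)
)
$sampleUsers | Find-SharedMfaPhone | Format-Table -AutoSize
# Against a tenant, after Connect-MsolService:
# Get-MsolUser -All | Find-SharedMfaPhone | Export-Csv -NoTypeInformation -Path .\shared-mfa-phones.csv
```

The digits-only comparison does not reconcile a number stored with a country code against the same number stored without one; those need a normalization rule that fits the tenant's numbering.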
- fborup | May 18, 2020 | Copper Contributor
What I'm trying to do is simpler, but I'm unable to do it:
1) Read UPNs from a text file or CSV, one UPN per line
2) Set auth methods
I'm trying this one, but it does nothing:
$listacsv = import-csv c:\temp\list.txt
foreach($upn in $listacsv) {
$method1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$method1.IsDefault = $true
$method1.MethodType = "PhoneAppNotification"
$method2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$method2.IsDefault = $false
$method2.MethodType = "TwoWayVoiceMobile"
$methods = @($method1, $method2)
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $methods
}
But instead of the simple UPN, the return is:
@{testuser@MYdomain.com}
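The `@{...}` value in the post above is what `Import-Csv` produces for a file with no header row: the first line becomes the column name and each remaining line becomes an object, not a string. The following added example (not code from the thread) shows that next to a `Get-Content` based reader. `Read-UpnList` is a hypothetical helper, its pattern is only a loose shape check, and the sample file is constructed.

```powershell
# Added example. Read-UpnList is a hypothetical helper, not an MSOnline cmdlet.
function Read-UpnList {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Content yields one plain string per line; no header row is assumed
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |   # drop blank and non-UPN lines
        Sort-Object -Unique                                          # one change per account
}

# Constructed sample file: one UPN per line, no header, one blank line, one duplicate
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'upn-list-sample.txt'
Set-Content -Path $sample -Value 'testuser@MYdomain.com', 'second.user@MYdomain.com', '', 'testuser@MYdomain.com'

# Import-Csv treats line 1 as the column name and returns objects, not strings
Import-Csv -Path $sample | ForEach-Object { "Import-Csv item:   $_ [$($_.GetType().Name)]" }

# The Get-Content based reader returns strings suitable for -UserPrincipalName
foreach ($upn in (Read-UpnList -Path $sample)) {
    "Read-UpnList item: $upn [$($upn.GetType().Name)]"
    # The loop body from the post applies here unchanged, for example:
    # Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $methods
}
Remove-Item -Path $sample
```

If the file must stay with `Import-Csv`, passing `-Header UserPrincipalName` and reading `$row.UserPrincipalName` inside the loop gives the same strings.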
- Gary Long | Mar 20, 2020 | Copper Contributor
Indira1390, you first have to create your input user list using something like this:
Get-MsolUser -EnabledFilter EnabledOnly -All | Export-csv "C:\downloads\userlist.csv"
Then, you can create the MFA details for each user:
$filepath1 = Import-Csv "C:\downloads\userlist.csv"
$filepath2 = 'C:\downloads\MFA-Results.csv'
ForEach ($item in $filepath1)
{
    $user = $item.("UserPrincipalName")
    # Join the method types into one string so Export-Csv does not write "System.Object[]",
    # and report the type of the method flagged IsDefault instead of a list of booleans
    Get-MsolUser -UserPrincipalName $user | Where {$_.UserPrincipalName} | Select UserPrincipalName, DisplayName, Country, Department, Title, @{n="MFA"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType -join ';'}}, @{n="Default Method"; e={($_.StrongAuthenticationMethods | Where {$_.IsDefault}).MethodType}} | Export-Csv -Path $filepath2 -Append
}