Forum Discussion
Report on users with MFA Enabled
- Feb 28, 2018
No, your users are not enabling MFA for themselves by using those URLs. That's a fact. You may have some other configuration going on.
Thanks. For whatever reason, when I ran this with -All, it didn't return the MFA Status column. However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.
Unfortunately, this shows the same as the GUI. Users that I didn't specifically 'Enable' for MFA have gone in and set it up. I can see via the Azure portal sign-in activity log that they are in fact using MFA when they log in (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.
Get-MsolUser -EnabledFilter EnabledOnly | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
dbetlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only, the above script doesn't return anything. I used the following to identify users that were MFA configured:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
- fbsPaul, Copper Contributor, Jan 08, 2021
For anyone looking for the best response, this one by lstevenswme is the most complete one.
The 'best response' highlighted in this thread does not even address the question, but the command listed here that I am responding to will absolutely give you the answer you want (PhoneAppNotification vs SMS etc).
Just to quote it again:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
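Added example, not part of any post in this thread: the two commands above read different properties, so this sketch reports both side by side, which separates users with per-user MFA enabled from users who have only registered a method (for example under a conditional access policy). The function name Get-MfaReportRow and the sample users are constructed for illustration; the property names are the ones used in the posts above.

```powershell
# Added example: per-user MFA state and registered default method in one row.
function Get-MfaReportRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        # Per-user state (Enabled/Enforced); empty when MFA is not set per user.
        $state = $User.StrongAuthenticationRequirements | Where-Object { $_ } |
            Select-Object -First 1 -ExpandProperty State
        # Methods the user has registered; IsDefault marks the one used at sign-in.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            PerUserState      = if ($state) { $state } else { 'Disabled' }
            DefaultMethod     = if ($default) { $default.MethodType } else { 'None' }
            Registered        = ($methods.Count -gt 0)
        }
    }
}

# Constructed sample objects so the function can be tried offline.
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ IsDefault = $true;  MethodType = 'PhoneAppNotification' },
            [pscustomobject]@{ IsDefault = $false; MethodType = 'OneWaySMS' })
    },
    [pscustomobject]@{   # registered a method, but not enabled per user
        DisplayName = 'Bob Example'; UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @([pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' })
    },
    [pscustomobject]@{   # nothing registered
        DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @()
    }
)
$sample | Get-MfaReportRow | Format-Table -AutoSize

# Against a tenant (MSOnline module, after Connect-MsolService):
# Get-MsolUser -All | Get-MfaReportRow | Where-Object { -not $_.Registered }
```

Rows with PerUserState 'Disabled' and Registered True correspond to the users described earlier in the thread who set up MFA without being specifically enabled; the commented filter lists accounts with no method registered at all.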