Forum Discussion
Report on users with MFA Enabled
- Feb 28, 2018
No, your users are not enabling MFA for themselves by using those URLs. That's a fact. You may have some other configuration going on.
You can try this Msolservice PowerShell query to get users' MFA status:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Thanks. For whatever reason, when I ran this with -All, it didn't return the MFA Status column. However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.
Unfortunately, this shows the same as the GUI. Users that I didn't specifically 'Enable' for MFA have gone in and set it up. I can see via the Azure portal sign-in activity log that they are in fact using MFA when they log in (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.
Get-MsolUser -EnabledFilter EnabledOnly | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
- lstevenswme (Copper Contributor), Dec 05, 2019
dbetlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only, the above script doesn't return anything. I used the following to identify users that were MFA configured:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
- fbsPaul (Copper Contributor), Jan 08, 2021
For anyone looking for the best response, this one by lstevenswme is the most complete one.
The 'best response' highlighted in this thread does not even address the question, but the command listed here that I am responding to will absolutely give you the answer you want (PhoneAppNotification vs SMS etc.).
Just to quote it again:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
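Added example, not part of any post in this thread: a PowerShell function that combines the two queries above into one report, so accounts whose per-user state reads Disabled but that have registered methods stand out. The function name, the Finding labels and the sample objects are constructed for illustration; only the Get-MsolUser property names come from the thread.

```powershell
# Added example. Input objects only need the Get-MsolUser properties used in the thread.
function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # Per-user MFA state: the collection is empty when an admin never enabled it.
        $state = @($User.StrongAuthenticationRequirements.State)[0]
        if (-not $state) { $state = 'Disabled' }

        # Methods the user registered; these exist independently of the state above.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = @($methods | Where-Object { $_.IsDefault })[0].MethodType

        $finding = if ($state -ne 'Disabled') {
            'Per-user MFA on'
        } elseif ($methods.Count -gt 0) {
            'Registered only; check Conditional Access'
        } else {
            'No MFA methods registered'
        }

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
            DefaultMethod     = if ($default) { $default } else { 'None' }
            RegisteredMethods = $methods.MethodType -join ','
            Finding           = $finding
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output, so the function runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Constructed A'; UserPrincipalName = 'a@example.test'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [pscustomobject]@{ DisplayName = 'Constructed B'; UserPrincipalName = 'b@example.test'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true }) }
    [pscustomobject]@{ DisplayName = 'Constructed C'; UserPrincipalName = 'c@example.test'
        StrongAuthenticationRequirements = @(); StrongAuthenticationMethods = @() }
)
$sample | Get-MfaRegistrationReport | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-MfaRegistrationReport | Export-Csv .\mfa-report.csv -NoTypeInformation
```

The "Registered only" rows are the accounts to compare against sign-in logs and Conditional Access policies, since neither Get-MsolUser property shows whether a policy actually prompts them.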
- Pablo R. Ortiz (Iron Contributor), Feb 28, 2018
By those URLs you are letting users configure their authentication methods, but they are not enabling MFA for their accounts. You, as an admin, will have to enable and/or enforce MFA for them.
- dbetlow (Iron Contributor), Feb 28, 2018
I had thought the same thing, but users are being prompted for MFA authentication every time after configuring it (unless connecting via the office/trusted IP), even though their status for MFA is still disabled. For now, I downloaded all of the logins into Excel and can figure out which ones are using MFA based on whether the MFA Required column is set to TRUE in any of their login attempts.
As an admin, I had asked for volunteers to turn on MFA multiple times and didn't get much response. After simply sending out the URL to have them do it themselves, it appears many users took advantage of it.
- Pablo R. Ortiz (Iron Contributor), Feb 28, 2018
Do you have any Conditional Access rule enabled?
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies