Forum Discussion

dbetlow's avatar
dbetlow
Iron Contributor
Feb 27, 2018
Solved

Report on users with MFA Enabled

We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup).  Looking at the status of users who I know have enabled...
Azure Active Directory (AAD)
  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Feb 28, 2018

    No, your users are not enabling MFA for themselves by using those URLs, That's a fact. You may have some other configuration going on.

Manidurai Mohanamariappan's avatar
Manidurai Mohanamariappan
Iron Contributor
Feb 28, 2018

You can try this Msolservice PowerShell query to get users MFA Status 

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

 

dbetlow's avatar
dbetlow
Iron Contributor
Feb 28, 2018

Thanks.  For whatever reason, when I ran this with -All, it didn't return the MFA Status column.  However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.

 

Unfortunately, this shows the same as the GUI.  Users that I didn't specifically 'Enable' for MFA have gone in and set it up.  I can see via the Azure portal sign-in activity log, that they are in fact using MFA when they login (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.

 

Get-MsolUser -EnabledFilter EnabledOnly | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} e
lse { "Disabled"}}}
  • lstevenswme's avatar
    lstevenswme
    Copper Contributor
    Dec 05, 2019

    dbetlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only the above script doesn't return anything. I used the following to identify users that were MFA configured:

     

    Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize

    • fbsPaul's avatar
      fbsPaul
      Copper Contributor
      Jan 08, 2021
      For anyone looking for the best response, this one by lstevenswme is the most complete one.

      The 'best response' highlighted in this thread does not even address the question, but the command listed here that I am responding to will absolutely give you the answer you want (PhoneAppNotification vs SMS etc)

      Just to quote it again:

      Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Iron Contributor
    Feb 28, 2018

    By those URLs you are letting users configure their authentication methods, but they are not enabling MFA for their accounts. You, as an admin, will have to enable and/or enforce MFA for them.

    • dbetlow's avatar
      dbetlow
      Iron Contributor
      Feb 28, 2018

      I had thought the same thing, but users are being prompted for MFA authentication every time after configuring it (unless connecting via the office/trusted IP), even though their status for MFA is still disabled.  For now, I downloaded all of the logins into Excel and can figure out which ones are using MFA based on whether the MFA Required column is set to TRUE in any of their login attempts.

       

      As an admin, I had asked for volunteers to turn on MFA multiple times and didn't get much response.  After simply sending out the URL to have them do it themselves, it appears many users took advantage of it.  

Resources