Forum Discussion
Report Users with NO Alternative Authentication Phone
- Aug 09, 2019
Great article, however, nothing happens when the following command is run:
$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.AlternativePhoneNumber -eq $null}
List all MFA enabled users without Alternative Authentication Phone Number
Any ideas?
Hi Kevin
I do hope you are well.
Anyway, I did manage to get the following script running
List all MFA enabled users without Alternative Authentication Phone Number
However, the output lists users, including myself, that DO actually have a 2nd auth phone.
Any ideas?
- Kevin_Morgan, Aug 09, 2019, Iron Contributor
Can you run the below command (after replacing your account's UPN) to check whether the "AlternativePhoneNumber" is configured or not?
# Read the MFA alternative phone for a single account
$user = Get-MsolUser -UserPrincipalName "UserName@Domain.onmicrosoft.com"
$alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
if ($alternativePhoneNumber -ne $null) {
    Write-Host "AlternativePhoneNumber:" $alternativePhoneNumber -ForegroundColor Green
} Else {
    Write-Host "Alternative auth phone number not configured" -ForegroundColor Red
}
Note: This script extracts the 2nd auth phone number from the MFA Authentication User Details, not from the user's Alternative Mobile Number: $user.AlternateMobilePhones
- StuartK73, Aug 09, 2019, Iron Contributor
Hi Kevin
Yes this works, it displays my alternative mob number.
Can this be done tenant wide?
Stuart
- Kevin_Morgan, Aug 09, 2019, Iron Contributor
Can you try the below script to list all users without an alternative auth phone number?
$Result = @()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # MFA alternative phone, not the directory's AlternateMobilePhones
    $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    if ($alternativePhoneNumber -eq $null) {
        $Result += New-Object PSObject -property @{
            UserName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}
$Result | Select UserName,UserPrincipalName
Or you can try the below script to list only MFA enabled users without an alternative auth phone.
$Result = @()
# Keep only users with registered MFA methods or a per-user MFA state
$users = Get-MsolUser -All | Where { $_.StrongAuthenticationMethods -ne $null -or $_.StrongAuthenticationRequirements.State -ne $null }
$users | ForEach-Object {
    $user = $_
    $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    if ($alternativePhoneNumber -eq $null) {
        $Result += New-Object PSObject -property @{
            UserName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}
$Result | Select UserName,UserPrincipalName
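
An added example, not code from any post in this thread: a pipeline function that emits MFAStatus and AlternativePhoneNumber columns, so a filter like the one in the original question has properties to match on. The function name Get-MfaPhoneReport and the sample objects are constructed for illustration, and treating an empty string the same as $null is an assumption.

```powershell
# Added example: one report row per user, from objects shaped like Get-MsolUser output.
function Get-MfaPhoneReport {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$User)
    process {
        # Per-user MFA state ("Enabled"/"Enforced"); nothing is returned when no requirement is set.
        $state    = @($User.StrongAuthenticationRequirements.State)[0]
        $altPhone = $User.StrongAuthenticationUserDetails.AlternativePhoneNumber
        # Assumption: an empty or whitespace-only value means "not configured", same as $null.
        if ([string]::IsNullOrWhiteSpace($altPhone)) { $altPhone = $null }
        [PSCustomObject]@{
            UserName               = $User.DisplayName
            UserPrincipalName      = $User.UserPrincipalName
            MFAStatus              = if ($state) { $state } else { 'Disabled' }
            # Where-Object drops a $null entry so a missing property counts as 0, not 1.
            MethodsRegistered      = @($User.StrongAuthenticationMethods | Where-Object { $_ }).Count
            AlternativePhoneNumber = $altPhone
        }
    }
}

# Constructed sample objects mimicking the Get-MsolUser property layout (not real accounts).
$sample = @(
    [PSCustomObject]@{
        DisplayName = 'User A'; UserPrincipalName = 'usera@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'OneWaySMS' })
        StrongAuthenticationUserDetails  = [PSCustomObject]@{ AlternativePhoneNumber = '+1 5550100' }
    }
    [PSCustomObject]@{
        DisplayName = 'User B'; UserPrincipalName = 'userb@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'OneWaySMS' })
        StrongAuthenticationUserDetails  = [PSCustomObject]@{ AlternativePhoneNumber = '' }
    }
    [PSCustomObject]@{
        DisplayName = 'User C'; UserPrincipalName = 'userc@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
        StrongAuthenticationUserDetails  = $null
    }
)

$report = $sample | Get-MfaPhoneReport
# Against a tenant (after Connect-MsolService): $report = Get-MsolUser -All | Get-MfaPhoneReport

# MFA-enabled users with no alternative auth phone; only User B matches in the sample.
$report | Where-Object { $_.MFAStatus -ne 'Disabled' -and $null -eq $_.AlternativePhoneNumber } |
    Select-Object UserName, UserPrincipalName, MFAStatus
```

Piping the full $report to Export-Csv keeps the phone value alongside each account, which makes it easier to spot users who are listed as missing a number but expect to have one.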