Forum Discussion

vladislav2495's avatar
vladislav2495
Copper Contributor
Aug 30, 2023

How to identify if an user is enforced to enable MFA

Hello community, I see that there are 3 ways to enforce users to enable MFA: Enforce an user in the ActiveDirectory Enable security defaults policy Configure Conditional Access policies Is the...
identity protection
Multifactor Authentication
eliekarkafy's avatar
eliekarkafy
MVP
Aug 30, 2023

vladislav2495 you can enforce MFA also in case you don't have P1 license using the per user MFA 

 

you can check the MFA activities and usage from the below blade in ENTRA ID 

 

vladislav2495's avatar
vladislav2495
Copper Contributor
Aug 30, 2023
Thanks for your reply, but I need a different information of my users. I'd like to know if some of my users are enforced to enable MFA
  • eliekarkafy's avatar
    eliekarkafy
    MVP
    Aug 30, 2023

    vladislav2495 OK , try the below PowerShell script 

     

    Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
    • vladislav2495's avatar
      vladislav2495
      Copper Contributor
      Aug 30, 2023

      The MSOnline was deprecated on June 30, 2023. Ideally, I need a long term solution. 

      • eliekarkafy's avatar
        eliekarkafy
        MVP
        Aug 31, 2023

        vladislav2495 MS Online module extended until March 2024 and it may be extended more than this as well. you can find also the Microsoft graph version as well. 

         

        $clientId = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_CLIENT_SECRET"
$tenantId = "YOUR_TENANT_ID"

$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
$tokenBody = @{
    client_id     = $clientId
    scope         = $scope
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenBody
$accessToken = $tokenResponse.access_token

$usersUrl = "https://graph.microsoft.com/v1.0/users"
$users = Invoke-RestMethod -Uri $usersUrl -Headers @{ Authorization = "Bearer $accessToken" }

$users | ForEach-Object {
    $userId = $_.id
    $userPrincipalName = $_.userPrincipalName

    $mfaUserSetup = if ($_.strongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" }

    if ($_.strongAuthenticationRequirements -ne $null) {
        $mfaAdminEnforced = $_.strongAuthenticationRequirements.state
    } else {
        $mfaAdminEnforced = "Disabled"
    }

    [PSCustomObject]@{
        DisplayName       = $_.displayName
        UserPrincipalName = $userPrincipalName
        "MFA User Setup"     = $mfaUserSetup
        "MFA Admin Enforced" = $mfaAdminEnforced
    }
}

         

Resources