Forum Discussion
vladislav2495
Aug 30, 2023, Copper Contributor
How to identify if a user is enforced to enable MFA
Hello community, I see that there are 3 ways to enforce users to enable MFA:
1. Enforce a user in the ActiveDirectory
2. Enable security defaults policy
3. Configure Conditional Access policies
Is the...
vladislav2495
Aug 30, 2023, Copper Contributor
Thanks for your reply, but I need different information about my users. I'd like to know if some of my users are enforced to enable MFA.
Aug 30, 2023
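vladislav2495 OK, try the PowerShell script below:
    # List every user with two computed columns (requires the MSOnline module)
    Get-MsolUser -All |
        Select-Object DisplayName, UserPrincipalName,
            # "Enabled" when the user has registered at least one MFA method
            @{ N = "MFA User Setup"; E = { if ($_.StrongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" } } },
            # Per-user MFA state set by an admin, or "Disabled" when none is set
            @{ N = "MFA Admin Enforced"; E = { if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } } }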
- vladislav2495, Aug 30, 2023, Copper Contributor
The MSOnline was deprecated on June 30, 2023. Ideally, I need a long-term solution.
- Aug 31, 2023
vladislav2495 The MS Online module has been extended until March 2024, and it may be extended further as well. You can also find the Microsoft Graph version:
    # App registration credentials (placeholders)
    $clientId = "YOUR_CLIENT_ID"
    $clientSecret = "YOUR_CLIENT_SECRET"
    $tenantId = "YOUR_TENANT_ID"
    # Request an app-only token with the client credentials grant
    $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    $scope = "https://graph.microsoft.com/.default"
    $tokenBody = @{
        client_id     = $clientId
        scope         = $scope
        client_secret = $clientSecret
        grant_type    = "client_credentials"
    }
    $tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenBody
    $accessToken = $tokenResponse.access_token
    # List users; the response wraps the user objects in a "value" array
    $usersUrl = "https://graph.microsoft.com/v1.0/users"
    $users = Invoke-RestMethod -Uri $usersUrl -Headers @{ Authorization = "Bearer $accessToken" }
    $users.value | ForEach-Object {
        $userId = $_.id
        $userPrincipalName = $_.userPrincipalName
        $mfaUserSetup = if ($_.strongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" }
        if ($_.strongAuthenticationRequirements -ne $null) {
            $mfaAdminEnforced = $_.strongAuthenticationRequirements.state
        } else {
            $mfaAdminEnforced = "Disabled"
        }
        # Emit one row per user
        [PSCustomObject]@{
            DisplayName          = $_.displayName
            UserPrincipalName    = $userPrincipalName
            "MFA User Setup"     = $mfaUserSetup
            "MFA Admin Enforced" = $mfaAdminEnforced
        }
    }
- vladislav2495, Aug 31, 2023, Copper Contributor
elieelkarkafi
Thanks for your reply. The strongAuthenticationMethods and strongAuthenticationRequirements fields are not available in the Graph API.
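An added example, not written by any poster in this thread: it combines the three enforcement paths from the question into one per-user answer, using the per-user state from the MSOnline script above plus the security defaults and Conditional Access policy objects that Microsoft Graph v1.0 does expose. The policies, users, group IDs and the helper names Test-Overlap and Get-MfaEnforcement are constructed for illustration; the check covers only user and group targeting, not roles, guests, applications, locations or authentication strengths.

```powershell
# Constructed sample data shaped like Microsoft Graph v1.0 responses; replace with live results from
#   GET /policies/identitySecurityDefaultsEnforcementPolicy  and  GET /identity/conditionalAccess/policies
$securityDefaults = '{"isEnabled": false}' | ConvertFrom-Json
$caPolicies = @'
[{"displayName":"Require MFA - all users","state":"enabled",
  "grantControls":{"operator":"OR","builtInControls":["mfa"]},
  "conditions":{"users":{"includeUsers":["All"],"includeGroups":[],"excludeUsers":["u3"],"excludeGroups":[]}}},
 {"displayName":"MFA or compliant device - finance","state":"enabled",
  "grantControls":{"operator":"OR","builtInControls":["mfa","compliantDevice"]},
  "conditions":{"users":{"includeUsers":[],"includeGroups":["g-fin"],"excludeUsers":[],"excludeGroups":[]}}},
 {"displayName":"Require MFA - break-glass (report-only)","state":"enabledForReportingButNotEnforced",
  "grantControls":{"operator":"OR","builtInControls":["mfa"]},
  "conditions":{"users":{"includeUsers":["u3"],"includeGroups":[],"excludeUsers":[],"excludeGroups":[]}}}]
'@ | ConvertFrom-Json
# Constructed users: PerUserState stands for the "MFA Admin Enforced" column of the MSOnline script
$users = @(
    [pscustomobject]@{ Id = 'u1'; Upn = 'alice@contoso.example'; Groups = @();        PerUserState = 'Disabled' }
    [pscustomobject]@{ Id = 'u2'; Upn = 'bob@contoso.example';   Groups = @('g-fin'); PerUserState = 'Enforced' }
    [pscustomobject]@{ Id = 'u3'; Upn = 'bg@contoso.example';    Groups = @();        PerUserState = 'Disabled' }
)

# True when the two ID lists share at least one entry
function Test-Overlap($a, $b) { [bool]($a | Where-Object { $b -contains $_ }) }

function Get-MfaEnforcement($User, $Policies, $Defaults) {
    $sources = @()
    if ($User.PerUserState -in 'Enabled', 'Enforced') { $sources += "Per-user MFA ($($User.PerUserState))" }
    if ($Defaults.isEnabled) { $sources += 'Security defaults' }
    foreach ($p in $Policies) {
        $g = $p.grantControls; $u = $p.conditions.users
        # Only enforced policies count; report-only and disabled policies require nothing
        if ($p.state -ne 'enabled' -or $g.builtInControls -notcontains 'mfa') { continue }
        # With operator OR and several controls, MFA is only one of the accepted options
        if ($g.operator -eq 'OR' -and @($g.builtInControls).Count -gt 1) { continue }
        $included = ($u.includeUsers -contains 'All') -or ($u.includeUsers -contains $User.Id) -or
                    (Test-Overlap $User.Groups $u.includeGroups)
        $excluded = ($u.excludeUsers -contains $User.Id) -or (Test-Overlap $User.Groups $u.excludeGroups)
        if ($included -and -not $excluded) { $sources += "CA: $($p.displayName)" }
    }
    [pscustomobject]@{ UserPrincipalName = $User.Upn; MfaRequired = [bool]$sources; EnforcedBy = $sources -join '; ' }
}

$users | ForEach-Object { Get-MfaEnforcement $_ $caPolicies $securityDefaults }
```

With the constructed data, the third account comes back with MfaRequired False: it is excluded from the tenant-wide policy and the only policy that names it is report-only.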