Forum Discussion

jameswonderguy
Copper Contributor
Mar 26, 2024

How to obtain a list of user accounts with admin roles and not registered for MFA?

Hi,

In order to address the secure score remediation "Ensure multifactor authentication is enabled for all users in administrative roles", it needs to be found out which user accounts with admin roles are "MFA capable" but have "not registered" for MFA.

Since this is an extremely common and must-have setting, I would imagine the options are readily available somewhere, but I cannot find them. Is there any page within the Entra ID portal that can be used to export such a list of user accounts?

Thanks

James

2 Replies

  • tlakshmanan
    Copper Contributor

    Hello jameswonderguy,

    You can use a PowerShell script to retrieve the member details of Entra ID administrator roles and generate a report. Currently, it's not possible to generate a report using the Entra ID portal GUI. The PowerShell script below allows you to fetch the necessary details and create the report.

    #Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns

    # Function to list the registered authentication methods of a specific user
    function Parse-MFAAuthenticationMethodDetails 
    {
        param (
            [string]$UserId
        )
    
        # Get the authentication method details for the specified user
        $MFAAuthenticationMethods = Get-MgUserAuthenticationMethod -UserId $UserId | Select-Object -ExpandProperty AdditionalProperties
    
        # Initialize array to store method names
        $MethodNames = @()
    
        # Loop through each authentication method and extract the method name
        foreach ($Method in $MFAAuthenticationMethods) 
        {
            $MethodName = $Method.'@odata.type' -replace '^#microsoft\.graph\.', ''
    
            # Every cloud user has a passwordAuthenticationMethod entry. A password is not an
            # MFA method, so it must be excluded; otherwise the list is never empty and no
            # user would ever be reported as "Not registered for MFA".
            if ($MethodName -ne 'passwordAuthenticationMethod') 
            {
                $MethodNames += $MethodName
            }
        }
    
        # Join method names into a single string separated by semicolons
        $MethodNamesString = $MethodNames -join '; '
    
        # Return the method names string (empty when only a password is registered)
        $MethodNamesString
    }
    
    # Connect to Microsoft Graph. UserAuthenticationMethod.Read.All is required by
    # Get-MgUserAuthenticationMethod; AuditLog.Read.All is required to read SignInActivity.
    Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"
    
    # Parameters
    $CurrentDateTime = Get-Date -Format "yyyyMMdd-HHmmss"
    $OutputFolder = "C:\Temp"

    # Get-MgDirectoryRole only returns roles that have been activated in the tenant,
    # i.e. roles that have (or once had) at least one assignment
    $AdminRoles = Get-MgDirectoryRole
    
    # Properties to retrieve user details
    $UserProperties = @(
        'Id','DisplayName','Mail','UserType','CreatedDateTime','Department','UserPrincipalName','AccountEnabled','SignInActivity'
    )
    
    # Initialize an array to store the results
    $results = @()
    
    # Loop through each admin role
    foreach ($Role in $AdminRoles) 
    {
        # Get the members assigned to the current admin role
        $RoleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id
        foreach ($Member in $RoleMembers) 
        {
            # Role members can also be groups or service principals. Get-MgUser fails on those,
            # and only user objects have MFA registration, so skip anything that is not a user.
            if ($Member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') 
            {
                continue
            }

            # Get user details
            $UserDetails = Get-MgUser -UserId $Member.Id -Property $UserProperties
    
            # Process each user detail
            foreach ($User in $UserDetails) 
            {
                # Get MFA authentication method details for the user, addressed by object Id
                # rather than UPN so that guest UPNs containing #EXT# need no special handling
                $MFAAuthenticationMethodNames = Parse-MFAAuthenticationMethodDetails -UserId $User.Id
                            
                # Collect data
                $results += [PSCustomObject]@{
                    RoleID                        = $Role.Id
                    RoleDisplayName               = $Role.DisplayName
                    RoleMemberDisplayName         = $User.DisplayName
                    MemberUPN                     = $User.UserPrincipalName
                    MemberMail                    = $User.Mail
                    UserType                      = $User.UserType
                    AccountEnabled                = $User.AccountEnabled
                    CreatedDateTime               = $User.CreatedDateTime
                    Department                    = $User.Department
                    LastSuccessfulSignInDateTime  = if ($User.SignInActivity.LastSuccessfulSignInDateTime) { $User.SignInActivity.LastSuccessfulSignInDateTime } else {"null"}
                    LastSignInDate                = if ($User.SignInActivity.LastSignInDateTime) { $User.SignInActivity.LastSignInDateTime } else {"null"}
                    LastNonInteractiveSignInDate  = if ($User.SignInActivity.LastNonInteractiveSignInDateTime) { $User.SignInActivity.LastNonInteractiveSignInDateTime } else {"null"}
                    MFARegistrationMethod         = if ($MFAAuthenticationMethodNames) { $MFAAuthenticationMethodNames } else {"Not registered for MFA"}
                }
            }
        }
    }
    
    # Export the results to CSV (create the output folder first so Export-Csv does not fail)
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $results | Export-Csv -Path "$OutputFolder\EntraID_AdministratorRoleMembers_MFA_Registration_Report_$CurrentDateTime.csv" -NoTypeInformation -Force

  • Temitope_Victoria

    Hi jameswonderguy,

    I am an Independent Advisor answering questions about Identity.
    To find the list of users with admin roles not registered for MFA, follow these steps:

    1. Sign in to the Microsoft Entra admin center as a Global Administrator.
    2. Select Microsoft Entra ID.
    3. Navigate to Users > All users > Per-User MFA.
    4. With it, you can sort the admin roles and see the MFA Status.

    If you find this information helpful, please mark it as best response which will assist others with the same question.

    /Temitope Victoria
    #temitopevictoriacompany
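The "MFA capable" and "registered" flags the question refers to are columns of the authentication methods registration details report, which Microsoft Graph exposes directly. The script below is an added example, not code from either reply above. It assumes the Microsoft.Graph.Reports module is installed, that the tenant is licensed for the registration report (Entra ID P1 or P2), and that the signed-in account holds a role able to read it (a reader role such as Reports Reader or Global Reader is assumed here); the output file name is an arbitrary choice.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

# Added example (not from the thread). Assumes Microsoft.Graph.Reports is installed, the tenant
# is licensed for the registration report (Entra ID P1/P2) and the signed-in account holds a
# role that can read it (e.g. Reports Reader or Global Reader).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# The registration details report backs the "User registration details" page under
# Authentication methods > Activity. One row per user, with IsAdmin, IsMfaCapable and
# IsMfaRegistered already computed by the service, so no per-user Graph calls are needed.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Admin-role holders who have not registered any MFA method
$adminsWithoutMfa = $registration | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }

# Shape the rows; MethodsRegistered is a string array, so join it for CSV output
$columns = @(
    'UserPrincipalName', 'UserDisplayName', 'UserType', 'IsMfaCapable', 'IsMfaRegistered',
    @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join '; ' } },
    'LastUpdatedDateTime'
)
$report = $adminsWithoutMfa | Select-Object -Property $columns

# Summary to the console, full detail to a timestamped CSV (file name is an arbitrary choice)
$adminCount = @($registration | Where-Object { $_.IsAdmin }).Count
Write-Host ("{0} of {1} admin-role holders are not registered for MFA" -f @($report).Count, $adminCount)
$report | Format-Table -AutoSize

$Stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$report | Export-Csv -Path ".\EntraID_Admins_NotRegisteredForMFA_$Stamp.csv" -NoTypeInformation
```

Unlike the script in the first reply, this does not enumerate role memberships itself: IsAdmin is computed by the service and the report carries no role names. If the remediation ticket needs to say which role each unregistered account holds, cross-reference the UPNs with the Get-MgDirectoryRoleMember output from that script.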