SOLVED
Home

PowerShell to get a list of Office 365 users with MFA enabled

%3CLINGO-SUB%20id%3D%22lingo-sub-422173%22%20slang%3D%22en-US%22%3EPowerShell%20to%20get%20a%20list%20of%20Office%20365%20users%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-422173%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20report%20on%20Office%20365%20with%20MFA%20enabled.%20Found%20the%20script%20online%20and%20the%20post%20here%20to%20get%20those%20users%20using%20the%20cmdlet%20below%3A%3CBR%20%2F%3EGet-MsolUser%20-All%20%7C%20Where%20%7B%24_.StrongAuthenticationMethods%20-ne%20%24null%7D%3C%2FP%3E%3CP%3Eor%3C%2FP%3E%3CP%3E%3CSPAN%3EGet-MsolUser%20-All%20%7C%20Where%20%7B%24_.StrongAuthenticationMethods%20-like%20%22*%22%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHowever%20this%20is%20not%20quite%20accurate.%20I%20have%20noticed%20that%20users%20who%20don't%20have%20MFA%20enabled%2C%20but%20have%20joined%20their%20Windows%2010%20machine%20to%20Azure%20AD%20(During%20this%20process%20Microsoft%20requires%20them%20to%20put%20a%20phone%20number%20and%20verify%20before%20they%20can%20set%20a%20PIN)%2C%20have%20their%20StrongAuthenticationMethods%20property%20filled%20in.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20there%20a%20way%20to%20filter%20them%20out%20and%20find%20the%20users%20with%20truly%20MFA%20enabled%20please%3F%20Appreciate%20your%20replies.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMadhu%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-422173%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-422988%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20to%20get%20a%20list%20of%20Office%20365%20users%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-422988%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20Azure%20AD%20join%20serves%20as%20a%20form%20of%20MFA%2C%20so%20it's%20not%20that%20inaccurate.%20But%20if%20you%20only%20want%20to%20cover%20the%20%22traditional%22%20MFA%2C%20check%20the%20value%20of%20the%20%22state%22%20parameter%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E(Get-MsolUser%20-SearchString%20huku).StrongAuthenticationRequirements.State%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432731%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20to%20get%20a%20list%20of%20Office%20365%20users%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432731%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%20Thank%20you%20very%20much.%20That%20is%20perfect.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Madhu Perera
Occasional Contributor

Hi Team,

 

I am trying to report on Office 365 with MFA enabled. Found the script online and the post here to get those users using the cmdlet below:
Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -ne $null}

or

Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -like "*"}

 

However this is not quite accurate. I have noticed that users who don't have MFA enabled, but have joined their Windows 10 machine to Azure AD (During this process Microsoft requires them to put a phone number and verify before they can set a PIN), have their StrongAuthenticationMethods property filled in. 

 

Is there a way to filter them out and find the users with truly MFA enabled please? Appreciate your replies.

 

Thank you

Madhu

2 Replies
Solution

Well, Azure AD join serves as a form of MFA, so it's not that inaccurate. But if you only want to cover the "traditional" MFA, check the value of the "state" parameter:

 

(Get-MsolUser -SearchString huku).StrongAuthenticationRequirements.State

Highlighted

@Vasil Michev  Thank you very much. That is perfect.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies