Report on users with MFA Enabled


We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (  Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (



25 Replies
We let enduser pre-enroll MFA via, but later Enable the enduser for MFA. After that, the possibilty to setup apppassword exists.
Using Conditional access will only let you force MFA for modern authentication, it doesn´t "disable" legacy authentication with apppasswords.
Or have I missunderstood this?

Disabling legacy authentication can be done with Conditional Access.

Follow these steps

  1. Create a new policy
  2. Select the users that you want this enabled on
  3. Under conditions select Client apps and only select Other clients
  4. Go to grant and select block access
  5. Save this policy

See the attached image

@Damon Betlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only the above script doesn't return anything. I used the following to identify users that were MFA configured:


Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize

For anyone looking for the best response, this one by @lstevenswme is the most complete one.

The 'best response' highlighted in this thread does not even address the question, but the command listed here that I am responding to will absolutely give you the answer you want (PhoneAppNotification vs SMS etc)

Just to quote it again:

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize

@Damon Betlow 

Very similar to what others have suggested, but puts an output "mfastatus.csv" CSV in C:\Temp


get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | Export-CSV c:\temp\mfastatus.csv -noTypeInformation



I know this is an old thread but this thread came up when I was looking for the same. I am still a bit gun-shy on running powershell scripts I dont understand yet (hope to carve out time for learning powershell). So if you want to see MFA usage and methods in the 365 admin console If you go to Azure Active Directory admin center
under all services/identity/azure active directory/monitoring/Usage & insights/Authentication methods activity.
There you can see who is MFA registered or not and what methods they used.