Microsoft Tech Community
SOLVED

Report on users with MFA Enabled

Iron Contributor

We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup).  Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx).

37 Replies
We let end users pre-enroll in MFA via https://aka.ms/mfasetup, but later enable the end user for MFA. After that, the possibility to set up an app password exists.
Using Conditional Access will only let you force MFA for modern authentication; it doesn't "disable" legacy authentication with app passwords.
Or have I misunderstood this?

Disabling legacy authentication can be done with Conditional Access.

Follow these steps

  1. Create a new policy
  2. Select the users that you want this enabled on
  3. Under conditions select Client apps and only select Other clients
  4. Go to grant and select block access
  5. Save this policy

See the attached image

@Damon Betlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only the above script doesn't return anything. I used the following to identify users that were MFA configured:


Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize

For anyone looking for the best response, this one by @lstevenswme is the most complete one.

The 'best response' highlighted in this thread does not even address the question, but the command listed here that I am responding to will absolutely give you the answer you want (PhoneAppNotification vs SMS etc)

Just to quote it again:

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize

@Damon Betlow 

Very similar to what others have suggested, but puts an output "mfastatus.csv" CSV in C:\Temp


get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | Export-CSV c:\temp\mfastatus.csv -noTypeInformation


I know this is an old thread, but it came up when I was looking for the same thing. I am still a bit gun-shy on running PowerShell scripts I don't understand yet (hope to carve out time for learning PowerShell). So if you want to see MFA usage and methods in the 365 admin console, go to the Azure Active Directory admin center
https://aad.portal.azure.com/
under All services > Identity > Azure Active Directory > Monitoring > Usage & insights > Authentication methods activity.
There you can see who is MFA registered or not and what methods they used.

Just in case someone needs it, if you are using conditional access and not enforcing MFA, here's something I used to get the data for those who registered for MFA.

$reportFile = "C:\temp\output.csv";
Set-Content $reportFile "First Name,Last Name,UPN,Office,MFA Methods";
$testUser = Get-MsolUser -All;
foreach ($userObj in $testUser) {
    # StrongAuthenticationMethods is populated once the user has registered at least one method
    $mfaMethods = $userObj.StrongAuthenticationMethods | Select-Object -ExpandProperty MethodType;
    if ($mfaMethods) {
        Write-Host $userObj.UserPrincipalName" "$mfaMethods;
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),$($mfaMethods)";
    }
    else {
        Write-Host $userObj.UserPrincipalName" NONE";
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),NONE";
    }
}

@Damon Betlow 


Hi,

Sorry for the late response.
From my understanding, you wanted to know who has set it up before you forcefully enable it.

If a user sets up MFA, the value of "StrongAuthenticationMethods" will not be null.

This should help:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

What if I want to exclude BLOCKED users from the report?
@cfizz34 Can you explain what you mean by blocked users?

Hi @Damon Betlow,


I would suggest using Microsoft Graph for the reports and all other scripts if plausible.

# Install module
Install-Module Microsoft.Graph.Reports

# Or with -Force if you already have a previous version
Install-Module Microsoft.Graph.Reports -Force

# Connect to graph with Reports read rights
Connect-Graph -Scopes "reports.read.all"

# Select Beta profile (the command is available only in Beta api)
Select-MgProfile -Name "beta"

# Get MFA details from users
Get-MgReportCredentialUserRegistrationDetail


From here you can easily export them to Json or CSV if needed.


Hope this helps,

@HarriJaakkonen 


Thanks, have missed that module. 

@AliSoufi 


The sign-in status can be blocked or allowed. I want to exclude blocked users from the report.

Got it. So you just need to add a filter like this: Where-Object {$_.BlockCredential -eq $false}
The whole thing would look something like this:
Get-MsolUser -all | Where-Object {$_.BlockCredential -eq $false} | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
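The two things asked for in this thread, a per-user list of who has registered MFA and which methods, and the exclusion of sign-in-blocked accounts, can also be done against Microsoft Graph instead of the MSOnline module (which is being retired). The following is an added example, not code posted by anyone in the thread. It uses the v1.0 cmdlet Get-MgReportAuthenticationMethodUserRegistrationDetail from Microsoft.Graph.Reports, so no beta profile switch is needed (Select-MgProfile was removed in v2 of the Graph SDK), and Get-MgUser from Microsoft.Graph.Users to look up AccountEnabled, which is the Graph equivalent of BlockCredential. The scopes, the output path and the column set are assumptions; check the report permissions documented for your tenant.

```powershell
# Added example (not from the thread): MFA registration report via Microsoft Graph v1.0,
# excluding sign-in-blocked users. Assumes Microsoft.Graph.Reports and Microsoft.Graph.Users
# are installed. Scopes are an assumption based on the documented report permissions.
param(
    [string]$ReportFile = "C:\temp\mfa-registration.csv"   # constructed output path
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All"

# Build an Id -> AccountEnabled lookup. AccountEnabled -eq $false is the
# "sign-in blocked" state that BlockCredential represents in MSOnline.
$enabledById = @{}
Get-MgUser -All -Property Id, AccountEnabled | ForEach-Object {
    $enabledById[$_.Id] = $_.AccountEnabled
}

# The registration-detail report's Id is the user's object id, so it joins
# directly to the lookup above. MethodsRegistered is a string array; join it
# with ";" so that Export-Csv does not split one user across columns.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $enabledById[$_.Id] -eq $true } |
    Select-Object UserPrincipalName,
                  UserDisplayName,
                  IsAdmin,
                  IsMfaRegistered,
                  IsMfaCapable,
                  DefaultMfaMethod,
                  @{ N = "MethodsRegistered"; E = { $_.MethodsRegistered -join ";" } }

$report | Export-Csv -Path $ReportFile -NoTypeInformation

# Quick summary for the console: how many enabled users are / are not MFA registered
$report | Group-Object IsMfaRegistered | Select-Object Name, Count
```

IsMfaRegistered answers the original question (who has self-enrolled), while IsMfaCapable also covers users who can satisfy MFA through a Conditional Access policy without a classic per-user MFA state, which is the distinction between "O365 MFA" and "CA MFA" raised earlier in the thread. The IsAdmin column is worth keeping in the CSV, since administrators without a registered method are the first accounts to follow up on.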
I'm getting this...
PS C:\temp> Get-MgReportCredentialUserRegistrationDetail
Get-MgReportCredentialUserRegistrationDetail : The term 'Get-MgReportCredentialUserRegistrationDetail' is not
recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if
a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MgReportCredentialUserRegistrationDetail
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MgReportCre...istrationDetail:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Ignore... I had to enable the beta option.
This is perfect, thank you so much!!

This did it for me:

https://lazyadmin.nl/powershell/list-office365-mfa-status-powershell/

It returns 365 MFA and CA MFA status,

whilst also returning available MFA methods.