Feb 27 2018
08:35 AM
- last edited on
Jan 14 2022
05:26 PM
by
TechCommunityAP
We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup). Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx).
Nov 29 2018 07:19 AM
Dec 09 2018 06:18 AM
Disabling legacy authentication can be done with Conditional Access.
Follow these steps
See the attached image
Dec 05 2019 12:53 PM
@Damon Betlow - Your script only works if using O365 MFA. If MFA is Azure MFA via conditional access policy only, the above script doesn't return anything. I used the following to identify users that were MFA configured:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Disabled"}}} |FT -AutoSize
Jan 08 2021 01:43 PM
Mar 16 2021 12:53 PM
Very similar to what others have suggested, but puts an output "mfastatus.csv" CSV in C:\Temp
get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | Export-CSV c:\temp\mfastatus.csv -noTypeInformation
Aug 12 2021 08:28 AM
Jan 30 2022 07:30 PM - edited Jan 30 2022 07:31 PM
Just in case someone needs it, if you are using conditional access and not enforcing MFA, here's something I used to get the data for those who registered for MFA.
$reportFile = "C:\temp\output.csv"
# Write the CSV header row
Set-Content $reportFile "First Name,Last Name,UPN,Office,MFA Methods"
$testUser = Get-MsolUser -All
foreach ($userObj in $testUser) {
    # Method types the user has registered (empty if none)
    $mfaMethods = $userObj.StrongAuthenticationMethods | Select-Object -ExpandProperty MethodType
    if ($mfaMethods) {
        Write-Host "$($userObj.UserPrincipalName) $mfaMethods"
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),$($mfaMethods)"
    }
    else {
        Write-Host "$($userObj.UserPrincipalName) NONE"
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),NONE"
    }
}
Mar 11 2022 01:45 PM
Hi,
Sorry for the late response.
From my understanding you wanted to know who got it set up before you forcefully enable it.
If a user sets up MFA, the value of "StrongAuthenticationMethods" will not be null.
This should help:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Apr 19 2022 07:25 AM
Apr 19 2022 07:32 AM
Apr 19 2022 10:31 PM
Hi @Damon Betlow,
I would suggest using Microsoft Graph for the reports and all other scripts if plausible.
#Install module
install-Module Microsoft.Graph.Reports
# Or with force if you already have previous version
install-Module Microsoft.Graph.Reports -force
# Connect to graph with Reports read rights
Connect-Graph -Scopes "reports.read.all"
# Select Beta profile (the command is available only in Beta api)
Select-MgProfile -Name "beta"
# Get MFA details from users
Get-MgReportCredentialUserRegistrationDetail
From here you can easily export them to Json or CSV if needed.
Hope this helps,
Apr 19 2022 11:27 PM
Apr 20 2022 06:48 AM
The sign-in status can be blocked or allowed. I want to exclude blocked users from the report.
Apr 20 2022 06:57 AM
Apr 20 2022 07:07 AM
Feb 14 2023 02:51 AM
this did it for me
https://lazyadmin.nl/powershell/list-office365-mfa-status-powershell/
it returns 365 MFA and CA MFA status
whilst also returning available MFA methods
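Added example, not from any post in this thread: the two properties used in the replies above (StrongAuthenticationMethods for self-registration, StrongAuthenticationRequirements.State for per-user enforcement) combined into one report that also skips accounts whose sign-in is blocked. The function name and the sample users are constructed for illustration; mapping "sign-in blocked" to the BlockCredential property of Get-MsolUser output is the assumption made here.

```powershell
# Hypothetical helper (added example). Accepts objects shaped like Get-MsolUser output.
function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        # Blocked accounts are skipped unless this switch is set
        [switch]$IncludeBlocked
    )
    process {
        if ($User.BlockCredential -and -not $IncludeBlocked) { return }

        # Drop null entries so an unset property counts as "nothing registered"
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ }) |
                   Select-Object -First 1

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Registered        = $methods.Count -gt 0          # user completed self-enrollment
            DefaultMethod     = if ($default) { $default.MethodType } else { 'None' }
            AllMethods        = ($methods.MethodType -join ';')
            PerUserMfaState   = if ($req) { $req.State } else { 'Disabled' }
        }
    }
}

# Constructed sample data mimicking the properties referenced in this thread.
$sample = @(
    [pscustomobject]@{ DisplayName = 'User A'; UserPrincipalName = 'a@contoso.example'; BlockCredential = $false
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ IsDefault = $true;  MethodType = 'PhoneAppNotification' },
            [pscustomobject]@{ IsDefault = $false; MethodType = 'OneWaySMS' })
        StrongAuthenticationRequirements = @() }   # registered, not enforced per user
    [pscustomobject]@{ DisplayName = 'User B'; UserPrincipalName = 'b@contoso.example'; BlockCredential = $false
        StrongAuthenticationMethods = @()
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ DisplayName = 'User C'; UserPrincipalName = 'c@contoso.example'; BlockCredential = $true
        StrongAuthenticationMethods = @(); StrongAuthenticationRequirements = @() }   # blocked, skipped
)

$sample | Get-MfaRegistrationReport | Format-Table -AutoSize
# Against a tenant:
# Get-MsolUser -All | Get-MfaRegistrationReport | Export-Csv C:\Temp\mfastatus.csv -NoTypeInformation
```

Using Export-Csv on objects rather than Add-Content on joined strings keeps names that contain commas from shifting columns in the output file.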