Report on MFA Status with Conditional Access


Is there any effective way to get a report of the actual MFA state of your users?

I mean, the individual MFA state as well as MFA enabled via Conditional Access.

It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced...


However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them.


The PowerShell snippet below is the closest I can get.
It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that.

But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not member of a Conditional Access policy.


There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I've been enabled for the last 6 years.

Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade


Has anyone figured this out yet?

# Requires the MSOnline module and an existing session (Connect-MsolService)
$user = Get-MsolUser -UserPrincipalName yourUserName@contoso.com

# Registered strong authentication methods and which one is the default
$StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault

[PSCustomObject]@{
  UserPrincipalName             = $user.UserPrincipalName
  ObjectID                      = $user.ObjectId
  DisplayName                   = $user.DisplayName
  AuthEmail                     = $user.StrongAuthenticationUserDetails.Email
  AuthPhoneNumber               = $user.StrongAuthenticationUserDetails.PhoneNumber
  PhoneDeviceName               = $user.StrongAuthenticationPhoneAppDetails.DeviceName
  AuthAltPhone                  = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber

  # Per-user MFA state wins; otherwise a registered default method is taken as a hint that
  # MFA is driven by Conditional Access (this is the inaccurate part described above)
  State                         = if ($null -ne $user.StrongAuthenticationRequirements.State) { $user.StrongAuthenticationRequirements.State } elseif ($user.StrongAuthenticationMethods.IsDefault -eq $true) { "ConditionalAccess ($(($user.StrongAuthenticationMethods | Where-Object IsDefault -eq $true).MethodType))" } else { "Disabled" }

  # For each method type: is it registered, and is it the default?
  # Note: the "IsDefault" checks filter on the same MethodType as the registration check
  PhoneAppNotification          = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }) { $true } else { $false }
  PhoneAppNotificationIsDefault = if (($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).IsDefault -eq $true) { $true } else { $false }

  PhoneAppOTP                   = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }) { $true } else { $false }
  PhoneAppOTPIsDefault          = if (($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }).IsDefault -eq $true) { $true } else { $false }

  TwoWayVoiceMobile             = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }) { $true } else { $false }
  TwoWayVoiceMobileIsDefault    = if (($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }).IsDefault -eq $true) { $true } else { $false }

  OneWaySMS                     = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }) { $true } else { $false }
  OneWaySMSIsDefault            = if (($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }).IsDefault -eq $true) { $true } else { $false }
}

8 Replies


@Aldin Turcinovic 

I've been using this script; it reports on users that are MFA enforced via CA policy and have a disabled MFA user state.


https://gallery.technet.microsoft.com/office/Export-Office-365-Users-81747c73

@n3vers 
Thanks. I already came across that script.

It basically does the same as mine.

It's not accurate.


If there is a Conditional Access policy, but due to some conditions a particular account is not affected by it and he has an Authentication Phone configured, the script (like mine) will report that MFA is enabled even though it's not enforced.


We have a couple of these accounts in our environment.

While everything is under control here, I wanted to have a reliable report where I can look at occasionally to identify such accounts if they, for some reason, slip through.

@Aldin Turcinovic 
Did you ever find an accurate way to report on MFA, as I have just found our current reporting has the same issue?

Unfortunately no. Once you switch to MFA via Conditional Access you can't have a 100% accurate report.
Has anyone resolved this? Aldin, did you just accept having to manually look through everyone's account to see if MFA was enabled? Did you convert your users to an older, but seemingly better MFA setup (per-user)? Does anyone in Microsoft have a resolution to this or a reason for this, since this is the preferred Microsoft MFA method??? This is frustratingly ridiculous.

@justJustinian 
So far I've seen 2 methods used.

1. You can report on the MFA registration type, so if you have simple conditional access policies you may be able to assume coverage if they are registered.
2. I've seen some third party tools actually parse the login audit logs and report on any logins without MFA.


But no, nothing direct from MS.
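The second method above (checking the sign-in logs for sign-ins that completed without MFA) can be done without a third-party tool. The PowerShell below is an added example, not the poster's tooling: the function takes sign-in records shaped like the Microsoft Graph signIn resource (`authenticationRequirement`, `conditionalAccessStatus`, `status.errorCode`) and lists the accounts whose successful sign-ins were single-factor. The records embedded here are constructed; the commented `Get-MgAuditLogSignIn` call is how you would feed it live data with the Microsoft Graph PowerShell SDK.

```powershell
# Added example: report accounts with successful single-factor sign-ins.
# Live input (Microsoft Graph PowerShell SDK, Microsoft.Graph.Reports module):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-01-01T00:00:00Z" -All
# The objects below are constructed sample records mirroring the fields used.
$signIns = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.com'; CreatedDateTime = [datetime]'2024-01-05T08:00:00Z'
                       AuthenticationRequirement = 'multiFactorAuthentication';  ConditionalAccessStatus = 'success'
                       Status = [PSCustomObject]@{ ErrorCode = 0 } }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.com';   CreatedDateTime = [datetime]'2024-01-05T09:15:00Z'
                       AuthenticationRequirement = 'singleFactorAuthentication'; ConditionalAccessStatus = 'notApplied'
                       Status = [PSCustomObject]@{ ErrorCode = 0 } }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.com';   CreatedDateTime = [datetime]'2024-01-06T07:40:00Z'
                       AuthenticationRequirement = 'singleFactorAuthentication'; ConditionalAccessStatus = 'notApplied'
                       Status = [PSCustomObject]@{ ErrorCode = 0 } }
    # A failed single-factor attempt is not evidence that MFA is bypassed, so it is excluded
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.com'; CreatedDateTime = [datetime]'2024-01-06T10:05:00Z'
                       AuthenticationRequirement = 'singleFactorAuthentication'; ConditionalAccessStatus = 'failure'
                       Status = [PSCustomObject]@{ ErrorCode = 50126 } }
)

function Get-SingleFactorSignIn {
    param([Parameter(Mandatory)][object[]]$SignIn)

    $SignIn |
        Where-Object { $_.Status.ErrorCode -eq 0 -and $_.AuthenticationRequirement -eq 'singleFactorAuthentication' } |
        Group-Object UserPrincipalName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [PSCustomObject]@{
                UserPrincipalName      = $_.Name
                SingleFactorSignIns    = $_.Count
                LastSingleFactorSignIn = $latest.CreatedDateTime
                # 'notApplied' means no Conditional Access policy matched that sign-in at all
                CaStatuses             = ($_.Group.ConditionalAccessStatus | Sort-Object -Unique) -join ','
            }
        }
}

# Expected: one row for bob@contoso.com (2 sign-ins, CaStatuses 'notApplied'); alice and carol are not listed
Get-SingleFactorSignIn -SignIn $signIns | Format-Table -AutoSize
```

This only shows accounts that actually signed in during the retained window (sign-in logs are kept for a limited number of days depending on the licence), so it complements a registration or group-membership inventory rather than replacing it; an account that never signs in will not appear here, and a row with `ConditionalAccessStatus` of `notApplied` is the kind of account that "slipped through" the policy conditions.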

@justJustinian 

The way I have resolved this is by creating a Dynamic Azure AD Group that adds all users eligible for MFA via Conditional Access (e.g. having the correct license assigned).

Then scoped the Conditional Access policy to that group.


Then, for the inventory, I have a PowerShell script using MsGraph that will check to see if any Authentication Method exists for all users and what method it is.

In the same script, I cross-reference these users with the Azure AD Group membership for the group that's scoped for Conditional License.


If user has an Authentication Method configured and is member of the group, MFA is enabled and enforced.

If user has an Authentication Method configured and not a member of the group, MFA is not enforced.

If user does not have an Authentication Method configured but is a member of the group, MFA is enabled but not yet enforced (e.g. the user hasn't enrolled yet).

If user is not a member of the group, MFA is disabled.


Now this all sounds too much. And it is.

It's unbelievable that we have to do all of this to be able to report on such a basic feature.

But I really didn't see any other way to have a reliable inventory in our environment for MFA.


I would share the script, but it's really fully customized for our own environment and it wouldn't be useful for you.

It does a complete inventory of all users, guests, licenses, last login, mfa, etc...

But as I've said... it's specific to our environment and it would be useless to share it with anyone.


The MFA part is loosely based on this script:

powershell-scripts/GetMFAStatusReport.ps1 at master · admindroid-community/powershell-scripts · GitH...


I took snippets of that script because it's very well written.

But if you use it as is, and add a few lines to get AAD Group membership, you would have the same.
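The four-state classification described above (group membership crossed with registered authentication methods) is the part of the inventory that generalises to any tenant. The PowerShell below is an added example written for this thread, not the poster's script nor the AdminDroid one: it takes the Conditional Access group's member ids and each user's registered methods as inputs, with all ids, names and the group id constructed as placeholders, and shows in comments which Graph PowerShell cmdlets would supply the live data.

```powershell
# Added example: classify each user into the four MFA states described in the thread.
# Live input (Microsoft Graph PowerShell SDK):
#   Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','UserAuthenticationMethod.Read.All'
#   $caGroupId        = '<id of the dynamic group the CA policy is scoped to>'   # placeholder
#   $CaGroupMemberIds = (Get-MgGroupMember -GroupId $caGroupId -All).Id
#   foreach user:  $MethodsByUser[$u.Id] = (Get-MgUserAuthenticationMethod -UserId $u.Id).AdditionalProperties['@odata.type']
# Everything below is constructed sample data.
$users = @(
    [PSCustomObject]@{ Id = 'u-0001'; UserPrincipalName = 'alice@contoso.com' }
    [PSCustomObject]@{ Id = 'u-0002'; UserPrincipalName = 'bob@contoso.com' }
    [PSCustomObject]@{ Id = 'u-0003'; UserPrincipalName = 'carol@contoso.com' }
    [PSCustomObject]@{ Id = 'u-0004'; UserPrincipalName = 'svc-backup@contoso.com' }
)
# Every account has a password method, so it alone must not count as an MFA registration
$methodsByUser = @{
    'u-0001' = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    'u-0002' = @('#microsoft.graph.passwordAuthenticationMethod')
    'u-0003' = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod')
    'u-0004' = @('#microsoft.graph.passwordAuthenticationMethod')
}
$caGroupMemberIds = @('u-0001', 'u-0002')   # constructed: the CA-scoped group contains alice and bob

function Get-MfaEnforcementState {
    param(
        [Parameter(Mandatory)][object[]]$Users,           # objects with Id and UserPrincipalName
        [Parameter(Mandatory)][hashtable]$MethodsByUser,  # user Id -> array of method @odata.type strings
        [Parameter(Mandatory)][string[]]$CaGroupMemberIds # ids of members of the group the CA policy targets
    )
    $ignored   = @('#microsoft.graph.passwordAuthenticationMethod')
    $memberSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$CaGroupMemberIds)

    foreach ($u in $Users) {
        $registered = @($MethodsByUser[$u.Id] | Where-Object { $_ -notin $ignored })
        $inGroup    = $memberSet.Contains($u.Id)

        # The four states from the thread, in the same order of precedence
        $state = if ($inGroup -and $registered.Count -gt 0) { 'EnabledAndEnforced' }
                 elseif ($inGroup)                          { 'EnabledNotEnrolled' }
                 elseif ($registered.Count -gt 0)           { 'RegisteredNotEnforced' }
                 else                                       { 'Disabled' }

        [PSCustomObject]@{
            UserPrincipalName = $u.UserPrincipalName
            InCaGroup         = $inGroup
            Methods           = ($registered -replace '^#microsoft\.graph\.', '') -join ','
            MfaState          = $state
        }
    }
}

# Expected: alice EnabledAndEnforced, bob EnabledNotEnrolled, carol RegisteredNotEnforced, svc-backup Disabled
Get-MfaEnforcementState -Users $users -MethodsByUser $methodsByUser -CaGroupMemberIds $caGroupMemberIds |
    Format-Table -AutoSize
```

The rows worth reviewing regularly are `RegisteredNotEnforced` (a phone or app is registered but nothing requires it, which is exactly the account the per-user scripts above mis-report as "enabled") and `EnabledNotEnrolled` (in scope but not yet registered). If the Conditional Access policy uses exclusion groups, subtract their members from `$CaGroupMemberIds` before calling the function, otherwise excluded accounts will be classified as enforced.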


I appreciate everyone's feedback. Now to get better built-in reporting, but this is great, thank you!