Microsoft Tech Community

MFA for users from ou to csv file

Hi, I am trying to modify my MFA script to include more than the UPN and whether MFA is enabled; I wanted to include the description and whenCreated date from AD. Unfortunately it creates the CSV file with the header but none of the fields. Any ideas where I am going wrong? I am probably just overcomplicating it.

$Users = Get-ADUser -Filter * -SearchBase 'OU=test,DC=Dc,DC=net' -Properties UserPrincipalName,description,whencreated |
      Select-Object -ExpandProperty UserPrincipalName
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file
Write-Host "Processing" $Users.Count "accounts..." 
foreach( $User in $Users ){
    Get-MsolUser -UserPrincipalName $User
        Select-Object -Property UserPrincipalName,
        
        $ReportLine = [PSCustomObject] @{
        User        = $_.UserPrincipalName
        Name        = $_.DisplayName
        created     = $_.whencreated
        Jobtitle  = $_.description
        MFAstatus = {$_.StrongAuthenticationRequirements.State}
                    }
                    $Report.Add($ReportLine)
                }
$Report | Select User, Name, created, Jobtitle, MFAstatus | Sort Name | Out-GridView
$Report | Sort Name | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation

7 Replies

Hello @robertglass

I played with your script with a few modifications:

- I removed the two lines below:

    Get-MsolUser -UserPrincipalName $User
        Select-Object -Property UserPrincipalName,

- I changed

        User        = $_.UserPrincipalName
        Name        = $_.DisplayName
        created     = $_.whencreated
        Jobtitle  = $_.description
        MFAstatus = {$_.StrongAuthenticationRequirements.State}

to

        User        = $User.UserPrincipalName
        Name        = $User.DisplayName
        created     = $User.whencreated
        Jobtitle    = $User.description
        MFAstatus   = $User.StrongAuthenticationRequirements.State

And it worked like a charm.

@thijoubertold Hi, thanks for looking at this. I made the changes as you suggested, but the CSV file still remains empty with none of the user information written. Did you make any other changes? Here is what I have now.

$Users = Get-ADUser -Filter * -SearchBase 'OU=test,DC=Dc,DC=net' -Properties UserPrincipalName,description,whencreated|Select-Object -ExpandProperty UserPrincipalName
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file
Write-Host "Processing" $Users.Count "accounts..." 
foreach( $User in $Users ){
                   
	$ReportLine = [PSCustomObject] @{
        User        = $user.UserPrincipalName
        Name        = $user.DisplayName
        created     = $user.whencreated
        Jobtitle    = $user.description
        MFAstatus   = $user.StrongAuthenticationRequirements.State
                    }
                    $Report.Add($ReportLine)
                }
$Report | Select User, Name, created, Jobtitle, MFAstatus | Sort Name | Out-GridView
$Report | Sort Name | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation


@robertglass At this point there is no Get-MsolUser in your script so it's not going to have any info for $User.StrongAuthenti*** properties.

If you want to try my script for this, it relies on the MSOnline module like your initial script was already using, so it should be ready to go for you:


Get-MsolUserMFADetails.ps1


Here is the help section:

<#
    .Synopsis
    Get Azure MFA status and details for users in Azure AD.
    .Parameter UserPrincipalName
    UPN of user to query for MFA details.  Accepts pipeline input.
    .Parameter MsolUser
    MsolUser objects from Get-MsolUser. Accepts objects in the pipeline or stored as variables.
    .Parameter All
    Specifies to get and process all MsolUser's.
    .Example
    .\Get-MsolUserMFADetails.ps1 -UserPrincipalName User1@jb365.ca
    PS C:\> .\Get-MsolUserMFADetails.ps1 User1@jb365.ca
    PS C:\> "User1@jb365.ca" | .\Get-MsolUserMFADetails.ps1
    .Example
    $HQUsers = Get-MsolUser -City 'Quispamsis'
    PS C:\> .\Get-MsolUserMFADetails.ps1 -MsolUser $HQUsers
    PS C:\> .\Get-MsolUserMFADetails.ps1 $HQUsers
    PS C:\> $HQUsers | .\Get-MsolUserMFADetails.ps1
    .Example
    .\Get-MsolUserMFADetails.ps1 -All | Export-csv MsolUserMFADetails.csv
    .Outputs
    [PSCustomObject] as follows:
    UserPrincipalName      : User1@jb365.ca
    DisplayName            : User1
    MfaState               : Disabled
    DefaultMethod          : PhoneAppNotification
    ConfiguredMethods      : OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification
    AuthenticationPhone    : +1 8005551212
    AltAuthenticationPhone :
    PhoneAppAuthMethod     : Notification, OTP
    PhoneAppDeviceName     : ONEPLUS A5010
    UserType               : Member
    ObjectId               : 04eb85e2-e0bf-490b-81d2-e5559ad35d19
#>


Hi @robertglass 

I just saw that you collected your users from your local AD (Get-ADUser) and not from Get-MsolUser.
The script below gave me the expected results.

If you want to keep Get-ADUser, you should add a step to request the MFA details from Azure AD / O365 for a local user.

# $Users = Get-ADUser -Filter * -SearchBase 'OU=test,DC=Dc,DC=net' -Properties UserPrincipalName,description,whencreated|Select-Object -ExpandProperty UserPrincipalName
$Users = Get-MsolUser

$Report = [System.Collections.Generic.List[Object]]::new() # Create output file

Write-Host "Processing" $Users.Count "accounts..." 
foreach( $User in $Users ){
                   
	$ReportLine = [PSCustomObject] @{
        User        = $user.UserPrincipalName
        Name        = $user.DisplayName
        created     = $user.whencreated
        Jobtitle    = $user.description
        MFAstatus   = $user.StrongAuthenticationRequirements.State
                    }
                    $Report.Add($ReportLine)
                }

$Report | Sort User | Format-Table

# $Report | Select User, Name, created, Jobtitle, MFAstatus | Sort Name | Out-GridView
# $Report | Sort Name | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation

Hi, thanks for this, and it does work well, but I really need to be able to include the description and whenCreated attributes from AD on this report as well, which is not provided using the MsolUser command alone.

I finally found a way around my issue, and this is the script I ended up with. Thanks for people's input; it helped me figure it out.

Below is a copy of how my script ended up; it provides a CSV file with the attributes I needed. Hopefully sharing it will be useful to others.

$Users = Get-ADUser -Filter * -SearchBase 'OU=test,DC=Dc,DC=net' |
    Get-ADUser -Properties mail | Where-Object { $_.mail -ne $null } |
    Select-Object -ExpandProperty UserPrincipalName
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file
Write-Host "Processing" $Users.Count "accounts..."
foreach ($user in $Users) {
    # Look up the cloud account for this UPN; MsolUser carries WhenCreated and Title
    $msousers = Get-MsolUser -UserPrincipalName $user
    foreach ($msouser in $msousers) {
        $ReportLine = [PSCustomObject] @{
            User        = $msouser.UserPrincipalName
            Name        = $msouser.DisplayName
            created     = $msouser.WhenCreated
            Jobtitle    = $msouser.Title
            MFAstatus   = $msouser.StrongAuthenticationRequirements.State
        }
        # Add inside the inner loop, so a UPN with no MSOL match does not re-add the previous row
        $Report.Add($ReportLine)
    }
}

$Report | Sort-Object User | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation

@robertglass I added a step at line 10 and modified line 17.

Is it ok for you?


# Keep the whole ADUser object (no -ExpandProperty) so $User.UserPrincipalName, description and whencreated resolve in the loop
$Users = Get-ADUser -Filter * -SearchBase 'OU=test,DC=Dc,DC=net' -Properties UserPrincipalName,DisplayName,description,whencreated

$Report = [System.Collections.Generic.List[Object]]::new() # Create output file

Write-Host "Processing" $Users.Count "accounts..."
foreach( $User in $Users ){

    # Newline: fetch the matching cloud account, which is where the MFA state lives
    $MsolUser = Get-MsolUser -UserPrincipalName $User.UserPrincipalName

    $ReportLine = [PSCustomObject] @{
        User        = $User.UserPrincipalName
        Name        = $User.DisplayName
        created     = $User.whencreated
        Jobtitle    = $User.description
        MFAstatus   = $MsolUser.StrongAuthenticationRequirements.State
    }
    $Report.Add($ReportLine)
}

$Report | Sort User | Format-Table

# $Report | Select User, Name, created, Jobtitle, MFAstatus | Sort Name | Out-GridView
# $Report | Sort Name | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation
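As an added example (not code from any poster in this thread), here is the approach the thread converges on carried through with error handling: keep the ADUser object so description and whenCreated survive, look up each UPN with Get-MsolUser, and record a distinct status when the on-prem account has no cloud match instead of silently reusing the previous row. It assumes Connect-MsolService has already been run; the OU and output path are the placeholders used in the thread.

```powershell
# Added example, not from the thread's posters. Assumes Connect-MsolService was run.
$SearchBase = 'OU=test,DC=Dc,DC=net'   # placeholder OU copied from the thread

# Keep the full ADUser object (no -ExpandProperty) so on-prem attributes stay available.
$AdUsers = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
    -Properties UserPrincipalName, DisplayName, Description, whenCreated, mail

$Report = [System.Collections.Generic.List[Object]]::new()
Write-Host "Processing $($AdUsers.Count) accounts..."

foreach ($AdUser in $AdUsers) {
    try {
        # -ErrorAction Stop turns "user not found" into a catchable exception
        $MsolUser = Get-MsolUser -UserPrincipalName $AdUser.UserPrincipalName -ErrorAction Stop

        # StrongAuthenticationRequirements reflects legacy per-user MFA only. An empty
        # collection means per-user MFA is not set; MFA may still be required through
        # Conditional Access or Security Defaults, which this property does not show.
        $State     = $MsolUser.StrongAuthenticationRequirements.State
        $MfaStatus = if ($State) { $State } else { 'NotSet (per-user)' }
        $Methods   = ($MsolUser.StrongAuthenticationMethods |
                      ForEach-Object { $_.MethodType }) -join ';'
    }
    catch {
        # No matching cloud account (for example, not synced): record it explicitly
        $MfaStatus = 'NotFoundInAzureAD'
        $Methods   = ''
    }

    $Report.Add([PSCustomObject]@{
        User        = $AdUser.UserPrincipalName
        Name        = $AdUser.DisplayName
        Created     = $AdUser.whenCreated
        Description = $AdUser.Description
        MFAstatus   = $MfaStatus
        Methods     = $Methods
    })
}

$Report | Sort-Object User | Export-Csv -Path 'C:\Temp\UK-MFA Report.csv' -NoTypeInformation

# Quick review list: accounts without per-user MFA enforced, or with no cloud match
$Report | Where-Object { $_.MFAstatus -ne 'Enforced' } | Format-Table User, MFAstatus, Methods
```

The Methods column lists the registered authentication methods, which helps separate "MFA not enforced but registered" from "nothing registered at all" when reviewing the CSV.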