SOLVED

Report Users with NO Alternative Authentication Phone

Iron Contributor

Hi All

 

Is it possible to create a report showing users with / without an Alternative Authentication Phone Number?

 

Info greatly appreciated

7 Replies

@Kevin Morgan 

 

Great article, however, nothing happens when the following command is run:

 

$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.AlternativePhoneNumber -eq $null}

 

List all MFA enabled users without Alternative Authentication Phone Number

 

Any ideas?

@Kevin Morgan 

 

Hi Kevin

 

I do hope you are well.

 

Anyway, I did manage to get the following script running 

List all MFA enabled users without Alternative Authentication Phone Number

 

However, the output lists users, including myself, that DO actually have a 2nd auth phone.

 

Any ideas?

@Stuart King 

 

Can you run the below command (after replacing your account's UPN) to check whether the "AlternativePhoneNumber" is configured or not?

 

# Look up one account and read the alternative phone from its MFA details
$user = Get-MsolUser -UserPrincipalName "UserName@Domain.onmicrosoft.com"
$alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
# $null goes on the left so the comparison is always a scalar test
if ($null -ne $alternativePhoneNumber) {
    Write-Host "AlternativePhoneNumber:" $alternativePhoneNumber -ForegroundColor Green
} else {
    Write-Host "Alternative auth phone number not configured" -ForegroundColor Red
}

Note: This script extracts the 2nd auth phone number from the MFA Authentication User Details, not from the user's Alternative Mobile Number: $user.AlternateMobilePhones

@Kevin Morgan 

 

Hi Kevin

 

Yes this works, it displays my alternative mob number.

 

Can this be done tenant wide?

 

Stuart

best response confirmed by Stuart King (Iron Contributor)
Solution

@Stuart King 

 

Can you try the below script to list all users without alternative auth phone number.

 

$Result = @()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    if ($alternativePhoneNumber -eq $null) {
        $Result += New-Object PSObject -Property @{
            UserName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}
$Result | Select UserName,UserPrincipalName

Or you can try the below script to list only MFA enabled users without alternative auth phone.

$Result = @()
# Keep only users with a registered MFA method or a per-user MFA state
$users = Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -ne $null -or $_.StrongAuthenticationRequirements.State -ne $null}
$users | ForEach-Object {
    $user = $_
    $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    if ($alternativePhoneNumber -eq $null) {
        $Result += New-Object PSObject -Property @{
            UserName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}
$Result | Select UserName,UserPrincipalName
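The original question asked for users both with and without an alternative authentication phone, so here is an added example (not part of the reply above) that builds one report covering every user, with a flag for each case. The function name Get-AltAuthPhoneReport and the sample users are constructed for illustration, and treating an empty or whitespace-only value as "not configured" is an assumption that goes beyond the $null check in the thread.

```powershell
# Added example. Get-AltAuthPhoneReport is a hypothetical helper, not from the thread.
function Get-AltAuthPhoneReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        $phone = $User.StrongAuthenticationUserDetails.AlternativePhoneNumber
        # Same "MFA enabled" test as the thread: a registered method or a per-user MFA state.
        $mfaEnabled = [bool]$User.StrongAuthenticationMethods -or
                      [bool]$User.StrongAuthenticationRequirements.State
        [pscustomobject]@{
            UserName            = $User.DisplayName
            UserPrincipalName   = $User.UserPrincipalName
            MfaEnabled          = $mfaEnabled
            # Assumption: empty or whitespace-only counts as "not configured", not just $null.
            HasAlternativePhone = -not [string]::IsNullOrWhiteSpace($phone)
        }
    }
}

# Constructed sample objects that mimic the Get-MsolUser properties used in this thread.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS' })
        StrongAuthenticationRequirements = @()
        StrongAuthenticationUserDetails  = [pscustomobject]@{ AlternativePhoneNumber = '+1 5550100' } }
    [pscustomobject]@{ DisplayName = 'Bob Example'; UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationUserDetails  = [pscustomobject]@{ AlternativePhoneNumber = '' } }
    [pscustomobject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @()
        StrongAuthenticationUserDetails  = $null }
)

$report = $sample | Get-AltAuthPhoneReport
# Against a tenant, replace the line above with:
#   $report = Get-MsolUser -All | Get-AltAuthPhoneReport

# MFA enabled users without an alternative auth phone (only Bob in the sample data)
$report | Where-Object { $_.MfaEnabled -and -not $_.HasAlternativePhone } |
    Select-Object UserName, UserPrincipalName

# Full with / without report for review
$report | Export-Csv -Path .\AltAuthPhoneReport.csv -NoTypeInformation
```

Emitting one object per user instead of appending to $Result with += avoids rebuilding the array on every iteration, which matters on large tenants.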

@Kevin Morgan 

 

2nd script looks good.

 

You're an absolute genius, thank you so much.

 

Marked your answer as the Best Response.

 

Have yourself a fab day.

 

Stuart
