Find ENABLED Users that need MFA

I am thinking maybe I am asking the wrong question...

What I want to find with PowerShell is

  • All enabled user accounts
  • that do not have MFA turned on

I have been shocked how hard it is. 

  1. Firstly, I can't use PowerShell 7 because Connect-AzureAD is not supported
  2. Then, when I do get connected, Get-AzureADUser does not have the MFA status
  3. Now I find the MSol commands are deprecated, and do not show the enabled status

I have found an AWESOME script that tells me ALL the users and their MFA Status (Not my script)

(Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{Name="MFA Status"; Expression={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where-Object IsDefault -eq $True).MethodType} else { "Disabled"}}})


But I can't filter out the thousands that are not enabled.

I feel I am missing something bigger here, like I am going about this the wrong way. What am I missing???


2 Replies



Check this article out; it shows you how to get the status of all users. Once you have that list, use Excel to simply sort by true/false. Hope this helps!
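
For the question at the top of this thread, one way to produce the list in PowerShell 7, as an added example that is not part of the original thread: it uses the Microsoft Graph PowerShell SDK instead of the MSOnline cmdlets from the question. It assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the User.Read.All and AuditLog.Read.All scopes, and the authentication methods registration report is available in the tenant; the output file name is a placeholder.

```powershell
# Added example: enabled accounts with no registered MFA method.
# Assumptions: Microsoft.Graph module installed; scopes below can be consented.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

# Server-side filter, so disabled accounts are never downloaded.
$enabled = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, DisplayName, UserPrincipalName, UserType

# One registration record per user; index by object id for a fast join.
$regById = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $regById[$_.Id] = $_ }

$gaps = foreach ($u in $enabled) {
    $reg = $regById[$u.Id]
    # A user missing from the report is treated as NOT registered (fail closed),
    # so a reporting gap never hides an account that needs attention.
    if (-not $reg -or -not $reg.IsMfaRegistered) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType   # Member or Guest
            MethodsRegistered = if ($reg) { $reg.MethodsRegistered -join ',' } else { '' }
        }
    }
}

# Note: like the "MFA Status" column in the question's script, this reports
# whether a method is REGISTERED. Whether MFA is actually required at sign-in
# is decided separately (per-user MFA state or Conditional Access policy).
$gaps | Sort-Object UserPrincipalName |
    Export-Csv -Path .\enabled-users-without-mfa.csv -NoTypeInformation   # placeholder file name

'{0} enabled accounts, {1} without a registered MFA method' -f @($enabled).Count, @($gaps).Count
```

The UserType column lets you separate guest accounts, which often authenticate in their home tenant, from member accounts when reviewing the result.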