Microsoft Tech Community

How to identify if a user is enforced to enable MFA


Hello community,
I see that there are 3 ways to enforce users to enable MFA:

  1. Enforce a user in Active Directory
  2. Enable security defaults policy
  3. Configure Conditional Access policies

Is there any field on a user resource in the Graph API to identify if a user is enforced to enable MFA? 

6 Replies

@vladislav2495 you can also enforce MFA if you don't have a P1 license, using per-user MFA.


You can check MFA activity and usage from the blade shown below in Entra ID.

[screenshot omitted]

Thanks for your reply, but I need different information about my users. I'd like to know whether some of my users are enforced to enable MFA.

@vladislav2495 OK, try the PowerShell script below.


# Requires the MSOnline module (run Connect-MsolService first); $_ is the current user in the pipeline
Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

The MSOnline module was deprecated on June 30, 2023. Ideally, I need a long-term solution.

@vladislav2495 The MSOnline module has been extended until March 2024, and it may be extended further. You can also find the Microsoft Graph version below.


# Requires an app registration with an admin-consented application permission to read users (e.g. User.Read.All)
$clientId = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_CLIENT_SECRET"
$tenantId = "YOUR_TENANT_ID"

# Client-credentials flow: exchange the app secret for a Graph access token
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
$tokenBody = @{
    client_id     = $clientId
    scope         = $scope
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenBody
$accessToken = $tokenResponse.access_token

# Graph returns users inside a "value" array and pages them via @odata.nextLink,
# so collect every page instead of piping the wrapper object into ForEach-Object
$usersUrl = "https://graph.microsoft.com/v1.0/users"
$headers = @{ Authorization = "Bearer $accessToken" }
$users = @()
do {
    $page = Invoke-RestMethod -Uri $usersUrl -Headers $headers
    $users += $page.value
    $usersUrl = $page.'@odata.nextLink'
} while ($usersUrl)

$users | ForEach-Object {
    $userId = $_.id
    $userPrincipalName = $_.userPrincipalName

    # Note: the v1.0 user object does not expose these two properties, so both
    # checks evaluate to $null and every user is reported as "Disabled"
    $mfaUserSetup = if ($_.strongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" }

    if ($_.strongAuthenticationRequirements -ne $null) {
        $mfaAdminEnforced = $_.strongAuthenticationRequirements.state
    } else {
        $mfaAdminEnforced = "Disabled"
    }

    [PSCustomObject]@{
        DisplayName          = $_.displayName
        UserPrincipalName    = $userPrincipalName
        "MFA User Setup"     = $mfaUserSetup
        "MFA Admin Enforced" = $mfaAdminEnforced
    }
}


@eliekarkafy 
Thanks for your reply.

The strongAuthenticationMethods and strongAuthenticationRequirements fields are not available in the Graph API.
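The user object indeed carries no MFA state, but the information the question asks for is reachable through two other Graph endpoints: the authentication-methods registration report (is the user registered and MFA-capable) and the per-user MFA requirements resource (disabled / enabled / enforced). The script below is an added example written for this thread, not code from any reply; it assumes $AccessToken carries the permissions those endpoints require in your tenant (UserAuthenticationMethod.Read.All for the report; check the documentation for the requirements endpoint) and that both are served on v1.0.

```powershell
# Added example (not from the thread): per-user MFA enforcement and registration report via Graph.
# Assumptions: $AccessToken has UserAuthenticationMethod.Read.All plus whatever permission your
# tenant requires for /users/{id}/authentication/requirements; both endpoints assumed on v1.0.

# Follow @odata.nextLink so the report covers every user, not just the first page
function Invoke-GraphPaged {
    param([string]$Uri, [hashtable]$Headers)
    $results = @()
    while ($Uri) {
        $page     = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        $results += $page.value
        $Uri      = $page.'@odata.nextLink'
    }
    return $results
}

function Get-MfaEnforcementReport {
    param([Parameter(Mandatory)][string]$AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $graph   = "https://graph.microsoft.com/v1.0"

    # Registration report: has the user actually set up a usable MFA method?
    $select = 'id,userPrincipalName,isAdmin,isMfaRegistered,isMfaCapable,methodsRegistered'
    $regs   = Invoke-GraphPaged -Uri "$graph/reports/authenticationMethods/userRegistrationDetails?`$select=$select" -Headers $headers

    foreach ($r in $regs) {
        # Per-user MFA state (the legacy "Enforced" column): one call per user
        try {
            $state = (Invoke-RestMethod -Uri "$graph/users/$($r.id)/authentication/requirements" -Headers $headers).perUserMfaState
        } catch { $state = "error: $($_.Exception.Message)" }

        [PSCustomObject]@{
            UserPrincipalName = $r.userPrincipalName
            IsAdmin           = $r.isAdmin
            PerUserMfaState   = $state              # 'enforced' answers the original question
            IsMfaRegistered   = $r.isMfaRegistered  # user completed registration
            IsMfaCapable      = $r.isMfaCapable     # registered AND allowed by the auth-method policy
            Methods           = ($r.methodsRegistered -join ',')
            # No usable method and no per-user enforcement: only Conditional Access or
            # security defaults can still require MFA for this account
            GapRisk           = (-not $r.isMfaCapable) -and ($state -ne 'enforced')
        }
    }
}

# Usage: Get-MfaEnforcementReport -AccessToken $accessToken | Where-Object GapRisk | Format-Table
```

Cross-check the GapRisk rows against your Conditional Access and security-defaults configuration, since those policies enforce MFA without changing the per-user state.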