cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to identify if an user is enforced to enable MFA

vladislav2495
Copper Contributor

‎Aug 30 2023 04:27 AM

‎Aug 30 2023 04:27 AM

How to identify if an user is enforced to enable MFA

Hello community,
I see that there are 3 ways to enforce users to enable MFA:

  1. Enforce an user in the ActiveDirectory
  2. Enable security defaults policy
  3. Configure Conditional Access policies

Is there any field on a user resource in the Graph API to identify if a user is enforced to enable MFA? 

448 Views
0 Likes
6 Replies
Reply
6 Replies
eliekarkafy

‎Aug 30 2023 04:40 AM

‎Aug 30 2023 04:40 AM

Re: How to identify if an user is enforced to enable MFA

@vladislav2495 you can enforce MFA also in case you don't have P1 license using the per user MFA 

 

you can check the MFA activities and usage from the below blade in ENTRA ID 

eliekarkafy_0-1693395630561.png

 

0 Likes
Reply
vladislav2495

‎Aug 30 2023 05:03 AM

‎Aug 30 2023 05:03 AM

Re: How to identify if an user is enforced to enable MFA

Thanks for your reply, but I need a different information of my users. I'd like to know if some of my users are enforced to enable MFA
0 Likes
Reply
eliekarkafy

‎Aug 30 2023 05:06 AM

‎Aug 30 2023 05:06 AM

Re: How to identify if an user is enforced to enable MFA

@vladislav2495 OK , try the below PowerShell script 

 

Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
0 Likes
Reply
vladislav2495

‎Aug 30 2023 05:33 AM - edited ‎Aug 30 2023 05:34 AM

‎Aug 30 2023 05:33 AM - edited ‎Aug 30 2023 05:34 AM

Re: How to identify if an user is enforced to enable MFA

The MSOnline was deprecated on June 30, 2023. Ideally, I need a long term solution. 

0 Likes
Reply
eliekarkafy

‎Aug 30 2023 10:55 PM

‎Aug 30 2023 10:55 PM

Re: How to identify if an user is enforced to enable MFA

@vladislav2495 MS Online module extended until March 2024 and it may be extended more than this as well. you can find also the Microsoft graph version as well. 

 

$clientId = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_CLIENT_SECRET"
$tenantId = "YOUR_TENANT_ID"

$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
$tokenBody = @{
    client_id     = $clientId
    scope         = $scope
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenBody
$accessToken = $tokenResponse.access_token

$usersUrl = "https://graph.microsoft.com/v1.0/users"
$users = Invoke-RestMethod -Uri $usersUrl -Headers @{ Authorization = "Bearer $accessToken" }

$users | ForEach-Object {
    $userId = $_.id
    $userPrincipalName = $_.userPrincipalName

    $mfaUserSetup = if ($_.strongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" }

    if ($_.strongAuthenticationRequirements -ne $null) {
        $mfaAdminEnforced = $_.strongAuthenticationRequirements.state
    } else {
        $mfaAdminEnforced = "Disabled"
    }

    [PSCustomObject]@{
        DisplayName       = $_.displayName
        UserPrincipalName = $userPrincipalName
        "MFA User Setup"     = $mfaUserSetup
        "MFA Admin Enforced" = $mfaAdminEnforced
    }
}

 

0 Likes
Reply
vladislav2495

‎Aug 31 2023 04:38 AM

‎Aug 31 2023 04:38 AM

Re: How to identify if an user is enforced to enable MFA

@eliekarkafy 
Thanks for your reply.

strongAuthenticationMethods and strongAuthenticationRequirements fields are not available in the Graph API
0 Likes
Reply