Forum Discussion
jameswonderguy
Mar 26, 2024 (Copper Contributor)
How to obtain a list of user accounts with admin roles and not registered for MFA?
Hi, in order to address the secure score remediation "Ensure multifactor authentication is enabled for all users in administrative roles", it needs to be found out which user accounts with admin ...
tlakshmanan
Mar 27, 2024 (Copper Contributor)
Hello jameswonderguy,
You can use a PowerShell script to retrieve the member details of Entra ID administrator roles and generate a report. Currently, it is not possible to generate such a report from the Entra ID portal GUI. The PowerShell script provided below fetches the necessary details and creates the report.
# Requires the Microsoft Graph PowerShell SDK (Users and DirectoryManagement modules)
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# Authentication methods that do not count as MFA registration: every cloud user has a
# password method, and the email method is only used for self-service password reset.
# Without this filter every user would show as "registered" and nobody would be flagged.
$NonMfaMethodTypes = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)

# Function to return the MFA-capable authentication methods registered for a specific user
function Get-MFAAuthenticationMethodDetails
{
    param (
        [Parameter(Mandatory)]
        [string]$UserId
    )
    # Get all authentication methods registered for the specified user
    $AuthenticationMethods = Get-MgUserAuthenticationMethod -UserId $UserId
    # Initialize array to store method names
    $MethodNames = @()
    foreach ($Method in $AuthenticationMethods)
    {
        # The concrete method type is only exposed through the @odata.type annotation
        $MethodType = $Method.AdditionalProperties['@odata.type']
        if ($MethodType -in $NonMfaMethodTypes) { continue }
        $MethodNames += ($MethodType -replace '^#microsoft\.graph\.', '')
    }
    # Join method names into a single string separated by semicolons (empty string if none)
    $MethodNames -join '; '
}

# Connect to Microsoft Graph. UserAuthenticationMethod.Read.All is required to read other users'
# authentication methods, AuditLog.Read.All for SignInActivity, RoleManagement.Read.Directory for role membership
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# Parameters
$CurrentDateTime = Get-Date -Format "yyyyMMdd-HHmmss"
$OutputFolder = "C:\Temp"
# Note: Get-MgDirectoryRole only returns roles that have been activated in the tenant and only
# permanent (active) members; PIM-eligible assignments are not included in this report
$AdminRoles = Get-MgDirectoryRole -All

# Properties to retrieve user details (SignInActivity requires AuditLog.Read.All and an Entra ID P1/P2 licence)
$UserProperties = @(
    'Id', 'DisplayName', 'Mail', 'UserType', 'CreatedDateTime', 'Department', 'UserPrincipalName', 'AccountEnabled', 'SignInActivity'
)

# Initialize a list to store the results
$results = [System.Collections.Generic.List[object]]::new()

# Loop through each admin role
foreach ($Role in $AdminRoles)
{
    # Get members assigned to the current admin role
    $RoleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All
    foreach ($Member in $RoleMembers)
    {
        # Role members can also be groups or service principals; only users can register MFA,
        # and Get-MgUser would fail on a non-user object id
        if ($Member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        # Get user details
        $User = Get-MgUser -UserId $Member.Id -Property $UserProperties
        # Get MFA authentication method details for the user (the object id avoids UPN escaping issues for guests)
        $MFAAuthenticationMethodNames = Get-MFAAuthenticationMethodDetails -UserId $User.Id
        # Collect data
        $results.Add([PSCustomObject]@{
            RoleID                       = $Role.Id
            RoleDisplayName              = $Role.DisplayName
            RoleMemberDisplayName        = $User.DisplayName
            MemberUPN                    = $User.UserPrincipalName
            MemberMail                   = $User.Mail
            UserType                     = $User.UserType
            AccountEnabled               = $User.AccountEnabled
            CreatedDateTime              = $User.CreatedDateTime
            Department                   = $User.Department
            LastSuccessfulSignInDateTime = if ($User.SignInActivity.LastSuccessfulSignInDateTime) { $User.SignInActivity.LastSuccessfulSignInDateTime } else { "null" }
            LastSignInDate               = if ($User.SignInActivity.LastSignInDateTime) { $User.SignInActivity.LastSignInDateTime } else { "null" }
            LastNonInteractiveSignInDate = if ($User.SignInActivity.LastNonInteractiveSignInDateTime) { $User.SignInActivity.LastNonInteractiveSignInDateTime } else { "null" }
            MFARegistrationMethod        = if ($MFAAuthenticationMethodNames) { $MFAAuthenticationMethodNames } else { "Not registered for MFA" }
        })
    }
}

# Export the results to CSV (create the output folder if it does not exist yet)
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$results | Export-Csv -Path "$OutputFolder\EntraID_AdministratorRoleMembers_MFA_Registration_Report_$CurrentDateTime.csv" -NoTypeInformation -Force
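The script in the post above enumerates the members of activated directory roles and infers MFA registration from each user's individual authentication methods. As an added example (not part of tlakshmanan's post or the original script), the following PowerShell takes a different route: it reads IsMfaRegistered and IsMfaCapable from the authentication methods registration report and joins them against both active and PIM-eligible role assignments from the unified role management API, so eligible admins who have never activated their role are not missed. It assumes the Microsoft Graph PowerShell SDK v2 with the Microsoft.Graph.Reports and Microsoft.Graph.Identity.Governance modules, and Entra ID P2 for the eligibility query (without P2 the script warns and reports active assignments only). The output column names are my own choice.

```powershell
# Added example: admin role assignments (active + PIM-eligible) joined with the
# authentication methods registration report. Not part of the original post.
# Assumes: Microsoft Graph PowerShell SDK v2, modules below installed, Entra ID P2 for PIM eligibility.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports, Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory'

# Registration report keyed by user object id. IsMfaRegistered is the tenant's own view of
# MFA registration, so there is no need to re-derive it from individual methods.
$Registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $Registration[$_.Id] = $_
}

# Role definition display names keyed by definition id (assignments reference the id only)
$RoleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $RoleNames[$_.Id] = $_.DisplayName
}

# Collect active assignments and PIM-eligible schedules into one list. Expanding the principal
# returns its type, UPN and display name in AdditionalProperties without a second lookup.
$Assignments = [System.Collections.Generic.List[object]]::new()
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal) {
    $Assignments.Add([PSCustomObject]@{
        Type = 'Active'; RoleDefinitionId = $a.RoleDefinitionId; ScopeId = $a.DirectoryScopeId; Principal = $a.Principal
    })
}
try {
    foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal) {
        $Assignments.Add([PSCustomObject]@{
            Type = 'Eligible'; RoleDefinitionId = $e.RoleDefinitionId; ScopeId = $e.DirectoryScopeId; Principal = $e.Principal
        })
    }
}
catch {
    # Eligibility schedules require PIM (Entra ID P2); fall back to active assignments only
    Write-Warning "Could not read PIM eligibility schedules, reporting active assignments only: $_"
}

$Report = foreach ($Assignment in $Assignments) {
    $p = $Assignment.Principal
    $PrincipalType = $p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    if ($PrincipalType -ne 'user') {
        # Groups and service principals cannot register MFA themselves. Group-based assignments
        # would need their membership expanded to be assessed; that is out of scope here.
        Write-Verbose "Skipping $PrincipalType principal $($p.Id) assigned to $($RoleNames[$Assignment.RoleDefinitionId])"
        continue
    }
    $Reg = $Registration[$p.Id]
    [PSCustomObject]@{
        Role              = $RoleNames[$Assignment.RoleDefinitionId]
        AssignmentType    = $Assignment.Type
        Scope             = $Assignment.ScopeId   # '/' is tenant-wide; otherwise an administrative unit
        UserPrincipalName = $p.AdditionalProperties['userPrincipalName']
        DisplayName       = $p.AdditionalProperties['displayName']
        IsMfaRegistered   = if ($null -ne $Reg) { $Reg.IsMfaRegistered } else { $false }
        IsMfaCapable      = if ($null -ne $Reg) { $Reg.IsMfaCapable } else { $false }
        MethodsRegistered = if ($null -ne $Reg) { $Reg.MethodsRegistered -join '; ' } else { 'not in registration report' }
    }
}

# The secure score control is about admins with no MFA registration at all; list those first
$Report | Where-Object { -not $_.IsMfaRegistered } | Sort-Object Role, UserPrincipalName |
    Format-Table Role, AssignmentType, Scope, UserPrincipalName, IsMfaCapable, MethodsRegistered -AutoSize

# Full report (registered and unregistered) for the remediation record
$Report | Sort-Object Role, AssignmentType, UserPrincipalName |
    Export-Csv -Path ".\AdminRoleAssignments_MfaRegistration_$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
```

Two points worth checking in the output: an account that is IsMfaCapable but not IsMfaRegistered usually means a method exists that satisfies the tenant's MFA policy only in some configurations (for example a temporary access pass), so it still needs attention; and a user missing from the registration report entirely (the 'not in registration report' rows) should be treated as unregistered rather than ignored.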