Need to migrate my MFA Status script from MSol to MSGraph

Here is my current script, which no longer works due to the Run As accounts being retired. I have since worked out how to use the system-managed identity, but it's not compatible with MSol and because it's being deprecated, I need a long-term solution with MSGraph:

# Get credential and connect to MSOnline Service 
$credential = Get-AutomationPSCredential -Name "Credential"
Connect-MsolService -Credential $null -AccountId '' -AzureEnvironment "AzureCloud"

# Retrieve a list of all users in the Azure AD tenant
$allUsers = Get-MsolUser 

# Create a list object that stores users who have MFA disabled
$usersWithoutMFA = New-Object System.Collections.Generic.List[PSObject]

# Iterate through the list of users and check MFA status; store the UPN of each
# unblocked user that has no per-user MFA requirement
foreach ($user in $allUsers) {
    if ($user.StrongAuthenticationRequirements.Count -eq 0 -and $user.BlockCredential -eq $false) {
        # Use Add() so the variable stays a List instead of being rebuilt as an array by +=
        $usersWithoutMFA.Add($user.UserPrincipalName)
    }
}

# Return the array of the Disabled MFA users
#Write-Output $allUsers

# Convert the array to a comma-separated string
$usersWithoutMFAString = $usersWithoutMFA -join ", "

# Return the comma-separated string of user UPNs
Write-Output $usersWithoutMFAString
1 Reply



Can anyone help me here? I've been directed to come here for assistance from here:

Presumably multiple organizations are experiencing this issue so any help would be appreciated. Please let me know if further info is required.
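
One way to produce the same comma-separated list through Microsoft Graph from an Automation runbook, as an added example that is not part of the original thread. It assumes Microsoft Graph PowerShell SDK v2 with the Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Reports modules imported, and a system-assigned managed identity that has been granted the User.Read.All and AuditLog.Read.All application permissions. It reports whether each enabled user has registered an MFA method (`IsMfaRegistered`), which is a different signal from the per-user `StrongAuthenticationRequirements` state the MSOnline script read.

```powershell
# Added example: assumes Graph SDK v2 modules and a managed identity holding
# User.Read.All and AuditLog.Read.All (application permissions).

# Sign in as the Automation account's managed identity; no stored credential is used
Connect-MgGraph -Identity -NoWelcome

# Enabled accounts only, keyed by object id (counterpart of BlockCredential -eq $false)
$enabled = @{}
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName |
    ForEach-Object { $enabled[$_.Id] = $_.UserPrincipalName }

# One registration record per user from the authentication methods report
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$usersWithoutMFA = New-Object System.Collections.Generic.List[string]
$seen = New-Object System.Collections.Generic.HashSet[string]

foreach ($d in $details) {
    [void]$seen.Add($d.Id)
    # Keep enabled users that have no MFA method registered
    if ($enabled.ContainsKey($d.Id) -and -not $d.IsMfaRegistered) {
        $usersWithoutMFA.Add($enabled[$d.Id])
    }
}

# Enabled users missing from the report cannot be classified; surface them
# separately instead of silently treating them as covered
$unreported = $enabled.Keys | Where-Object { -not $seen.Contains($_) }
if ($unreported) {
    Write-Warning ("No registration record for {0} enabled user(s)" -f @($unreported).Count)
}

# Return the comma-separated string of user UPNs
Write-Output ($usersWithoutMFA -join ", ")
```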