Microsoft Tech Community
SOLVED

Report on users with MFA Enabled

Iron Contributor

We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup).  Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx).

37 Replies

You can try this MSOnline PowerShell query to get users' MFA status:

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

Thanks.  For whatever reason, when I ran this with -All, it didn't return the MFA Status column.  However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.

Unfortunately, this shows the same as the GUI.  Users that I didn't specifically 'Enable' for MFA have gone in and set it up.  I can see via the Azure portal sign-in activity log, that they are in fact using MFA when they login (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.

Get-MsolUser -EnabledFilter EnabledOnly | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

By those URLs you are letting users configure their authentication methods, but they are not enabling MFA for their accounts. You, as an admin, will have to enable and/or enforce MFA for them.

I had thought the same thing, but users are being prompted for MFA authentication every time after configuring it (unless connecting via the office/trusted IP), even though their status for MFA is still disabled.  For now, I downloaded all of the logins into Excel and can figure out which ones are using MFA based on whether the MFA Required column is set to TRUE in any of their login attempts.

As an admin, I had asked for volunteers to turn on MFA multiple times and didn't get much response.  After simply sending out the URL to have them do it themselves, it appears many users took advantage of it.  

No, we just have MFA setup with a couple of trusted IP addresses.

ADFS with MFA configured?

I've run out of ideas, but for sure you need admin action to require MFA, either enabling it in Office 365/AAD, or in ADFS or a Conditional Access rule.

Maybe it is a bug, but it works.  Try it out.  I'd like it better, if it updated the status to Enabled...

best response confirmed by Damon Betlow (Iron Contributor)
Solution

No, your users are not enabling MFA for themselves by using those URLs. That's a fact. You may have some other configuration going on.

Looks like you are correct, Pablo.

Although the sign-in logs show that MFA was required for users who went through the MFA setup process, it only says that when either they were in the Office location (the MFA description says that the MFA requirement was satisfied by token) or they were elsewhere and set up or used Self-Service Password Reset, which must use the same MFA parameters to sign in / verify their account and/or reset/unblock their account.

I guess I still have to ask users to be put on the MFA list and manually intervene.

Correct, you need to find out how MFA is enabled for those users.

What you can do is search the Azure AD audit logs for the activity "Enable Strong Authentication" to find out those details.

It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out.  You will notice the app password tab is missing until enabled.  I have found that if users pre-fill this form there is a problem in the 2-factor process.  I need to reset all users that pre-filled the form.  The whole process of enable and auto-enforce makes the 2-factor process very difficult to roll out. The app password on the phone is the hardest for people to understand as well.  You have no idea how long it will take to use the new app password on the phone.  Also, the tab for app passwords does not even look like a tab and is often overlooked by end users.  The visibility into the whole process is a completely different experience from Duo; reports, what reports!   Microsoft = NO reports of value... without PowerShell.

Couldn't agree more with Colin.


@Colin Kness wrote:

The app password on the phone is the hardest for people to understand as well.  You have no idea how long it will take to use the new app password on the phone.  Also, the tab for app passwords does not even look like a tab and is often overlooked by end users.


What is the difference between Enabled and Enforced for StrongAuthenticationRequirements.State?

I can see Enabled users with methods active; I don't really understand this.

Magnus,

You can find the different user states for user MFA here:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

The description column in each of the states describes the state.

However, many organizations are using Conditional Access to invoke MFA, or policy-based MFA, which will show the users as Disabled for user state.  This is because the user may be registered for MFA (has methods registered) but is not enforced on every authentication, and the sign-in state and policies are used to invoke MFA.   https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Jef
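Added example (not code posted in this thread): a script that lists each user's per-user MFA state next to the StrongAuthenticationMethods they have registered, so the users from the original question (registered via aka.ms/mfasetup but still Disabled in the legacy portal) become visible. It assumes the MSOnline module and an existing Connect-MsolService session; the function name and output path are mine.

```powershell
# Per-user MFA state (Enabled/Enforced/Disabled) comes from
# StrongAuthenticationRequirements; registered methods live separately in
# StrongAuthenticationMethods and are what Conditional Access relies on.
function Get-MfaRegistrationReport {
    param(
        # Optional pre-fetched MsolUser objects; defaults to the whole tenant
        [object[]]$Users
    )
    if (-not $Users) { $Users = Get-MsolUser -All }

    foreach ($u in $Users) {
        # An empty requirements collection is what the portal shows as Disabled
        $state = if ($u.StrongAuthenticationRequirements.State) {
            $u.StrongAuthenticationRequirements.State
        } else { 'Disabled' }

        # MethodType values include PhoneAppNotification, PhoneAppOTP,
        # OneWaySMS and TwoWayVoiceMobile; IsDefault marks the preferred one
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object MethodType)
        $default = ($u.StrongAuthenticationMethods | Where-Object IsDefault).MethodType

        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            PerUserMfaState   = $state
            Registered        = ($methods.Count -gt 0)
            Methods           = ($methods -join ';')
            DefaultMethod     = $default
        }
    }
}

# Registered but not Enabled/Enforced per user: the accounts the legacy
# MFA portal and the State-only query in this thread cannot distinguish
# from users who never registered at all.
Get-MfaRegistrationReport |
    Where-Object { $_.Registered -and $_.PerUserMfaState -eq 'Disabled' } |
    Sort-Object DisplayName |
    Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Drop the Where-Object filter to export the full tenant and compare Registered against PerUserMfaState for every account.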

It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out.  You will notice the app password tab is missing until enabled.

That is not correct. Microsoft officially says here that:

Once you enable the conditional access policy, users will be forced to enroll the next time they use an app protected with the policy. If you enable a policy requiring MFA for all users on all cloud apps, this action could cause headaches for your users and your helpdesk. The recommendation is to ask users to register authentication methods beforehand using the registration portal at https://aka.ms/mfasetup. Many organizations find that creating posters, table cards, and email messages helps drive adoption.
