Forum Discussion
Report on users with MFA Enabled
We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup). Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx).
No, your users are not enabling MFA for themselves by using those URLs. That's a fact. You may have some other configuration going on.
- Colin Kness, Copper Contributor
It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out. You will notice the app password tab is missing until enabled. I have found that if users pre-fill this form there is a problem in the 2-factor process. I need to reset all users that pre-filled the form. The whole process of enable and auto-enforce makes the 2-factor process very difficult to roll out. The app password on the phone is the hardest for people to understand as well. You have no idea how long it will take to use the new app password on the phone. Also, the tab for app passwords does not even look like a tab and is often overlooked by end users. The visibility into the whole process is a completely different experience from Duo; reports, what reports! Microsoft = NO reports of value... without PowerShell.
- Jason Simotas, Copper Contributor
Couldn't agree more with Colin.
Colin Kness wrote: The app password on the phone is the hardest for people to understand as well. You have no idea how long it will take to use the new app password on the phone. Also, the tab for app passwords does not even look like a tab and is often overlooked by end users.
- Magnus Tengmo, Copper Contributor
What is the difference between enabled and enforced for StrongAuthenticationRequirements.State?
I can see enabled users with methods active; I don't really understand this.
- JonasBack, Steel Contributor
It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out. You will notice the app password tab is missing until enabled.
That is not correct. Microsoft officially says here that:
Once you enable the conditional access policy, users will be forced to enroll the next time they use an app protected with the policy. If you enable a policy requiring MFA for all users on all cloud apps, this action could cause headaches for your users and your helpdesk. The recommendation is to ask users to register authentication methods beforehand using the registration portal at https://aka.ms/mfasetup. Many organizations find that creating posters, table cards, and email messages helps drive adoption.
- Magnus Tengmo, Copper Contributor
We let end users pre-enroll in MFA via https://aka.ms/mfasetup, but later enable the end user for MFA. After that, the possibility to set up an app password exists.
Using Conditional Access will only let you force MFA for modern authentication; it doesn't "disable" legacy authentication with app passwords.
Or have I misunderstood this?
- Chris884, Copper Contributor
Very similar to what others have suggested, but writes the output to a CSV, "mfastatus.csv", in C:\Temp:
# Per-user MFA state from StrongAuthenticationRequirements; users with no State set are reported as "Disabled"
Get-MsolUser -All |
    Select-Object DisplayName, UserPrincipalName,
        @{N="MFA Status"; E={ if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } }} |
    Export-Csv C:\temp\mfastatus.csv -NoTypeInformation
- Butchokoy, Copper Contributor
Just in case someone needs it, if you are using conditional access and not enforcing MFA, here's something I used to get the data for those who registered for MFA.
$reportFile = "C:\temp\output.csv"
# Write the CSV header first, then append one line per user
Set-Content $reportFile "First Name,Last Name,UPN,Office,MFA Methods"
$testUser = Get-MsolUser -All
foreach ($userObj in $testUser) {
    # Methods the user has registered (phone app, SMS, ...); empty if they never enrolled
    $mfaMethods = $userObj.StrongAuthenticationMethods | Select-Object -ExpandProperty MethodType
    if ($mfaMethods) {
        # Several registered methods are space-separated inside the last CSV column
        Write-Host "$($userObj.UserPrincipalName) $mfaMethods"
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),$($mfaMethods)"
    }
    else {
        Write-Host "$($userObj.UserPrincipalName) NONE"
        Add-Content $reportFile "$($userObj.FirstName),$($userObj.LastName),$($userObj.UserPrincipalName),$($userObj.Office),NONE"
    }
}
- Manidurai Mohanamariappan, Iron Contributor
You can try this MsolService PowerShell query to get users' MFA status:
# Per-user MFA state; "Disabled" when no State has been set by an admin
Get-MsolUser -All |
    Select-Object DisplayName, UserPrincipalName,
        @{N="MFA Status"; E={ if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } }}
- dbetlow, Iron Contributor
Thanks. For whatever reason, when I ran this with -All, it didn't return the MFA Status column. However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.
Unfortunately, this shows the same as the GUI. Users that I didn't specifically 'Enable' for MFA have gone in and set it up. I can see via the Azure portal sign-in activity log, that they are in fact using MFA when they login (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.
# Same query restricted to enabled accounts (the "e lse" typo in the original line is fixed here)
Get-MsolUser -EnabledFilter EnabledOnly |
    Select-Object DisplayName, UserPrincipalName,
        @{N="MFA Status"; E={ if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } }}
- lstevenswme, Copper Contributor
dbetlow - Your script only works if using O365 MFA. If MFA is Azure MFA via Conditional Access policy only, the above script doesn't return anything. I used the following to identify users that were MFA configured:
# Report the user's default registered method (set when they enrolled themselves), or "Disabled" if they registered nothing
Get-MsolUser -All |
    Select-Object DisplayName, UserPrincipalName,
        @{N="MFA Status"; E={ if ($_.StrongAuthenticationMethods.IsDefault -eq $true) { ($_.StrongAuthenticationMethods | Where-Object IsDefault -eq $true).MethodType } else { "Disabled" } }} |
    Format-Table -AutoSize
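The two MSOnline properties the thread keeps circling around answer different questions: StrongAuthenticationRequirements.State is the admin-set per-user state (Enabled/Enforced, empty when MFA comes only from Conditional Access), while StrongAuthenticationMethods is what the user has registered, e.g. via aka.ms/mfasetup. The following is an added example, not code from any poster: it combines both into one row per user and groups the tenant into rollout categories. The sample user objects are constructed to look like Get-MsolUser output so it runs offline; the CSV path is an arbitrary choice.

```powershell
# Added example: classify each user by admin MFA state plus self-registered methods.
function Get-MfaReportRow {
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        # Admin state: $null when the user was never per-user enabled (Conditional Access only)
        $state   = $User.StrongAuthenticationRequirements.State | Select-Object -First 1
        # Registered methods; filter out $null so an unset property gives an empty array
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $null -ne $_ })
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType | Select-Object -First 1

        # Admin state wins over registration: Enforced > Enabled > registered-only > nothing
        $status = 'Not registered'
        if ($methods.Count -gt 0)  { $status = 'Registered only (self-enrolled or Conditional Access)' }
        if ($state -eq 'Enabled')  { $status = 'Enabled (admin set; becomes Enforced once the user completes registration)' }
        if ($state -eq 'Enforced') { $status = 'Enforced' }

        $adminState = if ($state)   { $state }   else { 'None' }
        $defaultOut = if ($default) { $default } else { 'None' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            AdminState        = $adminState
            DefaultMethod     = $defaultOut
            Methods           = @($methods.MethodType) -join ';'
            Status            = $status
        }
    }
}

# Constructed sample users shaped like Get-MsolUser output (not real tenant data)
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'   # admin enforced, two methods
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
                                             [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'     # self-enrolled, never admin-enabled
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppOTP'; IsDefault = $true }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'   # nothing set up at all
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = $null }
)

$rows = $sample | Get-MfaReportRow
$rows | Format-Table -AutoSize
$rows | Group-Object Status | Select-Object Count, Name   # headcount per rollout category
# Against a real tenant: Get-MsolUser -All | Get-MfaReportRow | Export-Csv C:\temp\mfastatus.csv -NoTypeInformation
```

With the sample data alice lands in "Enforced", bob in "Registered only" and carol in "Not registered"; the "Registered only" group is exactly the set dbetlow could not see in the GUI.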
- GlenDavis, Copper Contributor
I know this is an old thread, but this thread came up when I was looking for the same. I am still a bit gun-shy on running PowerShell scripts I don't understand yet (hope to carve out time for learning PowerShell). So if you want to see MFA usage and methods in the 365 admin console, go to the Azure Active Directory admin center
https://aad.portal.azure.com/
under all services/identity/azure active directory/monitoring/Usage & insights/Authentication methods activity.
There you can see who is MFA registered or not and what methods they used.
- AliSoufi, Copper Contributor
Hi,
Sorry for the late response.
From my understanding you wanted to know who got it set up before you forcefully enable it. If a user sets up MFA, the value of "StrongAuthenticationMethods" will not be null.
This should help:
# Two columns: whether the user registered any method, and whether an admin set Enabled/Enforced
Get-MsolUser -All |
    Select-Object DisplayName, UserPrincipalName,
        @{N="MFA User Setup";     E={ if ($_.StrongAuthenticationMethods -ne $null) { "Enabled" } else { "Disabled" } }},
        @{N="MFA Admin Enforced"; E={ if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } }}
Hi dbetlow,
I would suggest using Microsoft Graph for the reports and all other scripts if plausible.
# Install module
Install-Module Microsoft.Graph.Reports
# Or with force if you already have a previous version
Install-Module Microsoft.Graph.Reports -Force
# Connect to Graph with Reports read rights
Connect-Graph -Scopes "reports.read.all"
# Select the beta profile (the command is available only in the beta API)
Select-MgProfile -Name "beta"
# Get MFA details for users
Get-MgReportCredentialUserRegistrationDetail
From here you can easily export them to Json or CSV if needed.
Hope this helps,
- Magnus Tengmo, Copper Contributor
- cfizz3434, Copper Contributor
I'm getting this...
PS C:\temp> Get-MgReportCredentialUserRegistrationDetail
Get-MgReportCredentialUserRegistrationDetail : The term 'Get-MgReportCredentialUserRegistrationDetail' is not
recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if
a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MgReportCredentialUserRegistrationDetail
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MgReportCre...istrationDetail:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
- cfizz3434, Copper Contributor
Ignore... I had to enable the beta option.
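The "not recognized" error above is what the Graph route produces when the beta profile has not been selected. The following is an added example, not code from the thread: it checks for the cmdlet before calling it and then exports the registration report. It assumes Microsoft.Graph.Reports is installed, that the cmdlet accepts -All like the SDK's other list cmdlets, and an arbitrary CSV path.

```powershell
# Added example: Graph-based MFA registration report with a guard for the beta-profile error.
Connect-MgGraph -Scopes "Reports.Read.All"

# In Graph SDK 1.x the cmdlet exists only after Select-MgProfile -Name "beta"; a missing
# command therefore means the profile was not selected. SDK 2.x has no profiles: its beta
# cmdlets live in the Microsoft.Graph.Beta.* modules under a Get-MgBeta* prefix instead.
if (-not (Get-Command Get-MgReportCredentialUserRegistrationDetail -ErrorAction SilentlyContinue)) {
    if (Get-Command Select-MgProfile -ErrorAction SilentlyContinue) {
        Select-MgProfile -Name "beta"
    } else {
        throw "Beta cmdlet unavailable: on SDK 2.x install Microsoft.Graph.Beta.Reports and use Get-MgBetaReportCredentialUserRegistrationDetail."
    }
}

# IsRegistered / IsMfaRegistered / AuthMethods are the credentialUserRegistrationDetails fields
Get-MgReportCredentialUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsRegistered, IsMfaRegistered,
        @{N = 'Methods'; E = { @($_.AuthMethods) -join ';' }} |
    Export-Csv C:\temp\mfa-graph-report.csv -NoTypeInformation
```

Unlike the MSOnline queries earlier in the thread, this report is independent of per-user Enabled/Enforced state, so it covers users who registered only because of a Conditional Access policy.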