This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 98%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
hi there i was looking for quick one-liner or similar to retrieve a list of users within a given tenant who have MFA Enabled on the user accoutn and also to determine the users who do not . thanks
Hi @dirkdigs · Thank you for reaching out.
You can use below PowerShell command to get list of users with MFA Enabled/Disabled:
Connect-MsolService
Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 62%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKV%3C/text%3E%3C/svg%3E)
Hi @AmanpreetSingh-MSFT , Is there a way to identify the list within the GUI, instead of Powershell.? Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 50%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
From the admin panel, select users, then Active users. On top section, select Multi-factor Authentication. This list will show for whom MFA is enabled (Enforced).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 54%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hi @AmanpreetSingh-MSFT ,
Here's one I have been looking for: looking for script that identifies BOTH users who have OWA enabled and MFA is disabled. I am afraid because these queries run against—I believe—two different systems (Azure and Exchange), that is why the query is not widely available.
Thanks in advance.
You need to connect to both MSOL and ExcahngeOnline then run something like this:
Get-EXOCASMailbox | where {$.Identity -notmatch 'DiscoverySearchMailbox'} | where { $.OWAEnabled -eq 'True'} | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress
P.S.: To install ExchangeOnline module you need to run this: Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
I don't know why but each time I copy the script system auto corrects it somehow to something that doesn't work!!!
Get-EXOCASMailbox | where {$.Identity -notmatch 'DiscoverySearchMailbox'} | where { $.OWAEnabled -eq 'True'} | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress
if you see a $. please change it to $ _ . (without spaces)
Worked like a charm, and odd that you have a dollar underscore in the third where clause that didn't auto-correct.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 72%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
This is great! I am trying to put together a single script that provides ALL of these elements:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 20%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Do we have this in Azure Active Directory V2 PowerShell?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 98%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E3%3C/text%3E%3C/svg%3E)
When copying scripts, use a generic txt editor like Notepad++
The problem copying code is that ' and "" in dos, are not the same in Windows.
Windows editors use ANSI, I think and PS and other languages don't like it.
Hi,
Sorry for the late response.
From my understating you want to know who got it setup before you forcefully enable it.
If a user setups MFA the value of "StrongAuthenticationMethods" will not be null
This should help:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
sorry there were some typos:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA Ready"; E={ if( $.StrongAuthenticationMethods -ne $null){"Yes"} else { "No"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | ft -AutoSize
Yours does not display the MFA Auth status. I think this is all depreciated because it is referencing the legacy interface where users can be enabled or disabled per user. Microsoft STILL has not fixed. I will post what is working for me
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more