Users with MFA: Enabled, Disabled, Enforced

GuestGuivenchi 105 Reputation points
2023-08-09T19:25:14.8066667+00:00

I manage an Azure AD.
Does anyone have a PowerShell script that can help me get all users from Azure Active Directory with MFA: Enabled, Disabled, Enforced?

Thanks for the help.


Accepted answer
  1. JamesTran-MSFT 36,481 Reputation points Microsoft Employee
    2023-08-16T19:00:07.4633333+00:00

    @GuestGuivenchi

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    You're looking for a PowerShell script that can get all users from Azure AD along with their MFA status - Enabled, Disabled, or Enforced.

    Solution:

    To resolve your issue, you were able to follow this 3rd party article detailing how to Export Office 365 users MFA status with PowerShell.

    Get-MFAReport PowerShell script:

    # Requires the MSOnline module (Install-Module MSOnline); sign in to the tenant before querying
    Connect-MsolService

    Write-Host "Finding Azure Active Directory Accounts..."
    $Users = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
    $Report = [System.Collections.Generic.List[Object]]::new() # List that collects one report row per user
    Write-Host "Processing" $Users.Count "accounts..."
    ForEach ($User in $Users) {

        # Default registered MFA method, phone number and SMTP addresses for this user
        $MFADefaultMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
        $MFAPhoneNumber = $User.StrongAuthenticationUserDetails.PhoneNumber
        $PrimarySMTP = $User.ProxyAddresses | Where-Object { $_ -clike "SMTP*" } | ForEach-Object { $_ -replace "SMTP:", "" }
        $Aliases = $User.ProxyAddresses | Where-Object { $_ -clike "smtp*" } | ForEach-Object { $_ -replace "smtp:", "" }

        # Per-user MFA state is Enabled or Enforced; no requirement object at all means Disabled
        If ($User.StrongAuthenticationRequirements) {
            $MFAState = $User.StrongAuthenticationRequirements.State
        }
        Else {
            $MFAState = 'Disabled'
        }

        # Translate the raw method type into a readable label
        If ($MFADefaultMethod) {
            Switch ($MFADefaultMethod) {
                "OneWaySMS" { $MFADefaultMethod = "Text code authentication phone" }
                "TwoWayVoiceMobile" { $MFADefaultMethod = "Call authentication phone" }
                "TwoWayVoiceOffice" { $MFADefaultMethod = "Call office phone" }
                "PhoneAppOTP" { $MFADefaultMethod = "Authenticator app or hardware token" }
                "PhoneAppNotification" { $MFADefaultMethod = "Microsoft authenticator app" }
            }
        }
        Else {
            $MFADefaultMethod = "Not enabled"
        }

        $ReportLine = [PSCustomObject] @{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            MFAState          = $MFAState
            MFADefaultMethod  = $MFADefaultMethod
            MFAPhoneNumber    = $MFAPhoneNumber
            PrimarySMTP       = ($PrimarySMTP -join ',')
            Aliases           = ($Aliases -join ',')
        }

        $Report.Add($ReportLine)
    }

    # Make sure the output folder exists, then show the report on screen and export it
    New-Item -ItemType Directory -Path "c:\temp" -Force | Out-Null
    Write-Host "Report is in c:\temp\MFAUsers.csv"
    $Report | Select-Object UserPrincipalName, DisplayName, MFAState, MFADefaultMethod, MFAPhoneNumber, PrimarySMTP, Aliases | Sort-Object UserPrincipalName | Out-GridView
    $Report | Sort-Object UserPrincipalName | Export-CSV -Encoding UTF8 -NoTypeInformation "c:\temp\MFAUsers.csv"
    
    • If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

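The script above reads the per-user MFA state straight from `StrongAuthenticationRequirements`. The following is an added example, not code from the thread or from the linked article: it wraps that classification in a pipeline function and additionally flags users whose per-user MFA is Disabled but who still have methods registered, which usually means MFA is being applied through Conditional Access or security defaults rather than per-user settings. The sample users are constructed objects shaped like `Get-MsolUser` output, so it runs without a tenant; `Get-MfaPosture` is a hypothetical name.

```powershell
# Classify per-user MFA posture from Get-MsolUser-shaped objects.
# Added example, not code from the thread; accepts real Get-MsolUser output
# or the constructed sample objects at the bottom.
function Get-MfaPosture {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Per-user MFA: State is 'Enabled' or 'Enforced'; no requirement object means 'Disabled'
        $reqs  = @($User.StrongAuthenticationRequirements)
        $state = if ($reqs.Count -gt 0) { $reqs[0].State } else { 'Disabled' }
        # Registered method types, independent of the per-user state
        $methods = @($User.StrongAuthenticationMethods | ForEach-Object MethodType)
        $posture = switch ($state) {
            'Enforced' { 'Per-user MFA enforced' }
            'Enabled'  { if ($methods) { 'Per-user MFA enabled, methods registered' }
                         else          { 'Per-user MFA enabled, registration still pending' } }
            default    { if ($methods) { 'Per-user MFA off, but methods registered (likely CA or security defaults)' }
                         else          { 'No MFA: per-user off and nothing registered' } }
        }
        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            MFAState          = $state
            Methods           = ($methods -join ',')
            Posture           = $posture
        }
    }
}

# Constructed sample users (not real tenant data); the shape mirrors Get-MsolUser output
$sampleUsers = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @() }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'OneWaySMS'; IsDefault = $true }) }
    [PSCustomObject]@{ UserPrincipalName = 'dave@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
)

$report = $sampleUsers | Get-MfaPosture
$report | Format-Table -AutoSize
# Accounts with no MFA at all are the ones to chase first
$report | Where-Object { $_.MFAState -eq 'Disabled' -and -not $_.Methods } | Select-Object UserPrincipalName

# Against a real tenant: Connect-MsolService; Get-MsolUser -All | Get-MfaPosture | Export-Csv .\MFAPosture.csv -NoTypeInformation
```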

3 additional answers

  1. Brian Zarb 1,685 Reputation points
    2023-08-09T19:40:48.45+00:00

    Something basic but should work: The script checks users based on their MFA settings: Enabled, Disabled, or Enforced.

    # First, make sure you have the AzureAD module installed.
    # Install-Module -Name AzureAD
    
    # Connect to AzureAD
    Connect-AzureAD
    
    # Fetch all users
    $users = Get-AzureADUser -All $true
    
    # Initialize empty arrays for each MFA category
    $MFAEnabled = @()
    $MFADisabled = @()
    $MFAEnforced = @()
    
    foreach ($user in $users) {
        $mfaState = (Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId).Count
        $strongAuthMethods = (Get-AzureADUserStrongAuthenticationMethod -ObjectId $user.ObjectId)
        $mfaEnforced = $strongAuthMethods | Where-Object { $_.MethodType -eq "phoneAppOTP" }
    
        if ($mfaState -eq 0) {
            $MFADisabled += $user
        } elseif ($mfaEnforced) {
            $MFAEnforced += $user
        } else {
            $MFAEnabled += $user
        }
    }
    
    # Output results
    Write-Host "MFA Enabled Users:" -ForegroundColor Green
    $MFAEnabled | ForEach-Object { Write-Host $_.UserPrincipalName }
    
    Write-Host "`nMFA Disabled Users:" -ForegroundColor Yellow
    $MFADisabled | ForEach-Object { Write-Host $_.UserPrincipalName }

    Write-Host "`nMFA Enforced Users:"
    $MFAEnforced | ForEach-Object { Write-Host $_.UserPrincipalName }


  2. Rich Matheisen 45,111 Reputation points
    2023-08-09T21:20:23.3866667+00:00