JasonGodfrey-5248 asked Benji-3111 commented

check which users have registered for MFA

Hi there, I was looking for a quick one-liner or similar to retrieve a list of users within a given tenant who have MFA enabled on the user account, and also to determine the users who do not. Thanks.

azure-active-directory office-exchange-online-itpro office-itpro

amanpreetsingh-msft answered Benji-3111 commented

Hi @JasonGodfrey-5248 · Thank you for reaching out.

You can use the PowerShell command below to get a list of users with MFA Enabled/Disabled:

 Connect-MsolService
 Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft, is there a way to identify the list within the GUI, instead of PowerShell? Thanks

0 Votes 0 ·

From the admin panel, select Users, then Active users. In the top section, select Multi-factor Authentication. This list will show for whom MFA is enabled (Enforced).

0 Votes 0 ·

Hi @amanpreetsingh-msft,

Here's one I have been looking for: a script that identifies BOTH users who have OWA enabled and MFA is disabled. I am afraid that because these queries run against—I believe—two different systems (Azure and Exchange), the query is not widely available.

Thanks in advance.

0 Votes 0 ·

You need to connect to both MSOL and ExchangeOnline, then run something like this:

Get-EXOCASMailbox | where { $_.Identity -notmatch 'DiscoverySearchMailbox' } | where { $_.OWAEnabled -eq 'True' } | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress


P.S.: To install the ExchangeOnline module you need to run this: Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5

0 Votes 0 ·

I don't know why, but each time I copy the script the system auto-corrects it somehow to something that doesn't work!!!
Get-EXOCASMailbox | where { $_.Identity -notmatch 'DiscoverySearchMailbox' } | where { $_.OWAEnabled -eq 'True' } | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress

If you see a $. please change it to $ _ . (without spaces)

1 Vote 1 ·
AliSoufi-0422 answered AliSoufi-0422 commented

Hi,

Sorry for the late response.
From my understanding, you want to know who got it set up before you forcefully enable it.

If a user sets up MFA, the value of "StrongAuthenticationMethods" will not be null.

This should help:
Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}


Sorry, there were some typos:
Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{N="MFA Ready"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Yes"} else { "No"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | ft -AutoSize

0 Votes 0 ·
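
Building on the answers above, an added example (not code from any poster in this thread) that turns the two properties into one report, separating users who have registered a method from users an admin has enabled or enforced. `Get-MfaReport` is a hypothetical helper name, and the sample users are constructed so the block runs without a tenant connection.

```powershell
# Added example. Get-MfaReport is a hypothetical helper, not a cmdlet from any module.
# It accepts the objects Get-MsolUser emits and reads only properties used in this thread,
# plus MethodType/IsDefault on each StrongAuthenticationMethods entry.
function Get-MfaReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # Both properties are collections; drop $null entries so .Count is reliable.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $state   = ($User.StrongAuthenticationRequirements | Select-Object -First 1).State
        if (-not $state) { $state = 'Disabled' }   # per-user MFA never switched on
        $registered = $methods.Count -gt 0

        # Note: State reflects per-user MFA only. A user covered by Conditional Access
        # or security defaults still shows 'Disabled' here.
        if     (-not $registered -and $state -eq 'Disabled') { $finding = 'Not registered, not enforced' }
        elseif (-not $registered)                            { $finding = 'Enabled by admin, registration pending' }
        elseif ($state -eq 'Disabled')                       { $finding = 'Registered, not enforced per user' }
        else                                                 { $finding = 'Registered and ' + $state }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            SignInBlocked     = [bool]$User.BlockCredential
            Registered        = $registered
            DefaultMethod     = ($methods | Where-Object IsDefault | Select-Object -First 1).MethodType
            PerUserState      = $state
            Finding           = $finding
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; BlockCredential = $false
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true })
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; BlockCredential = $false
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; BlockCredential = $false
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true })
        StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'; BlockCredential = $true
        StrongAuthenticationMethods      = $null
        StrongAuthenticationRequirements = $null }
)
$sample | Get-MfaReport | Sort-Object Finding | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-MfaReport | Export-Csv mfa-report.csv -NoTypeInformation
```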