Hi there, I was looking for a quick one-liner or similar to retrieve a list of users within a given tenant who have MFA enabled on the user account, and also to determine the users who do not. Thanks.
Hi @JasonGodfrey-5248 · Thank you for reaching out.
You can use the PowerShell command below to get a list of users with MFA Enabled/Disabled:
Connect-MsolService
Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @amanpreetsingh-msft, is there a way to identify the list within the GUI instead of PowerShell? Thanks
From the admin panel, select Users, then Active users. In the top section, select Multi-factor Authentication. This list will show for whom MFA is enabled (Enforced).
Here's one I have been looking for: a script that identifies users who BOTH have OWA enabled and have MFA disabled. I am afraid that because these queries run against, I believe, two different systems (Azure and Exchange), the query is not widely available.
Thanks in advance.
You need to connect to both MSOL and ExchangeOnline, then run something like this:
Get-EXOCASMailbox | where { $_.Identity -notmatch 'DiscoverySearchMailbox' } | where { $_.OWAEnabled -eq 'True' } | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress
P.S.: To install ExchangeOnline module you need to run this: Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
I don't know why, but each time I copy the script the system auto-corrects it somehow to something that doesn't work!!!
Get-EXOCASMailbox | where { $_.Identity -notmatch 'DiscoverySearchMailbox' } | where { $_.OWAEnabled -eq 'True' } | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress
If you see a $. please change it to $ _ . (without spaces)
Hi,
Sorry for the late response.
From my understanding, you want to know who got it set up before you forcefully enable it.
If a user sets up MFA, the value of "StrongAuthenticationMethods" will not be null.
This should help:
Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Sorry, there were some typos:
Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,@{N="MFA Ready"; E={ if( $_.StrongAuthenticationMethods -ne $null){"Yes"} else { "No"}}},@{N="MFA Admin Enforced"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | ft -AutoSize
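The answers above read two separate signals: StrongAuthenticationRequirements.State (what an admin has set) and StrongAuthenticationMethods (what the user has registered). As an added example, not code from any poster in this thread, the function below combines both into one finding per account so the gaps are easy to spot. The function name Get-MfaPosture, the finding labels and the sample users are assumptions made for illustration; the sample objects are constructed so the block runs without a tenant connection.

```powershell
# Added example: objects mimic the Get-MsolUser properties used in this thread.
function Get-MfaPosture {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$User)
    process {
        # StrongAuthenticationRequirements is a collection; empty means per-user MFA is off.
        $state = @($User.StrongAuthenticationRequirements | ForEach-Object { $_.State }) |
            Where-Object { $_ } | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        # Methods the user has registered; one of them is flagged IsDefault.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        # Combine both signals into one finding per account (labels are hypothetical).
        $finding = if ($state -eq 'Disabled' -and $methods.Count -eq 0) { 'No MFA' }
                   elseif ($state -eq 'Disabled') { 'Registered, not required' }
                   elseif ($methods.Count -eq 0) { 'Required, not registered' }
                   else { 'OK' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            SignInBlocked     = [bool]$User.BlockCredential
            MfaState          = $state
            MethodCount       = $methods.Count
            DefaultMethod     = $default
            Finding           = $finding
        }
    }
}

# Constructed sample users (not real accounts). In a tenant: Get-MsolUser -All | Get-MfaPosture
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true }) }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'; BlockCredential = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
)
$sample | Get-MfaPosture | Sort-Object Finding | Format-Table -AutoSize
```

Both properties describe per-user MFA only; MFA required through Conditional Access or security defaults does not appear in StrongAuthenticationRequirements, so a "Disabled" state here is not proof that sign-in is unprotected.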