In this guide, you will learn how to get the MFA status of Office 365 users with PowerShell.
I’ll show you how to get the MFA status for a single user and for a list of users.
In addition, I’ll show you how to export an Office 365 MFA status report to CSV.
Let’s get started.
Get MFA Status with PowerShell Requirements
The examples in this guide use the Microsoft Graph module to check the MFA status for Office 365 users. You will need to have the Graph module installed.
The Get-MGUser cmdlet is used to get a single user or all users from your Office 365 tenant.
The Get-MGUserAuthenticationMethod cmdlet is used to get the MFA authentication methods for each user.
Important
The PowerShell commands report the authentication methods registered for each user; this is how the MFA status is determined. Unfortunately, Microsoft does not provide a command that simply says whether an account has MFA enabled or not, so it has to be calculated.
When passwordAuthenticationMethod is the only authentication method listed, the user does not have MFA enabled. The script I provide below will check the authentication methods and create an MFA Status field (Enabled or Disabled).
Example 1. Get MFA Status Office 365 for a Single User
Checking the MFA status of a single user is very easy; you don’t need a bloated script for this.
Step 1. Connect to Microsoft Graph
Before you can get Office 365 users and check their MFA status, you first need to connect to Microsoft Graph.
The below command will permit you to read the full set of Azure user profile properties.
Connect-MgGraph -Scopes "User.Read.All"
You will be prompted to sign in with your account.

When you have authenticated, PowerShell should display “Welcome to Microsoft Graph!”

Step 2. Run the Get-MGUserAuthenticationMethod cmdlet
Run the below command to get the MFA status for a single user.
Get-MGUserAuthenticationMethod -userid abbie.peters@activedirectorypro.com | fl
In this example, I’m checking the MFA status for the user abbie.peters@activedirectorypro.com.

The authentication method microsoft.graph.passwordAuthenticationMethod is the only method listed, which means MFA is not enabled for this user.
Now I’ll check the authentication methods for my account.

In the screenshot above, you can see my account returns multiple authentication methods, which means my account has MFA enabled.
It gets much more complicated when checking all users. The good news is I’ve created a script you can use.
Example 2. MFA Status Office 365 Report for All Users PowerShell
You can copy the script below or download the MFAStatusReport.ps1 PowerShell script.
By default, the script will get the MFA status for all users. I’ll show you how to change it to check the status of a list of users.
Note: Depending on how many users you have in your tenant, the script can take several minutes to complete.
<#
=============================================================================================
Name: Get MFA Status Report
Description: Gets MFA status for all users and authentication methods
Version: 1.0
Website: activedirectorypro.com
Script by: activedirectorypro.com
Instructions: https://activedirectorypro.com/mfa-status-powershell
============================================================================================
#>
#Get all Azure users
$users = get-mguser -All
$results=@();
Write-Host "`nRetrieved $($users.Count) users";
#loop through each user account
foreach ($user in $users) {
    Write-Host "`n$($user.UserPrincipalName)";
    $myObject = [PSCustomObject]@{
        user = "-"
        MFAstatus = "-"
        email = "-"
        fido2 = "-"
        app = "-"
        password = "-"
        phone = "-"
        softwareoath = "-"
        tempaccess = "-"
        hellobusiness = "-"
    }
    $MFAData=Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName #-ErrorAction SilentlyContinue
    $myObject.user = $user.UserPrincipalName;
    #check authentication methods for each user
    ForEach ($method in $MFAData) {
        Switch ($method.AdditionalProperties["@odata.type"]) {
            "#microsoft.graph.emailAuthenticationMethod" {
                $myObject.email = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.fido2AuthenticationMethod" {
                $myObject.fido2 = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                $myObject.app = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.passwordAuthenticationMethod" {
                $myObject.password = $true
                # When only the password is set, then MFA is disabled.
                if($myObject.MFAstatus -ne "Enabled")
                {
                    $myObject.MFAstatus = "Disabled"
                }
            }
            "#microsoft.graph.phoneAuthenticationMethod" {
                $myObject.phone = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.softwareOathAuthenticationMethod" {
                $myObject.softwareoath = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.temporaryAccessPassAuthenticationMethod" {
                $myObject.tempaccess = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
                $myObject.hellobusiness = $true
                $myObject.MFAstatus = "Enabled"
            }
        }
    }
    ##Collecting objects
    $results+= $myObject;
}
# Display the custom objects
$results
To run the script, open PowerShell and first connect to MS Graph.
Connect-MgGraph -Scopes "User.Read.All"
Then enter the path and name of the script to execute it.
The script will display how many accounts it found and output the account it is processing.

When the script has completed, it will display the MFA status and authentication methods for each user.

To export the MFA status report to CSV, pipe the script’s output to the Export-Csv cmdlet.
.\MFAStatusReport.ps1 | Export-Csv -Path c:\it\mfastatus.csv -NoTypeInformation

Check MFA Status for a List of Users
If you want to run the script on a list of users, comment out line #14 (the line that assigns $users with get-mguser -All) and add this code.
$users = ForEach ($mguser in $(get-content -path C:\it\users.txt)) {
    get-mguser -userid $mguser
}

Then create a text file with a list of users. You can save the list anywhere you want; just make sure to update the path in the script.

Now run the script and it will only process the accounts listed in the text file.
MFA Status Report with Azure Toolkit
I’m working on a graphical tool that includes several reports and tools to manage Azure and Office 365. You will be able to generate MFA reports with a click of a button.
If you want to be a beta tester for this tool please send me an email at robert@activedirectorypro.com

List of MFA Authentication Methods
Below is a list of the authentication methods the PowerShell script checks for.
- emailAuthenticationMethod – Represents an email address registered to a user
- fido2AuthenticationMethod – FIDO2 security key registered to a user (USB device)
- microsoftAuthenticatorAuthenticationMethod – This is the Microsoft authenticator app.
- passwordAuthenticationMethod – The user’s password.
- phoneAuthenticationMethod – This means a user has registered their phone using SMS or voice call.
- softwareOathAuthenticationMethod – Software OATH token registered to a user.
- temporaryAccessPassAuthenticationMethod – Temporary time-limited passcode.
- windowsHelloForBusinessAuthenticationMethod – Windows Hello for Business registered to a user.
In the script, these will have #microsoft.graph in the name.

To learn more about the authentication methods refer to the Microsoft article authenticationMethods resource type.
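The script above sets MFAstatus to Enabled for any method other than the password, including an email address (which Microsoft documents as usable for self-service password reset only) and a Temporary Access Pass. The following added example, not part of the original script, classifies the same @odata.type values more strictly and runs offline on constructed sample data. The function name, the two groupings and the LimitedOnly and Review statuses are assumptions of this example.

```powershell
# Added example; the groupings are this example's assumptions, not the page's script.
$StrongTypes  = 'fido2', 'microsoftAuthenticator', 'phone', 'softwareOath',
                'windowsHelloForBusiness'       # usable as a second factor at sign-in
$LimitedTypes = 'email', 'temporaryAccessPass'  # SSPR-only / time-limited passcode

function Get-MfaClassification {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$MethodTypes = @()
    )
    # Reduce '#microsoft.graph.fido2AuthenticationMethod' to 'fido2'; drop the password entry
    $names = @($MethodTypes -replace '^#microsoft\.graph\.|AuthenticationMethod$' |
        Where-Object { $_ -and $_ -ne 'password' })

    $strong  = @($names | Where-Object { $_ -in $StrongTypes })
    $limited = @($names | Where-Object { $_ -in $LimitedTypes })
    $unknown = @($names | Where-Object { $_ -notin ($StrongTypes + $LimitedTypes) })

    $status = if ($strong.Count -gt 0)      { 'Enabled' }
              elseif ($unknown.Count -gt 0) { 'Review' }       # method type in neither list
              elseif ($limited.Count -gt 0) { 'LimitedOnly' }  # the page's script says Enabled
              else                          { 'Disabled' }     # password only, or nothing returned

    [PSCustomObject]@{
        User      = $User
        MFAstatus = $status
        Strong    = $strong -join ','
        Other     = ($limited + $unknown) -join ','
    }
}

# Constructed sample data. In the page's script these strings come from
# $method.AdditionalProperties["@odata.type"] for each entry in $MFAData.
$sample = [ordered]@{
    'user1@example.com' = @('#microsoft.graph.passwordAuthenticationMethod')
    'user2@example.com' = @('#microsoft.graph.passwordAuthenticationMethod',
                            '#microsoft.graph.emailAuthenticationMethod')
    'user3@example.com' = @('#microsoft.graph.passwordAuthenticationMethod',
                            '#microsoft.graph.fido2AuthenticationMethod')
    'user4@example.com' = @('#microsoft.graph.passwordAuthenticationMethod',
                            '#microsoft.graph.exampleFutureAuthenticationMethod') # made-up type
}
$sample.GetEnumerator() | ForEach-Object {
    Get-MfaClassification -User $_.Key -MethodTypes $_.Value
} | Format-Table -AutoSize
```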
I hope you found this article useful. If you have comments or questions, post them below.
Great script but it seems like it is not designed for automated execution. When I connect to graph using Access Token (Get-MsalToken) execution fails after about 1 hour (we have almost 10k users in our organization). Any ideas?