Get MFA Status with PowerShell (Script Included)

In this guide, you will learn how to get the MFA status of Office 365 users with PowerShell.

I’ll show you how to get MFA status for a single and a list of users.

In addition, I’ll show you how to export Office 365 MFA status report to CSV.

Let’s get started.

Get MFA Status with PowerShell Requirements

The examples in this guide use the Microsoft Graph module to check the MFA status for Office 365 users. You will need to have the Graph module installed.

The Get-MgUser cmdlet is used to get a single user or all users from your Office 365 tenant.

The Get-MgUserAuthenticationMethod cmdlet is used to get the MFA authentication methods registered for each user.

Important

The PowerShell commands report the authentication methods registered for each user; this is how the MFA status is determined. Unfortunately, Microsoft does not provide a command that simply says whether an account has MFA enabled or not, so it has to be calculated.

When passwordAuthenticationMethod is the only authentication method listed, the user does not have MFA enabled. The script I provide below checks the authentication methods and creates an MFA Status field (Enabled or Disabled).

Example 1. Get MFA Status Office 365 for a Single User

Checking the MFA status of a single user is very easy; you don’t need a bloated script for this.

Step 1. Connect to Microsoft Graph

Before you can get Office 365 Users and check the MFA status you first need to connect to Microsoft Graph.

The below command will permit you to read the full set of Azure user profile properties.

Connect-MgGraph -Scopes "User.Read.All"

You will be prompted to sign in with your account.


When you have authenticated, PowerShell should display “Welcome to Microsoft Graph!”

Step 2. Run the Get-MgUserAuthenticationMethod cmdlet

Run the below command to get the MFA status for a single user.

Get-MgUserAuthenticationMethod -UserId abbie.peters@activedirectorypro.com | fl

In this example, I’m checking the MFA status for the user abbie.peters@activedirectorypro.com.

The authentication method microsoft.graph.passwordAuthenticationMethod is the only method listed, which means MFA is not enabled for this user.

Now I’ll check the authentication methods for my account.

My account returns multiple authentication methods, which means my account has MFA enabled.

Checking all users is much more complicated; the good news is I’ve created a script you can use.

Example 2. MFA Status Office 365 Report for All Users PowerShell

You can copy the script below or download the MFAStatusReport.ps1 PowerShell script.

By default, the script will get the MFA status for all users. I’ll show you how to change it to check the status of a list of users.

Note: Depending on how many users you have in your tenant the script can take several minutes to complete.

<#
=============================================================================================
Name:           Get MFA Status Report
Description:    Gets MFA status for all users and authentication methods
Version:        1.0
Website:        activedirectorypro.com
Script by:      activedirectorypro.com
Instructions:   https://activedirectorypro.com/mfa-status-powershell
============================================================================================
#>

# Get all Azure users
$users = Get-MgUser -All

$results = @()
Write-Host "`nRetrieved $($users.Count) users"

# Loop through each user account
foreach ($user in $users) {

    Write-Host "`n$($user.UserPrincipalName)"

    # One result row per user; "-" means the method is not registered
    $myObject = [PSCustomObject]@{
        user          = "-"
        MFAstatus     = "-"
        email         = "-"
        fido2         = "-"
        app           = "-"
        password      = "-"
        phone         = "-"
        softwareoath  = "-"
        tempaccess    = "-"
        hellobusiness = "-"
    }

    $MFAData = Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName #-ErrorAction SilentlyContinue

    $myObject.user = $user.UserPrincipalName

    # Check the authentication methods registered for this user
    foreach ($method in $MFAData) {

        switch ($method.AdditionalProperties["@odata.type"]) {
            "#microsoft.graph.emailAuthenticationMethod" {
                $myObject.email = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.fido2AuthenticationMethod" {
                $myObject.fido2 = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                $myObject.app = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.passwordAuthenticationMethod" {
                $myObject.password = $true
                # When only the password is set, MFA is disabled.
                if ($myObject.MFAstatus -ne "Enabled") {
                    $myObject.MFAstatus = "Disabled"
                }
            }
            "#microsoft.graph.phoneAuthenticationMethod" {
                $myObject.phone = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.softwareOathAuthenticationMethod" {
                $myObject.softwareoath = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.temporaryAccessPassAuthenticationMethod" {
                $myObject.tempaccess = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
                $myObject.hellobusiness = $true
                $myObject.MFAstatus = "Enabled"
            }
        }
    }

    # Collect the objects
    $results += $myObject
}

# Display the custom objects
$results

To run the script, open PowerShell and first connect to MS Graph.

Connect-MgGraph -Scopes "User.Read.All"

Then enter the path and name of the script to execute it.

The script will display how many accounts it found and output the account it is processing.


When the script has completed, it will display the MFA status and authentication methods for each user.

To export the MFA status report to CSV, pipe the script output to the Export-Csv cmdlet.

.\MFAStatusReport.ps1 | Export-Csv -Path c:\it\mfastatus-csv

Check MFA Status for a List of Users

If you want to run the script on a list of users, comment out line #14 (the line that sets $users with Get-MgUser -All) and add this code.

$users = ForEach ($mguser in $(Get-Content -Path C:\it\users.txt)) {
    Get-MgUser -UserId $mguser
}

Then create a text file with a list of users. You can save the list anywhere you want; just make sure to update the path in the script.


Now run the script and it will only process the accounts listed in the text file.
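The following is an added example, not the article’s own MFAStatusReport.ps1, that covers both the all-users report above and the list-of-users variant in one place. It separates the decision logic (password-only means Disabled; any other registered method means Enabled, the same rule the article’s script applies) into a function that can be checked offline against constructed method objects, wraps the Graph call in per-user error handling so one unreadable account does not abort a tenant-wide run, and accepts user principal names from the pipeline so a text file such as C:\it\users.txt can be fed in without editing the script. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed and that Connect-MgGraph was run with the UserAuthenticationMethod.Read.All scope, which is what reading other users’ authentication methods requires. The example.com user principal names are constructed sample data. Keep in mind that this status reflects which methods a user has registered, not whether a policy actually requires MFA at sign-in.

```powershell
# Added example (not the article's script): MFA status derived from registered
# authentication methods, with per-user error handling and pipeline input.
# Assumes Connect-MgGraph has been run with the UserAuthenticationMethod.Read.All
# scope and that the Microsoft.Graph.Users / Microsoft.Graph.Identity.SignIns
# modules are installed.

function Get-MfaStatusFromMethods {
    <#
    .SYNOPSIS
    Derives an MFA status from a set of authentication method objects.
    Input objects only need an AdditionalProperties hashtable with an
    '@odata.type' key, which is what Get-MgUserAuthenticationMethod returns.
    #>
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Methods
    )

    # Strip the '#microsoft.graph.' prefix so the method names match the
    # list at the end of the article.
    $registered = foreach ($m in $Methods) {
        $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }

    # The password is not a second factor; every other method Graph returns is.
    $strong = @($registered | Where-Object { $_ -ne 'passwordAuthenticationMethod' })

    [PSCustomObject]@{
        User          = $UserPrincipalName
        MFAstatus     = if ($strong.Count -gt 0) { 'Enabled' } else { 'Disabled' }
        Methods       = ($registered | Sort-Object -Unique) -join ';'
        StrongMethods = $strong.Count
    }
}

function Get-MfaStatusReport {
    <#
    .SYNOPSIS
    Runs the check for every user principal name piped in, or for every
    user in the tenant when nothing is piped. A user that cannot be read is
    reported with MFAstatus 'Error' instead of aborting the whole run.
    #>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [string] $UserPrincipalName
    )
    begin {
        $upns = [System.Collections.Generic.List[string]]::new()
    }
    process {
        # Blank lines in an input file arrive as empty strings; skip them.
        if ($UserPrincipalName) { $upns.Add($UserPrincipalName) }
    }
    end {
        if ($upns.Count -eq 0) {
            # No list supplied: fall back to every user in the tenant.
            $upns = (Get-MgUser -All).UserPrincipalName
        }
        foreach ($upn in $upns) {
            try {
                $methods = @(Get-MgUserAuthenticationMethod -UserId $upn -ErrorAction Stop)
                Get-MfaStatusFromMethods -UserPrincipalName $upn -Methods $methods
            }
            catch {
                Write-Warning "${upn}: $($_.Exception.Message)"
                [PSCustomObject]@{ User = $upn; MFAstatus = 'Error'; Methods = ''; StrongMethods = 0 }
            }
        }
    }
}

# --- Offline check of the decision logic with constructed method objects ---
$passwordOnly = @(
    [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } }
)
$passwordAndApp = $passwordOnly + @(
    [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' } }
)
Get-MfaStatusFromMethods -UserPrincipalName 'a@example.com' -Methods $passwordOnly
Get-MfaStatusFromMethods -UserPrincipalName 'b@example.com' -Methods $passwordAndApp

# --- Live usage (requires Connect-MgGraph) ---
# Whole tenant, exported to CSV, then a count of accounts without a second factor:
# $report = Get-MfaStatusReport
# $report | Export-Csv -Path C:\it\mfastatus.csv -NoTypeInformation
# ($report | Where-Object MFAstatus -eq 'Disabled').Count
# Only the users listed in a text file, one user principal name per line:
# Get-Content C:\it\users.txt | Get-MfaStatusReport
```

The two offline calls at the bottom return MFAstatus Disabled for the password-only set and Enabled for the set that also contains the Authenticator app, which lets you confirm the rule before pointing the function at a tenant. Using -ErrorAction Stop inside try/catch is what turns a failed Graph call for one account into a single warning and an 'Error' row rather than a silent gap in the report, which matters when the output is used to decide who still needs MFA enrolment.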

MFA Status Report with Azure Toolkit

I’m working on a graphical tool that includes several reports and tools to manage Azure and Office 365. You will be able to generate MFA reports with the click of a button.

If you want to be a beta tester for this tool please send me an email at robert@activedirectorypro.com

List of MFA Authentication Methods

Below is a list of the authentication methods the PowerShell script checks for.

  • emailAuthenticationMethod – An email address registered to a user.
  • fido2AuthenticationMethod – A FIDO2 security key registered to a user (USB device).
  • microsoftAuthenticatorAuthenticationMethod – The Microsoft Authenticator app.
  • passwordAuthenticationMethod – The user’s password.
  • phoneAuthenticationMethod – The user has registered their phone for SMS or voice call.
  • softwareOathAuthenticationMethod – A software OATH token registered to a user.
  • temporaryAccessPassAuthenticationMethod – A temporary, time-limited passcode.
  • windowsHelloForBusinessAuthenticationMethod – Windows Hello for Business registered to a user.

In the script, these appear with the #microsoft.graph. prefix in the name.

To learn more about the authentication methods refer to the Microsoft article authenticationMethods resource type.

I hope you found this article useful; if you have comments or questions, post them below.

Recommended Tool: Active Directory Pro Toolkit

The AD Pro Toolkit includes 14 tools in 1 to help simplify and automate Active Directory management.

Automate user creation, bulk update accounts, group management, logon reports, report NTFS permissions, cleanup, and secure AD, troubleshoot account lockouts, and much more.

In addition, the toolkit includes over 200 built-in reports.


1 thought on “Get MFA Status with PowerShell (Script Included)”

  1. Great script but it seems like it is not designed for automated execution. When I connect to graph using Access Token (Get-MsalToken) execution fails after about 1 hour (we have almost 10k users in our organization). Any ideas?
