Multi-Factor Authentication (MFA) is a method of Azure AD authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can easily enable MFA for Azure AD users through the Azure MFA portal. In this post, I am going to share a PowerShell script to list Office 365 users with their MFA status and MFA-related details such as the verification email, phone number, and alternative phone number.
Before proceeding, run the following command to connect to Azure AD with the MSOnline PowerShell module.
Connect-MsolService
The command below lists all MFA-enabled users (enabled either via Conditional Access or through the MFA portal). A user enabled only through Conditional Access has no per-user MFA state, so the filter also accepts users who merely have registered authentication methods.
Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -ne $null -or $_.StrongAuthenticationRequirements.State -ne $null}
List All Office 365 Users with MFA Status and MFA Details:
The following command retrieves all the Azure AD users and their MFA details.
$Result=@()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    # Per-user MFA state (Enabled/Enforced) is only set through the MFA portal
    $mfaStatus = $_.StrongAuthenticationRequirements.State
    # Registered methods exist for both portal-enabled and Conditional Access users
    $methodTypes = $_.StrongAuthenticationMethods
    if ($mfaStatus -ne $null -or $methodTypes -ne $null) {
        if($mfaStatus -eq $null) { $mfaStatus='Enabled (Conditional Access)' }
        $authMethods = $methodTypes.MethodType
        $defaultAuthMethod = ($methodTypes | Where{$_.IsDefault -eq "True"}).MethodType
        $verifyEmail = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    } Else {
        $mfaStatus = "Disabled"
        # Reset every field so values from the previous user are not carried over
        $authMethods = $null
        $defaultAuthMethod = $null
        $verifyEmail = $null
        $phoneNumber = $null
        $alternativePhoneNumber = $null
    }
    $Result += New-Object PSObject -property @{
        UserName = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus = $mfaStatus
        AuthenticationMethods = $authMethods
        DefaultAuthMethod = $defaultAuthMethod
        MFAEmail = $verifyEmail
        PhoneNumber = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
    }
}
$Result | Select UserName,MFAStatus,MFAEmail,PhoneNumber,AlternativePhoneNumber
List all MFA-enabled users
$Result | Where {$_.MFAStatus -ne "Disabled"}
List all MFA-enabled users without a phone number
$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.PhoneNumber -eq $null}
List all MFA-enabled users without an alternative authentication phone number
$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.AlternativePhoneNumber -eq $null}
Export Office 365 users' MFA status to a CSV file
$Result | Export-CSV "C:\O365-Users-MFA-Details.csv" -NoTypeInformation -Encoding UTF8
List MFA Status for a set of users from CSV:
You can use the script below if you want to check the MFA status for a particular set of users (for example, newly created users) by importing the users from a CSV file. Consider the CSV file Office365Users.csv, which holds a set of O365 users under the column header UserPrincipalName.
$Result=@()
# Read and iterate the CSV file
Import-Csv 'C:\Office365Users.csv' | ForEach-Object {
    # Read the UserPrincipalName field from the CSV row
    $upn = $_."UserPrincipalName"
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    $mfaStatus = $user.StrongAuthenticationRequirements.State
    $methodTypes = $user.StrongAuthenticationMethods
    if ($user -ne $null -and ($mfaStatus -ne $null -or $methodTypes -ne $null)) {
        if($mfaStatus -eq $null) { $mfaStatus='Enabled (Conditional Access)' }
        $authMethods = $methodTypes.MethodType
        $defaultAuthMethod = ($methodTypes | Where{$_.IsDefault -eq "True"}).MethodType
        $verifyEmail = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    } Else {
        $mfaStatus = "Disabled"
        if($user -eq $null) { $mfaStatus='User not found' }
        # Reset every field so values from the previous row are not carried over
        $authMethods = $null
        $defaultAuthMethod = $null
        $verifyEmail = $null
        $phoneNumber = $null
        $alternativePhoneNumber = $null
    }
    $Result += New-Object PSObject -property @{
        UserName = $user.DisplayName
        # Taken from the CSV row so that 'User not found' rows still show the UPN
        UserPrincipalName = $upn
        MFAStatus = $mfaStatus
        AuthenticationMethods = $authMethods
        DefaultAuthMethod = $defaultAuthMethod
        MFAEmail = $verifyEmail
        PhoneNumber = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
    }
}
$Result | Select UserName,UserPrincipalName,MFAStatus
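As an added example (not code from the original post), the two scripts above, the all-users report and the CSV-driven report, are rolled into one function that takes Get-MsolUser objects, followed by the audit summary a reviewer usually wants on top of the raw list: guests excluded by UserType, members with no MFA at all, members whose per-user state is Enabled but who have never registered a method (MFA is not protecting them yet), and members whose default method is SMS or a voice call rather than the Authenticator app. The function names Get-MfaReport, Get-MfaSummary and New-SampleUser, the contoso.example accounts and the phone numbers are assumptions; the MethodType strings are the values the MSOnline module returns. The constructed sample objects at the bottom mimic the Get-MsolUser property shape so the block runs offline without a tenant.

```powershell
# Added example, not from the original post. Function names (Get-MfaReport,
# Get-MfaSummary, New-SampleUser) and the sample accounts are hypothetical.
# With a live tenant:  Connect-MsolService; Get-MfaSummary -Users (Get-MsolUser -All)
# From a CSV of UPNs:  Get-MfaSummary -Users (Import-Csv .\Office365Users.csv |
#                        ForEach-Object { Get-MsolUser -UserPrincipalName $_.UserPrincipalName })

function Get-MfaReport {
    # One report row per MSOnline user object, same columns as the post's script.
    param([Parameter(Mandatory)] [object[]] $Users)

    foreach ($user in $Users) {
        # Per-user MFA state (Enabled/Enforced) exists only when set in the MFA portal;
        # users covered by Conditional Access have registered methods but no state.
        $state = $null
        if ($user.StrongAuthenticationRequirements) { $state = @($user.StrongAuthenticationRequirements)[0].State }
        $methods = @()
        if ($user.StrongAuthenticationMethods) { $methods = @($user.StrongAuthenticationMethods) }
        $details = $user.StrongAuthenticationUserDetails

        if ($state -or $methods.Count -gt 0) {
            if (-not $state) { $state = 'Enabled (Conditional Access)' }
        } else {
            $state = 'Disabled'
        }

        [pscustomobject]@{
            UserPrincipalName      = $user.UserPrincipalName
            UserType               = $user.UserType
            MFAStatus              = $state
            AuthenticationMethods  = @($methods | ForEach-Object { $_.MethodType })
            DefaultAuthMethod      = ($methods | Where-Object { $_.IsDefault } |
                                      ForEach-Object { $_.MethodType } | Select-Object -First 1)
            MFAEmail               = $details.Email
            PhoneNumber            = $details.PhoneNumber
            AlternativePhoneNumber = $details.AlternativePhoneNumber
        }
    }
}

function Get-MfaSummary {
    # Audit view over the report: guests excluded by UserType, plus three review lists.
    param([Parameter(Mandatory)] [object[]] $Users)

    $report  = @(Get-MfaReport -Users $Users)
    $members = @($report | Where-Object { $_.UserType -ne 'Guest' })
    # MethodType values MSOnline returns for SMS and voice-call factors, which are
    # weaker than the Authenticator app (PhoneAppNotification / PhoneAppOTP).
    $phoneMethods = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'TwoWayVoiceAlternateMobile'

    [pscustomobject]@{
        MemberCount       = $members.Count
        GuestCount        = $report.Count - $members.Count
        # Members with neither a per-user state nor a registered method.
        MembersWithoutMfa = @($members | Where-Object { $_.MFAStatus -eq 'Disabled' } |
                              Select-Object -ExpandProperty UserPrincipalName)
        # 'Enabled' in the portal but registration never completed: not yet protected.
        NotYetRegistered  = @($members | Where-Object { $_.MFAStatus -ne 'Disabled' -and $_.AuthenticationMethods.Count -eq 0 } |
                              Select-Object -ExpandProperty UserPrincipalName)
        PhoneOnlyDefault  = @($members | Where-Object { $_.DefaultAuthMethod -in $phoneMethods } |
                              Select-Object -ExpandProperty UserPrincipalName)
    }
}

function New-SampleUser {
    # Constructed stand-in for a Get-MsolUser object (same property shape, fake data).
    param($Upn, $Type = 'Member', $State = $null, $Methods = @(), $Phone = $null)
    [pscustomobject]@{
        UserPrincipalName                = $Upn
        UserType                         = $Type
        StrongAuthenticationRequirements = @(if ($State) { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods      = @($Methods)
        StrongAuthenticationUserDetails  = [pscustomobject]@{ Email = $null; PhoneNumber = $Phone; AlternativePhoneNumber = $null }
    }
}

# Constructed sample tenant (hypothetical accounts, not real data).
$SampleUsers = @(
    New-SampleUser 'alice@contoso.example' -State 'Enforced' -Phone '+1 555 0100' -Methods @(
        [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
        [pscustomobject]@{ MethodType = 'OneWaySMS';            IsDefault = $false })
    New-SampleUser 'bob@contoso.example' -Phone '+1 555 0101' -Methods @(          # Conditional Access only
        [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true })
    New-SampleUser 'carol@contoso.example' -State 'Enabled'                        # enabled, never registered
    New-SampleUser 'dave@contoso.example'                                          # no MFA at all
    New-SampleUser 'eve_fabrikam.example#EXT#@contoso.example' -Type 'Guest'       # guest, excluded
)

Get-MfaReport  -Users $SampleUsers | Format-Table UserPrincipalName, MFAStatus, DefaultAuthMethod, PhoneNumber
Get-MfaSummary -Users $SampleUsers | Format-List
```

On the sample data the summary reports four members and one guest, lists dave under MembersWithoutMfa, carol under NotYetRegistered and bob under PhoneOnlyDefault; alice, enforced with the Authenticator app as default, appears in none of the review lists. Piping the report to Export-Csv works exactly as in the post, since the rows carry the same column names.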
Why would a user's MFA status be showing as not set, but when I pull their MFA settings I can see that they have set up MFA?
Thank you for this. Is there a way to only query 'internal' users? We currently run Hybrid Azure AD and we have around 1800 actual internal (employee) accounts. However, we do have another 4 or 5 thousand external accounts (these are accounts tied to our AAD by way of sharing links in OneDrive, shared projects in SharePoint etc.). As a filter option – all the external users have the following text in their UserPrincipalName field: #EXT#
Our internal accounts do not. So this could be used as a filter – but I just don't know the correct syntax or where to place it. Any help would be greatly appreciated.
It's not essential – but it would just save time querying unnecessary accounts because I am running this report two or three times a day.
Hi, instead of using a contains filter on UserPrincipalName, you can check the UserType property, which indicates whether the user is a guest (or external) user or a tenant member user (internal user).
You can use the command below to get only the list of internal Office 365 users.
Get-MsolUser -All | Where-Object {$_.UserType -ne "Guest"}
Run the command below to get the list of all the Office 365 external users (guest users).
Get-MsolUser -All | Where-Object {$_.UserType -eq "Guest"}
How do I check whether MFA is activated on a mobile device for Cognito users?