Find and List MFA Enabled Status of Office 365 Users using Powershell

Multi-Factor Authentication (MFA) is a method of Azure AD authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. You can easily enable MFA solution for Azure AD users using Azure MFA portal. In this post, I am going to share powershell script to list office 365 users with their MFA status and MFA related details like Verification Email, Phone Number, and Alternative Phone Number.

Before proceed run the following command to connect Azure AD powershell module.

Connect-MsolService

The below command list all MFA enabled users (Enabled either via Conditional Access or using MFA Portal).

Get-MsolUser -All | Where {$_.StrongAuthenticationMethods -ne $null -or $_.StrongAuthenticationRequirements.State -ne $nul}

List All Office 365 Users with MFA Status and MFA Details:

The following command retrieves all the Azure AD users and their MFA details.

$Result=@() 
$users = Get-MsolUser -All
$users | ForEach-Object {
$user = $_
$mfaStatus = $_.StrongAuthenticationRequirements.State 
$methodTypes = $_.StrongAuthenticationMethods 

if ($mfaStatus -ne $null -or $methodTypes -ne $null)
{
if($mfaStatus -eq $null)
{ 
$mfaStatus='Enabled (Conditional Access)' 
}
$authMethods = $methodTypes.MethodType
$defaultAuthMethod = ($methodTypes | Where{$_.IsDefault -eq "True"}).MethodType 
$verifyEmail = $user.StrongAuthenticationUserDetails.Email 
$phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
$alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
}
Else
{
$mfaStatus = "Disabled"
$defaultAuthMethod = $null
$verifyEmail = $null
$phoneNumber = $null
$alternativePhoneNumber = $null
}
   
$Result += New-Object PSObject -property @{ 
UserName = $user.DisplayName
UserPrincipalName = $user.UserPrincipalName
MFAStatus = $mfaStatus
AuthenticationMethods = $authMethods
DefaultAuthMethod = $defaultAuthMethod
MFAEmail = $verifyEmail
PhoneNumber = $phoneNumber
AlternativePhoneNumber = $alternativePhoneNumber
}
}
$Result | Select UserName,MFAStatus,MFAEmail,PhoneNumber,AlternativePhoneNumber

List all MFA enabled users

$Result | Where {$_.MFAStatus -ne "Disabled"}

List all MFA enabled users without Phone Number

$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.PhoneNumber -eq $null}

List all MFA enabled users without Alternative Authentication Phone Number

$Result | Where {$_.MFAStatus -ne "Disabled" -and $_.AlternativePhoneNumber -eq $null}

Export 365 users MFA status to CSV file

$Result | Export-CSV "C:\O365-Users-MFA-Details.csv" -NoTypeInformation -Encoding UTF8

List MFA Status for set of users from CSV:

You can use the below command if you want to check the MFA status for particular set of users (for ex: newly created users) by importing users from CSV file.Consider the csv file Office365Users.csv that has set 0365 users with the column header UserPrincipalName.

$Result=@()
# Read and Iterate CSV file
Import-Csv 'C:\Office365Users.csv' | ForEach-Object {
# Read UserPrincipalName field from CSV row
$upn = $_."UserPrincipalName"
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
$mfaStatus = $user.StrongAuthenticationRequirements.State 
$methodTypes = $user.StrongAuthenticationMethods 
 
if ($user -ne $null -and ($mfaStatus -ne $null -or $methodTypes -ne $null))
{
if($mfaStatus -eq $null)
{ 
$mfaStatus='Enabled (Conditional Access)'
}
$authMethods = $methodTypes.MethodType
$defaultAuthMethod = ($methodTypes | Where{$_.IsDefault -eq "True"}).MethodType 
$verifyEmail = $user.StrongAuthenticationUserDetails.Email 
$phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
$alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
}
Else
{
$mfaStatus = "Disabled"
if($user -eq $null)
{ 
$mfaStatus='User not found'
}
$defaultAuthMethod = $null
$verifyEmail = $null
$phoneNumber = $null
$alternativePhoneNumber = $null
}
    
$Result += New-Object PSObject -property @{ 
UserName = $user.DisplayName
UserPrincipalName = $user.UserPrincipalName
MFAStatus = $mfaStatus
AuthenticationMethods = $authMethods
DefaultAuthMethod = $defaultAuthMethod
MFAEmail = $verifyEmail
PhoneNumber = $phoneNumber
AlternativePhoneNumber = $alternativePhoneNumber
}
}
$Result | Select UserName,UserPrincipalName,MFAStatus

9 thoughts on “Find and List MFA Enabled Status of Office 365 Users using Powershell”

cmm48

January 3, 2019 at 9:46 pm

why would a user’s Mfa status be showing as not set, but when I pull their Mfa settings I can see that the have setup Mfa?
desshiels

February 3, 2020 at 10:32 am

Thank you for this. Is there a way to only query 'internal' users? We currently run Hybrid Azure AD and we have around 1800 actual internal (employee) accounts. However we do have another 4 or 5 thousand external accounts (these are accounts tied to our AAD by way of sharing links in OneDrive, Shared Projects in SharePoint etc). As a filter option – all the external users have the following text in their UserPrincipleName field: #EXT#
Our internal accounts do not. So this could be used as a filter – but I just don't know the correct syntax or where to place it. Any help would be greatly appreciated.
It's not essential – but it would just save time query unnecessary accounts because I am running this report two or three times a day.
- Morgan
  
  January 18, 2021 at 7:16 am
  
  Hi, instead of using contains filter with UserPrincipleName, you can check the property UserType which indicates the user is guest (or external) user or tenant member user (internal user).
  
  You can use the command below to get only the list of internal Office 365 users.
  
  Get-MsolUser -All | Where-Object {$_.UserType -ne “Guest”}
  
  Run the command below to get the list of all the Office 365 external users (guest users).
  
  Get-MsolUser -All | Where-Object {$_.UserType -eq “Guest”}
Sai kumar Sankuri

June 27, 2021 at 5:34 pm

how to check MFA activated in mobile device for cognito users