Gathering MFA status of users on Azure

I'm trying to pull a list of users from Azure and see if they have MFA enabled or disabled (for reporting reasons). Currently I'm using the following:

    $cred = Get-Credential
    Connect-MsolService -Credential $cred

    $users = Get-msoluser -All
    $users | select DisplayName,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\csv.csv

This does connect as needed and pulls all user names and emails; however, $_.StrongAuthenticationRequirements.State returns null. Is there another way, or am I overlooking something?

You can use the below cmd:

    Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={
        if ($_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" }}}

Or you can use a pre-built script to export Azure users' MFA status.

Using this script you can export results based on MFA status (i.e., users with enabled state/enforced state/disabled state alone) along with their MFA authentication methods.

Use the following steps to access the Azure portal page where you can view and manage user states: Sign in to the Azure portal as an administrator. Search for and select Azure Active Directory, then select Users > All users.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

It seems like I should actually be using:

    Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

The confusion was using $_.StrongAuthenticationRequirements instead of $_.StrongAuthenticationMethods.

Get MFA Status For Azure/Office365 Users Using Powershell, Get MFA status - With this Powershell script you can easily output the Multi factor Authentication status for your users in Azure / Office 365. Note. The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable.

Maybe it would be more convenient to use the Get-MsolUserByStrongAuthentication function described here: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoluserbystrongauthentication?view=azureadps-1.0

Azure MFA user data collection, What information is used to help authenticate users by Azure Multi-Factor and the Windows Server 2016 Azure MFA AD FS Adapter collect and store the Activate Error; Activation Status Result; Device Name; Device Type  Finding information about MFA on a user in Azure Active Directory can be achieved in multiple ways. Here, I will describe an easy way of finding MFA-information (registered, and by which method) by using Powershell, the cmdlet Get-Msoluser and its related property StrongAuthenticationMethods.

To get just those that are disabled:

    Get-MsolUser -all |
        select DisplayName,UserPrincipalName,@{Name="MFA Status"; Expression={
            if($_.StrongAuthenticationRequirements.Count -ne 0){
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    } | where-Object -Property 'MFA Status' -eq Disabled | Sort-Object -Property 'DisplayName'
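An added example, not code from any of the posts above: it reports both properties discussed in the answers side by side, since `StrongAuthenticationRequirements` carries the per-user MFA state while `StrongAuthenticationMethods` lists what the user has registered. The function names `Get-MfaReportRow` and `New-SampleUser`, the sample users and the output path are assumptions made for illustration.

```powershell
# Added example: one report row per user, built from both properties.
function Get-MfaReportRow {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Per-user MFA state. The collection is empty for users in the Disabled
        # state, which is why reading .State directly yields $null for them.
        $state = $User.StrongAuthenticationRequirements | Where-Object { $_ } |
            Select-Object -First 1 -ExpandProperty State
        if (-not $state) { $state = 'Disabled' }

        # Registered methods: empty means the user has not registered for MFA.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } |
            Select-Object -First 1 -ExpandProperty MethodType

        [pscustomobject]@{
            DisplayName   = $User.DisplayName
            Email         = $User.UserPrincipalName
            MfaState      = $state
            Registered    = $methods.Count -gt 0
            DefaultMethod = $default
            Methods       = $methods.MethodType -join ';'
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real users).
function New-SampleUser($Name, $Upn, $State, $MethodTypes) {
    [pscustomobject]@{
        DisplayName = $Name
        UserPrincipalName = $Upn
        StrongAuthenticationRequirements = @(if ($State) { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods = @($MethodTypes | Where-Object { $_ } | ForEach-Object {
            [pscustomobject]@{ MethodType = $_; IsDefault = ($_ -eq $MethodTypes[0]) } })
    }
}
$sample = @(
    New-SampleUser 'Alice Example' 'alice@contoso.example' 'Enforced' @('PhoneAppNotification','OneWaySMS')
    New-SampleUser 'Bob Example'   'bob@contoso.example'   $null      @('OneWaySMS')
    New-SampleUser 'Carol Example' 'carol@contoso.example' $null      @()
)
$sample | Get-MfaReportRow | Format-Table -AutoSize

# Against a live tenant (after Connect-MsolService):
# Get-MsolUser -All | Get-MfaReportRow | Export-Csv -NoTypeInformation .\mfa-report.csv
```

The Bob row (state Disabled, one method registered) and the Carol row (state Disabled, nothing registered) are the two cases that a report on `StrongAuthenticationRequirements` alone cannot tell apart.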

Sign-in event details for Azure Multi-Factor Authentication, Use the sign-ins report to review Azure Multi-Factor Authentication events. 05/15/2020 How many users are unable to complete the MFA challenge? What are A list of sign-in events is shown, including the status. You can  Currently, the API provided by Microsoft for Azure AD users does not return the MFA status/details. This information might become available in future as part of API but for now Powershell is the only option. User MFA status value is present in the StrongAuthenticationRequirements list object of User Profile.

Collecting your users' Office 365 MFA information with PowerShell, Microsoft provides Office 365 PowerShell modules to fetch information about the cmdlet can be used to check MFA information status for users in Office 365. Collecting MFA enabled and enforced users from Office 365. Looks like you are correct, Pablo. Although the sign-in logs show that MFA was required for users who went through the MFA setup process, it is only saying that when either they were in the Office location (MFA description says that MFA requirement satisfied by token) or they were elsewhere and setup or used the Self-Service Password Reset which must use the same MFA parameters to sign in

How to Use Powershell to Export MFA Status by User, Here's how to use Powershell to export MFA status for each user, MFA out of the available options is also not available from the Azure AD portal. and reviewing the users in your tenant and gathering the information. Check the current Azure health status and view past incidents.

Reporting MFA-Enabled Accounts, It's not part of Office 365 (it comes from Azure), hasn't been updated in years, Managing the MFA status of Office 365 Accounts – Just terrible! List users with MFA registration status under Identity Protection List users with registration status under Identity Protection. Currently we can only see a pie chart, which doesn't help much when performing enrollment in phases before setting the requirement for users.
