I have created a script that can do a couple of things to check and report the MFA status of your users:
- List the MFA Status of all users
- Get all the users that don’t have MFA enabled
- Check the MFA status of a single user
- Check if MFA is enforced
- Check if a user is an admin or not
- Get only the licensed and enabled users
How to use the script? #
Download the script and open PowerShell in the directory the script is in. Connect to MSOL, then run the commands described below.
Get the MFA Status with PowerShell #
With PowerShell, we can easily get the MFA Status of all our Office 365 users. The basis for the script is the Get-MsolUser cmdlet, which gets the users from the Azure Active Directory.
Get-MsolUser returns all the user details, including the parameter StrongAuthenticationMethods. This parameter will list all the strong authentication methods that a user is using. If this parameter is set, then we know that the user is using MFA.
Requirements #
You need to have the MsolService module installed to use this script. Make sure you are connected before you run the script.
Connect-MsolService
Getting a list of all users and their MFA Status #
You can just run the script without any parameters to get a list of all the users and their MFA Status. The script will check if the user is an admin and will list the default MFA type that the user has set.
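The following function is an added example and is not the page's Get-MFAStatus.ps1. It shows how the report described above can be derived from the Get-MsolUser properties the text names: StrongAuthenticationMethods for the configured methods and the default one, StrongAuthenticationRequirements for per-user enforcement, IsLicensed and BlockCredential to keep only licensed, sign-in-enabled accounts, and Get-MsolRole / Get-MsolRoleMember to flag admins. The function name Get-MfaReport and its two switches are assumptions chosen to mirror the script's -withOutMFAOnly and -adminsOnly options; it assumes Connect-MsolService has already been run.

```powershell
# Added example (not the page's Get-MFAStatus.ps1): build a per-user MFA report
# from Get-MsolUser properties. Assumes Connect-MsolService has already been run.
function Get-MfaReport {
    [CmdletBinding()]
    param(
        [switch]$WithoutMfaOnly,   # assumed switch, mirrors the script's -withOutMFAOnly
        [switch]$AdminsOnly        # assumed switch, mirrors the script's -adminsOnly
    )

    # Build a lookup of admin UPNs once: every member of every directory role.
    $adminUpns = @{}
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            if ($member.EmailAddress) { $adminUpns[$member.EmailAddress] = $true }
        }
    }

    # Keep only licensed accounts that are allowed to sign in
    # (BlockCredential = $true means sign-in is blocked).
    $users = Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.BlockCredential }

    foreach ($user in $users) {
        $isAdmin = $adminUpns.ContainsKey($user.UserPrincipalName)
        if ($AdminsOnly -and -not $isAdmin) { continue }

        # An empty StrongAuthenticationMethods collection means no MFA method is registered.
        $methods = $user.StrongAuthenticationMethods
        $hasMfa  = ($null -ne $methods) -and ($methods.Count -gt 0)
        if ($WithoutMfaOnly -and $hasMfa) { continue }

        # The default method carries IsDefault = $true; MethodType is e.g. PhoneAppNotification.
        $defaultMethod = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        # Per-user enforcement lives in StrongAuthenticationRequirements (State = Enabled or Enforced).
        # An empty collection means no per-user requirement; Conditional Access may still require MFA.
        $req = $user.StrongAuthenticationRequirements | Select-Object -First 1
        $enforcement = if ($req) { $req.State } else { 'Disabled' }

        [PSCustomObject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            IsAdmin           = $isAdmin
            MFAEnabled        = $hasMfa
            MFAEnforcement    = $enforcement
            DefaultMethod     = $defaultMethod
            Methods           = (@($methods | ForEach-Object { $_.MethodType }) -join ', ')
        }
    }
}

# Usage: Get-MfaReport | Format-Table
#        Get-MfaReport -AdminsOnly -WithoutMfaOnly | Export-Csv c:\temp\admins-without-mfa.csv -NoTypeInformation
```

The admin lookup is built once before the user loop because Get-MsolRoleMember is called per role, not per user; calling it inside the loop would multiply the number of directory queries by the size of the tenant. Note that a user with no registered method and no per-user requirement shows as MFAEnabled = $false and MFAEnforcement = Disabled even when a Conditional Access policy would prompt them at sign-in, so this report reflects per-user MFA registration and enforcement only.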
You can display the result on the screen
.\Get-MFAStatus.ps1 | FT
or export it to a CSV file if you like.
.\Get-MFAStatus.ps1 | Export-CSV c:\temp\mfastatus.csv -noTypeInformation
Get only the users without MFA #
If you have a large tenant then you probably only want to get the users without MFA. You can use the switch withOutMFAOnly for this.
.\Get-MFAStatus.ps1 -withOutMFAOnly
Check the MFA Status of admins #
Admins should have MFA enabled without a doubt. To quickly check the status of all your admin accounts you can use the switch adminsOnly
.\Get-MFAStatus.ps1 -adminsOnly
Check the MFA status on a selection of users #
The script also allows you to check the MFA Status of a single user or multiple users.
.\Get-MFAStatus.ps1 -UserPrincipalName 'johndoe@contoso.com'
If you want to check the status of a single department for example, then you can do the following:
Get-MsolUser -Department 'Finance' | ForEach-Object { .\Get-MFAStatus.ps1 -UserPrincipalName $_.UserPrincipalName }