Check MFA Status for Microsoft 365 Users using PowerShell 

Check MFA Status for Microsoft 365 Users using PowerShell

Configuring Multi-Factor Authentication (MFA) is pivotal in safeguarding Microsoft accounts from compromises. MFA can be configured through various methods, such as per-user MFA, security defaults, and Conditional Access policies. However, identifying the MFA deployment source for each user is a thing that Microsoft didn’t answer. (But, let’s save that debate for another day!)

Admins can select the appropriate method based on their organization’s requirements and licensing constraints. Also, monitoring MFA status of all users ensures that this security control is effectively implemented and maintained across the organization.

Challenges in Retrieving MFA Status

Retrieving the MFA status of Microsoft 365 users can be a bit of a puzzle. Two primary methods are commonly employed for this purpose: the MSOnline module and the MS Graph PowerShell module. However, both approaches come with their own set of challenges.

1. MSOnline Module (Get-MSolUser)
The MSOnline module, while still in use, is on the path to deprecation and will no longer be supported after March 2024. This module is effective mainly when your organization relies on legacy per-user MFA. It provides relatively straightforward MFA status information.
Note: Microsoft suggests converting from per-user MFA to CA policies for improved security.

2. MS Graph PowerShell Module (Get-MgUserAuthenticationMethod)
The MS Graph PowerShell module offers a more future-proof solution. However, it introduces complexity in determining MFA status. Unlike the MSOnline module, it does not directly display the MFA status as “enabled” or “enforced.” Instead, it requires administrators to consider the authentication methods to decide MFA status.

Additionally, a significant drawback of the MS Graph approach is that even if MFA is disabled, the registered authentication methods for a specific user may still appear active until you manually reset the MFA method for that user. This can lead to inaccuracies when attempting to ascertain MFA status based solely on authentication methods. I hope Microsoft will provide a solution for this issue soon.

So, I have given both ways to check MFA status using Get-MSolUser and Get-MgUser. You can choose based on your needs.

Generate Microsoft 365 MFA Status Report

Before running the PowerShell scripts, you must connect to Microsoft Graph PowerShell or MsOnline PowerShell module. This blog covers various use cases related to exporting MFA status reports:

Note: The exported file will be stored in the current working directory.

Get MFA Status for Single User:

Often, admins want to check if MFA is enabled for a specific user, and here is a simple code to find that.

MS Graph:
To view the MFA status for a single user using Microsoft Graph, run the below cmdlet.

Get-MgBetaUserAuthenticationMethod -UserId <UPN> | select * 

By default, every user account will have a password authentication method. If the cmdlet lists more than one authentication method, you can conclude that MFA is enabled for that user. This approach is applicable if you’ve enabled MFA through Conditional Access policies or Security Defaults.

For those using legacy MFA, you can use MS Graph to check users’ per-user MFA status directly.

Check if MFA enabled for user

Here, the user has 2 MFA authentication methods. So, we can say that the user is protected by MFA.

MSOnline:
If you’d like to use MSOnline module, execute the below cmdlet.

(Get-MsolUser -UserPrincipalName <UPN>).StrongAuthenticationRequirements.State 

Get MFA status for a single user

If the cmdlet returns ‘Enabled’ or ‘Enforced,’ MFA is enabled for that user. If it doesn’t return any result, MFA is disabled for that user.

Check MFA Status Report for a List of Users (Import CSV):

Administrators can efficiently retrieve MFA status report for a list of users by importing a CSV file.

MS Graph:
To view MFA status for bulk users using MS Graph PowerShell, run the code below. It will export usernames and their MFA status to a CSV file.

# Read and process the CSV file 
$Users = Import-Csv -Path <CSVFilePath>  
$OutputCSVName = ".\MFAreport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
foreach ($User in $Users) { 
    $UserPrincipalName = $User.UPN 
    $UserMFAStatus = Get-MgBetaUserAuthenticationMethod -UserId $UserPrincipalName 
    # Determine MFA status 
    $MfaStatus = if ($UserMFAStatus.Count -gt 1) { "Enabled" } else { "Disabled" } 
    $Result = [PSCustomObject]@{ 
        UPN = $UserPrincipalName 
        "MFA Status" = $MfaStatus 
    } 
    # Export the result to a CSV file 
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append 
} 

MSOnline:
If you want to use thePoweShell cmdlet Get-MSolUser to check the MFA status, use the below code.

# Define the path for the input CSV file 
$Users = Import-Csv -Path <CSVFilePath> 
# Define the path for the output CSV file with a timestamp 
$outputCSVName = ".\MFAreport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
foreach ($user in $users) { 
    $userPrincipalName = $user.UPN 
    $mfaStatus = (Get-MsolUser -UserPrincipalName $userPrincipalName).StrongAuthenticationRequirements.state 
    # Determine MFA status 
    if ($mfaStatus -eq $null) { 
        $mfaStatus = "Disabled" 
    } 
    $result = [PSCustomObject]@{ 
        UserPrincipalName = $userPrincipalName 
        "MFA Status" = $mfaStatus 
    }  
    # Export the result to the output CSV file with -Append 
    $result | Export-Csv -Path $outputCSVName -NoTypeInformation -Append 
} 

Export MFA Status Report for All Microsoft 365 Users:

Using this use case, administrators can gain a comprehensive view of the MFA status for all Microsoft 365 users in their organization. By exporting an MFA status report, they can assess the level of security, compliance, and identify users who have or have not enabled MFA.

MS Graph:
To generate Azure MFA report (Currently, Entra ID MFA report) for all the Microsoft 365 users, run the following PowerShell script.

$OutputCSVName = ".\MFAStatusReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
Get-Mguser -All | foreach { 
    $UPN = $_.UserPrincipalName 
    Write-Progress -Activity "`n     Retrieving MFA status "`n"  Currently Processing: $UPN" 
    $UserMFAStatus = Get-MgBetaUserAuthenticationMethod -UserId $UPN 
    # Determine MFA status  
    $MfaStatus = if ($UserMFAStatus.Count -gt 1) { "Enabled" } else { "Disabled" }  
    $Result = [PSCustomObject]@{  
        "UPN" = $UPN  
        "MFA Status" = $MfaStatus  
    }  
    # Export the result to a CSV file  
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append  
} 

MSOnline:
If you want to export M365 users and their MFA status using the
Get-MSolUser cmdlet, you can use the below code snippet.

$OutputCSVName = ".\MFAStatusReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
Get-MsolUser -all | select UserPrincipalName,@{Name=”MFA Status”; E={if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else {“Disabled”}}} | Export-Csv -Path $OutputCSVName -NoTypeInformation –Append 

View MFA Enabled Users Report:

This report helps administrators quickly identify and confirm the MFA enabled users.

MS Graph:
To identify users with MFA, execute the PowerShell script below.

$OutputCSVName = ".\UsersWithMFA_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
Get-Mguser -All | foreach { 
    $UPN = $_.UserPrincipalName 
    Write-Progress -Activity "`n     Retrieving MFA status "`n"  Currently Processing: $UPN" 
    $UserMFAStatus = Get-MgBetaUserAuthenticationMethod -UserId $UPN 
    # Determine MFA status  
     if ($UserMFAStatus.Count -gt 1)  
     {  
     $MfaStatus ="Enabled"  
     $Result = [PSCustomObject]@{  
        "UPN" = $UPN  
        "MFA Status" = $MfaStatus 
    }  
     # Export the result to a CSV file  
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append }  
} 

Note: You can also use this method to identify users’ MFA status enabled through Conditional Access policies.

MSOnline:
To generate per-user MFA enabled users, run the following script.

$OutputCSVName = ".\MFAEnabledUsersReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
Get-MsolUser -All | foreach { 
    $UPN = $_.UserPrincipalName 
    Write-Progress -Activity "`n     Retrieving MFA status "`n"  Currently Processing: $UPN" 
    $UserMFAStatus = $_.StrongAuthenticationRequirements.State 
     if ($UserMFAStatus -ne $null)  
     {   
     $Result = [PSCustomObject]@{  
        "UPN" = $UPN  
        "MFA Status" = $UserMFAStatus 
    }  
     # Export the result to a CSV file  
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append }  
}
 

By referring to these reports, admins can effectively disable MFA for a specific user account using the CA policy based on their requirements.

MFA Disabled Users Report:

This report lists users who have not configured MFA for their accounts. It helps to identify users who may need to enable MFA to strengthen their account protection.

MS Graph:
To find users without MFA, run the following script.

$OutputCSVName = ".\MFADisabledUsers_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv"  
Get-Mguser -All | foreach {  
    $UPN = $_.UserPrincipalName  
    Write-Progress -Activity "`n     Retrieving MFA status "`n"  Currently Processing: $UPN" 
    $UserMFAStatus = Get-MgBetaUserAuthenticationMethod -UserId $UPN  
    # Determine MFA status   
     if ($UserMFAStatus.Count -eq 1)   
     {   
     $Result = [PSCustomObject]@{  
        "Users without MFA" = $UPN } 
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append 
    }   
} 

MSOnline:
If your organization has adopted per-user MFA, you can find user accounts not protected by MFA using the script below.

$OutputCSVName = "D:\MFADisabledUsersReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" 
Get-MsolUser -All | foreach { 
    $UPN = $_.UserPrincipalName 
    Write-Progress -Activity "`n     Retrieving MFA status "`n"  Currently Processing: $UPN" 
    $UserMFAStatus = $_.StrongAuthenticationRequirements.State 
     if ($UserMFAStatus -ne $null)  
     {   
     $Result = [PSCustomObject]@{  
        "Users Without MFA" = $UPN  
    }  
     # Export the result to a CSV file  
    $Result | Export-Csv -Path $OutputCSVName -NoTypeInformation -Append }  
} 

Efficient MFA Monitoring and Insights with AdminDroid:

Administrators often find managing MFA through PowerShell cmdlets to be a complex task. To alleviate this challenge, the AdminDroid Microsoft 365 reporting tool provides a diverse array of reports for streamlined monitoring of MFA status and sign-ins. This includes:

    • MFA Status Reports:
      • Users with MFA
      • Users without MFA
      • MFA enabled & enforced users
      • MFA disabled users
      • MFA activated & non-activated users
      • MFA device details
      • Admins without MFA
    • MFA Audit Reports:
      • Audit when MFA is enabled
      • Audit when MFA is disabled
    • MFA Analytics Reports:
      • Users categorized by MFA status
      • Users categorized by default authentication methods
      • Users categorized by configured authentication methods
    • MFA Sign-in Analytics Reports:
      • Failed MFA challenge sign-ins
      • All successful MFA sign-ins
      • MFA sign-ins via text message
      • MFA sign-ins via phone call
      • MFA sign-ins via app notification
      • MFA sign-in via app verification
    • MFA Source Reports:
      • MFA sign-ins through Conditional Access policies
      • MFA sign-ins through user-level settings

Microsoft 365 MFA dashboard get MFA status report from AdminDroid

Furthermore, the MFA status dashboard provides a clear view of your organization’s security exposure. AdminDroid doesn’t stop there; it offers over 1800 pre-built reports and 30+ smart dashboards covering various Microsoft services, allowing you to gain in-depth insights.

Download AdminDroid’s Microsoft 365 administration tool now to efficiently manage your M365 environment and enhance your security posture.

I hope this blog has helped you efficiently monitor MFA status for your users and configure it to enhance overall security. As MFA is one of the highest-scoring Microsoft Secure Score recommendations and a key factor in increasing your Secure Score, regularly checking its status for each user is crucial.

Check MFA Status for Microsoft 365 Users using PowerShell 

by Kavya time to read: 6 min
0