Check MFA-Status of Users (Powershell)

Finding information about MFA on a user in Azure Active Directory can be achieved in mutiple ways. Here, I will describe an easy way of finding MFA-information (registered, and by which method) by using Powershell, the cmdlet Get-Msoluser and its related property StrongAuthenticationMethods.

Prerequisite:
Install the powershell Module MSOnline:
Install-Module MSOnline
Then, connect to the service in Powershell by:
Connect-MsolService

When authenticated, query all users who have MFA activated using the following code:
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Now, let’s expand the property StrongAuthenticationMethods to get more information about MFA’s state, and which MFA-method the user has configured MFA with:
Get-MsolUser -All | Where {$_.UserPrincipalName} | Select UserPrincipalName, DisplayName, @{n=”Status”; e={$_.StrongAuthenticationRequirements.State}}, @{n=”Methods”; e={($_.StrongAuthenticationMethods).MethodType}}, @{n=”Chosen Method”; e={($_.StrongAuthenticationMethods).IsDefault}} | Out-GridView

Useful result when working with Microsoft 365 and MFA. As you see above, allowed methods in my tenant is PhoneAppOTP and PhoneAppNotification (Microsoft Authenticator). The chosen method for this users MFA is PhoneAppNotification. The reason why the Status-field is empty is because this user activated MFA via a Conditional Access Policy and the MFA is not enabled/Enforced via the old MFA-portal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s