0

Get MFA Status For Azure/Office365 Users Using Powershell

If you’ve recently deployed MFA (Multi-Factor Authentication) in Office365/ Azure you may find that there is no easy way to report who has MFA enabled, and more importantly, which of your administrators don’t have MFA enabled. I ran across a problem that I needed to solve so I turned to Powershell for my solution. Therefore, I created a script to get MFA status using Powershell.

Here we will assume you have the correct permissions to access the MSOL service and the email address and userprincipalname are the same

Get MFA Status Using Powershell

Function Get-AzureMFAStatus {
<#
.Synopsis
    This will get the Multi-factor authentication status of your users and determine which of them or not are admins.
    For updated help and examples refer to -Online version.
 

.DESCRIPTION
    This will get the Multi-factor authentication status of your users and determine which of them or not are admins.
    For updated help and examples refer to -Online version.


.NOTES   
    Name: Get-AzureMFAStatus
    Author: theSysadminChannel
    Version: 1.0
    DateCreated: 2019-Feb-08


.LINK
    https://thesysadminchannel.com/get-mfa-status-for-azure-office365-users-using-powershell -
#>

    [CmdletBinding(DefaultParameterSetName="Default")]
    param(
        [Parameter(
            Position  = 0,
            Mandatory = $false,
            ValueFromPipeline =$true,
            ValueFromPipelineByPropertyName=$true,
            ParameterSetName = "UserPrincipalName"
        )]
        [string[]]   $UserPrincipalName,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false,
            ParameterSetName  = "ResultList"
        )]
        [int]        $MaxResults = 2000,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false,
            ParameterSetName  = "ResultList"
        )]
        [bool]       $isLicensed = $true,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false
        )]
        [switch]     $SkipAdminCheck


    )


    BEGIN {
        if (-not $SkipAdminCheck) {
            $AdminUsers = Get-MsolRole -ErrorAction Stop | foreach {Get-MsolRoleMember -RoleObjectId $_.ObjectID} | Where-Object {$null -ne $_.EmailAddress} | Select EmailAddress -Unique | Sort-Object EmailAddress
        }
    }

    PROCESS {
        if ($PSBoundParameters.ContainsKey("UserPrincipalName")) {
            foreach ($MsolUser in $UserPrincipalName) {
                try {
                    $User = Get-MsolUser -UserPrincipalName $MsolUser -ErrorAction Stop

                    if ($SkipAdminCheck) {
                        $isAdmin = "-"
                      } else {
                        if ($AdminUsers -match $User.UserPrincipalName) {
                            $isAdmin = $true
                          } else {
                            $isAdmin = $false
                        }
                    }

                    if ($User.StrongAuthenticationMethods) {
                        $MFAEnabled = $true
                      } else {
                        $MFAEnabled = $false
                    }


                    [PSCustomObject]@{
                        DisplayName       = $User.DisplayName
                        UserPrincipalName = $User.UserPrincipalName
                        isAdmin           = $isAdmin
                        MFAEnabled        = $MFAEnabled
                    }

                } catch {
                    [PSCustomObject]@{
                        DisplayName       = '_NotSynced'
                        UserPrincipalName = $User
                        isAdmin           = '-'
                        MFAEnabled        = '-'
                    }
                } finally {
                    $null = $User
                    $null = $isAdmin
                    $null = $MFAEnabled
                }
            }
        } else {
            $AllUsers = Get-MsolUser -MaxResults $MaxResults | Where-Object {$_.IsLicensed -eq $isLicensed}
            foreach ($User in $AllUsers) {
                if ($SkipAdminCheck) {
                    $isAdmin = "-"
                  } else {
                    if ($AdminUsers -match $User.UserPrincipalName) {
                        $isAdmin = $true
                      } else {
                        $isAdmin = $false
                    }
                }

                if ($User.StrongAuthenticationMethods) {
                    $MFAEnabled = $true
                  } else {
                    $MFAEnabled = $false
                }


                [PSCustomObject]@{
                    DisplayName       = $User.DisplayName
                    UserPrincipalName = $User.UserPrincipalName
                    isAdmin           = $isAdmin
                    MFAEnabled        = $MFAEnabled
                }

                $null = $User
                $null = $isAdmin
                $null = $MFAEnabled

            }
        }
    }

    END {}

}

 

Get-AzureMFAStatus

So that’s it. That’s how you get MFA status for Office365 / Azure for your domain. Hopefully you found this useful and if you did, don’t forget to check out our Youtube channel at @theSysadminChannel

Paul

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.