Get MFA Status For Azure/Office365 Users Using Powershell

Paul Contreras — Thu, 21 Feb 2019 05:14:06 +0000

If you’ve recently deployed MFA (Multi-Factor Authentication) in Office365/ Azure you may find that there is no easy way to report who has MFA enabled, and more importantly, which of your administrators don’t have MFA enabled. I ran across a problem that I needed to solve so I turned to Powershell for my solution. Therefore, I created a script to get MFA status using Powershell.

Here we will assume you have the correct permissions to access the MSOL service and the email address and userprincipalname are the same

Get MFA Status Using Powershell


Function Get-AzureMFAStatus {
<#
.Synopsis
    This will get the Multi-factor authentication status of your users and determine which of them or not are admins.
    For updated help and examples refer to -Online version.
 

.DESCRIPTION
    This will get the Multi-factor authentication status of your users and determine which of them or not are admins.
    For updated help and examples refer to -Online version.


.NOTES   
    Name: Get-AzureMFAStatus
    Author: theSysadminChannel
    Version: 1.0
    DateCreated: 2019-Feb-08


.LINK
    https://thesysadminchannel.com/get-mfa-status-for-azure-office365-users-using-powershell -
#>

    [CmdletBinding(DefaultParameterSetName="Default")]
    param(
        [Parameter(
            Position  = 0,
            Mandatory = $false,
            ValueFromPipeline =$true,
            ValueFromPipelineByPropertyName=$true,
            ParameterSetName = "UserPrincipalName"
        )]
        [string[]]   $UserPrincipalName,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false,
            ParameterSetName  = "ResultList"
        )]
        [int]        $MaxResults = 2000,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false,
            ParameterSetName  = "ResultList"
        )]
        [bool]       $isLicensed = $true,


        [Parameter(
            Mandatory         = $false,
            ValueFromPipeline = $false
        )]
        [switch]     $SkipAdminCheck


    )


    BEGIN {
        if (-not $SkipAdminCheck) {
            $AdminUsers = Get-MsolRole -ErrorAction Stop | foreach {Get-MsolRoleMember -RoleObjectId $_.ObjectID} | Where-Object {$null -ne $_.EmailAddress} | Select EmailAddress -Unique | Sort-Object EmailAddress
        }
    }

    PROCESS {
        if ($PSBoundParameters.ContainsKey("UserPrincipalName")) {
            foreach ($MsolUser in $UserPrincipalName) {
                try {
                    $User = Get-MsolUser -UserPrincipalName $MsolUser -ErrorAction Stop

                    if ($SkipAdminCheck) {
                        $isAdmin = "-"
                      } else {
                        if ($AdminUsers -match $User.UserPrincipalName) {
                            $isAdmin = $true
                          } else {
                            $isAdmin = $false
                        }
                    }

                    if ($User.StrongAuthenticationMethods) {
                        $MFAEnabled = $true
                      } else {
                        $MFAEnabled = $false
                    }


                    [PSCustomObject]@{
                        DisplayName       = $User.DisplayName
                        UserPrincipalName = $User.UserPrincipalName
                        isAdmin           = $isAdmin
                        MFAEnabled        = $MFAEnabled
                    }

                } catch {
                    [PSCustomObject]@{
                        DisplayName       = '_NotSynced'
                        UserPrincipalName = $User
                        isAdmin           = '-'
                        MFAEnabled        = '-'
                    }
                } finally {
                    $null = $User
                    $null = $isAdmin
                    $null = $MFAEnabled
                }
            }
        } else {
            $AllUsers = Get-MsolUser -MaxResults $MaxResults | Where-Object {$_.IsLicensed -eq $isLicensed}
            foreach ($User in $AllUsers) {
                if ($SkipAdminCheck) {
                    $isAdmin = "-"
                  } else {
                    if ($AdminUsers -match $User.UserPrincipalName) {
                        $isAdmin = $true
                      } else {
                        $isAdmin = $false
                    }
                }

                if ($User.StrongAuthenticationMethods) {
                    $MFAEnabled = $true
                  } else {
                    $MFAEnabled = $false
                }


                [PSCustomObject]@{
                    DisplayName       = $User.DisplayName
                    UserPrincipalName = $User.UserPrincipalName
                    isAdmin           = $isAdmin
                    MFAEnabled        = $MFAEnabled
                }

                $null = $User
                $null = $isAdmin
                $null = $MFAEnabled

            }
        }
    }

    END {}

}

So that’s it. That’s how you get MFA status for Office365 / Azure for your domain. Hopefully you found this useful and if you did, don’t forget to check out our Youtube channel at @theSysadminChannel

The post Get MFA Status For Azure/Office365 Users Using Powershell appeared first on the Sysadmin Channel.

azure powershell mfa settings Archives - the Sysadmin Channel

Get MFA Status For Azure/Office365 Users Using Powershell

Get MFA Status Using Powershell