How to obtain list of users if SMS MFA is enabled using PowerShell

Christopher Rugama 31 Reputation points
2022-08-23T17:18:32.833+00:00

Hello,

I am trying to get the list of all users currently using SMS MFA.

At this moment I'm using the next code to get the information of a single user.

Get-MgUserAuthenticationPhoneMethod -UserId ****@domainname.com

I want to extract the information of all users

I appreciate the help received.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Olga Os - MSFT 5,951 Reputation points Microsoft Employee
    2022-08-23T20:11:28.577+00:00

    Hello @Christopher Rugama ,

    Welcome to the MS Q&A forum.

    I played with the script from this post and below is the updated version which returns data required by your ask.

     Function Get-PerUserMFAStatus {   
        [CmdletBinding(DefaultParameterSetName='All')]  
        param(  
            [Parameter(  
                Mandatory = $false,  
                ParameterSetName = 'UPN',  
                Position = 0  
            )]  
            [string[]]  $UserPrincipalName,  
       
            [Parameter(  
                Mandatory = $false,  
                ParameterSetName = 'All'  
            )]  
            [switch]    $All  
        )  
        BEGIN {  
            if (-not (Get-MsolDomain -ErrorAction SilentlyContinue)) {  
                Write-Error "You must connect to the MSolService to continue" -ErrorAction Stop  
            }  
        }  
        PROCESS {  
            if ($PSBoundParameters.ContainsKey('UserPrincipalName')) {  
                $MsolUserList = foreach ($MsolUser in $UserPrincipalName) {  
                    try {  
                        Get-MsolUser -UserPrincipalName $MsolUser -ErrorAction Stop  
                           
                    } catch {  
                        Write-Error $_.Exception.Message  
                    }  
                }  
            } else {  
                $MsolUserList = Get-MsolUser -All -ErrorAction Stop | Where-Object {$_.DisplayName -notmatch 'On-Premises Directory Synchronization'}  
            }  
       
            # Now that we have our user list, check the per-user MFA status
            foreach ($User in $MsolUserList) {
                # Method types of every method registered for this user (not only the default one)
                $MethodType = $User.StrongAuthenticationMethods | Select-Object -ExpandProperty MethodType

                if ($User.StrongAuthenticationRequirements) {
                    $PerUserMFAState = $User.StrongAuthenticationRequirements.State
                } else {
                    $PerUserMFAState = 'Disabled'
                }

                # On a collection, -eq returns the matching elements, so this is true
                # when any registered method is OneWaySMS
                if ($MethodType -eq 'OneWaySMS') {
                    [PSCustomObject]@{
                        UserPrincipalName    = $User.UserPrincipalName
                        DisplayName          = $User.DisplayName
                        PerUserMFAState      = $PerUserMFAState
                        DefaultMethodType    = 'SMS Text Message'
                    }
                    $MethodType = $null
                }
            }
        }
        END {}  
    }  
      
     Get-PerUserMFAStatus -All   
    

    Hope that will help you to collect all required information.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    2 people found this answer helpful.

1 additional answer

  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2022-08-23T18:47:48.463+00:00

    Why don't you simply get the Credential registration report: https://learn.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http

    Get-MgReportCredentialUserRegistrationDetail if you want to use the MG PowerShell SDK.
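
The single-user cmdlet from the question, looped over every user with the Microsoft Graph PowerShell SDK. This is an added example, not part of any post in this thread and not Microsoft's code. The function name and CSV path are hypothetical, and it assumes the signed-in account holds a role that may read other users' authentication methods.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and that
# the two read-only delegated scopes below can be consented to in the tenant.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-SmsCapablePhoneUser {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # -All pages through the whole directory; request only the properties we use.
    $users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName

    foreach ($user in $users) {
        try {
            # Same cmdlet as in the question, called once per user.
            $phones = Get-MgUserAuthenticationPhoneMethod -UserId $user.Id -ErrorAction Stop
        } catch {
            # One unreadable user (for example, insufficient privileges) should not
            # abort the audit: report it and move on.
            Write-Warning "Skipping $($user.UserPrincipalName): $($_.Exception.Message)"
            continue
        }

        # Office phones receive voice calls only, so they are excluded.
        # PhoneType is kept in the output so mobile and alternateMobile
        # registrations can be told apart.
        foreach ($phone in ($phones | Where-Object { $_.PhoneType -ne 'office' })) {
            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                DisplayName       = $user.DisplayName
                PhoneType         = $phone.PhoneType
                PhoneNumber       = $phone.PhoneNumber
                SmsSignInState    = $phone.SmsSignInState
            }
        }
    }
}

# The CSV contains phone numbers; store it accordingly. Path is a placeholder.
Get-SmsCapablePhoneUser | Export-Csv -Path .\sms-mfa-users.csv -NoTypeInformation
```

Users with no registered phone method produce no rows, so the CSV lists only accounts that still have a phone number enrolled as an authentication method.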

