This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 79%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
I need to check if users on a list have mfa enabled. There are many users to consult on the Portal. And I also don't want to do the query using the get-mfareports.ps1 script that brings the status of all users, as I would have to compare line by line with the list I already have.
@Selma Saglauskas Dias Gambarini
I wanted to check in and see if you had any other questions or if any of the answers below helped to resolve your issue?
Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
There's no need for you to compare the lists manually.
That script is capable of creating a CSV file. Put your list in another CSV file and create a hash from whatever list is shorter. If a user is in the CSV produced by the script isn't in your list, you can write another file containing the information you need to add that user to your list.
Hi, this is exactly what I don't want to do. I want to make a query using user accounts that are in a list that I already have. For example, I want to know if Maria, João, José and Pedro have mfa enabled. It could run multiple commands by pasting multiple lines at once, like
Get-Msoluser -UserPrincipalName maria -StrongAuthenticationRequirements
Get-Msoluser -UserPrincipalName john -StrongAuthenticationRequirements
Get-Msoluser -UserPrincipalName pedro -StrongAuthenticationRequirements
Get-Msoluser -UserPrincipalName josé -StrongAuthenticationRequirements
To bring whether they have mfa enabled or not.
You have the source code for the script, so you can see how the author acquired the information. You just have to use your list to supply the identities needed to retrieve the information for each user in your list instead of getting all users.
@Selma Saglauskas Dias Gambarini
Thank you for your post and I apologize for the delayed response!
From your issue, I understand that you have a pre-determined list of users, and you'd like a PowerShell script to check if the users on that list have MFA enabled. To hopefully resolve your issue or point you in the right direction, you should be able to accomplish this using the PS script(s) below.
Note: Prior to following the below script you'll need to create a list of users that you want to check. You can do this by creating a CSV file with a column for the user's email address. For example:
For more info on Azure Active Directory (MSOnline):
#Install the Azure AD MSOnline Module
Install-Module MSOnline
#Connect to your Azure AD tenant
Connect-MsolService
#Load the list of pre-defined users into PowerShell by running the following command:
$users = Import-Csv -Path "C:\path\Desktop\users.csv"
#Create an empty array to store the results:
$results = @()
#Loop through the list of users and check if MFA is enabled for each user. Instead of writing the results to the console, we'll be adding them to the $results array:
foreach ($user in $users) {
$userObject = Get-MsolUser -UserPrincipalName $user.Email
$mfaStatus = $userObject.StrongAuthenticationMethods.Count
$result = New-Object -TypeName PSObject -Property @{
Email = $user.Email
MFAEnabled = $mfaStatus -gt 0
}
$results += $result
}
#Export the $results array to a CSV file:
$results | Export-Csv -Path "C:\path\to\results.csv" -NoTypeInformation
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
@Selma Saglauskas Dias Gambarini
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Hello, James Tran, good afternoon. Unfortunately, the script did not bring correct results. When bringing the information that some accounts had True status in MFAEnabled, I checked directly on the Portal, and MFA is disabled for them.
@Selma Saglauskas Dias Gambarini
Thank you for following up on this and I apologize for the delayed response!
I wanted to check-in and see if the additional answer shared by @Rich Matheisen ,with the modified version of the script, helped produce the correct output in regard to your user's MFA statuses?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
@Selma Saglauskas Dias Gambarini
Thank you for looking into @Rich Matheisen 's script below and for sharing your feedback!
When it comes to my script above outputting accounts with MFAEnabled, when you checked directly on the Portal, and the MFA is disable for them - can you share a screenshot of what you're seeing so I can gain a better understanding of the incorrect output?
Referencing the Authentication Methods User registration details:
If you don't have access to the Authentication Methods User registration details, you can also check for any registered MFA methods within the User's Profile under Authentication Methods.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
@Selma Saglauskas Dias Gambarini
I wanted to check in and see if you had a chance to review my previous comment?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
This is a modified version of the code submitted by @JamesTran-MSFT . If it still produces incorrect results you can check if one of the StrongAuthenticationMethods has its "IsDefault" property set to $true.
Install-Module MSOnline # you can remove this if the module's already installed
#Connect to your Azure AD tenant
Connect-MsolService
Import-Csv -Path "C:\path\Desktop\users.csv"
#Loop through the list of users and check if MFA is enabled for each user. Instead of writing the results to the console, we'll create a CSV
Import-Csv -Path "C:\path\Desktop\users.csv" |
ForEach-Object {
Try{
$email = $_.Email # used only in 'Catch' block
$userObject = Get-MsolUser -UserPrincipalName $_.Email -ErrorAction STOP
[PSCustomObject]@{
Email = $_.Email
MFAEnabled = (if ($userObject.StrongAuthenticationMethods){$true}else{$false})
}
}
Catch{
Write-Host "User '$email' was not found."
}
} | Export-Csv -Path "C:\path\to\results.csv" -NoTypeInformation
Hello, I apologize for the delay. I ran the script but now the problem is another: information appears that the user was not located:
User '******@abc.com' was not found.