Powershell Code for MFA status

Mohit Pathak 25 Reputation points
2023-07-27T20:01:28.9133333+00:00
This is the powershell code for determining the MFA status of users in Azure Active directory [Excluding service accounts]

Issue : Some users have "Enforced" status under per-user MFA section, However They don't have any authentication methods setup. As per logic, The status of those users in Exported data should be "Enabled", But somehow It is coming as "Enforced" only no matter what I try

Code :

$users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*svc*" }
$results = @()

foreach ($user in $users) {
    $authMethods = $user.StrongAuthenticationMethods
    $mfaStatus = ""

if ($user.StrongAuthenticationRequirements -eq $null -or $user.StrongAuthenticationRequirements[0].State -eq "Disabled") {
    $mfaStatus = "Disabled"
} elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enforced" -and $authMethods.Count -eq 0) {
    $mfaStatus = "Enabled"
} elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enabled" -and $authMethods.Count -eq 0) {
    $mfaStatus = "Enabled"
} elseif ($authMethods.Count -gt 0) {
    $mfaStatus = "Enforced"
} else {
    $mfaStatus = "Disabled"  # Default to "Disabled" when no other conditions are met
}

    $results += [pscustomobject]@{
        DisplayName = $user.DisplayName
        MFAStatus = $mfaStatus
    }
}

$results | Export-Csv -Path "C:\Users\<MyName>\Desktop\AzureUsersMFAstatus.csv" -NoTypeInformation
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
1,857 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,659 questions
{count} votes

1 additional answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,046 Reputation points Microsoft Employee
    2023-07-31T20:38:35.43+00:00

    @Mohit Pathak

    Thank you for post and I apologize for the delayed response!

    I understand that you have a PowerShell script that is used to determine the MFA status of users within Azure AD (Excluding service accounts), when executing this script:

    • Some users are reflecting as Enforced when they don't have any authentication methods registered.
    • However, per your PS script's logic - these users should be reflecting as Enabled.

    To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    When looking into your PowerShell script, it looks like there might be an issue with your Enforced elseif statement. To resolve this, you should be able to reference the below script which should give you the correct MFA status for users.

    $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*svc*" }
    $results = @()
    foreach ($user in $users) {
        $authMethods = $user.StrongAuthenticationMethods
        $mfaStatus = ""
        if ($user.StrongAuthenticationRequirements -eq $null -or $user.StrongAuthenticationRequirements[0].State -eq "Disabled") {
            $mfaStatus = "Disabled"
        } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enforced" -and $authMethods.Count -eq 0) {
            $mfaStatus = "Enabled"
        } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enabled" -and $authMethods.Count -eq 0) {
            $mfaStatus = "Enabled"
    # Added this block:
        } elseif ($authMethods.Count -gt 0 -and $user.StrongAuthenticationRequirements[0].State -ne "Enforced") {
            $mfaStatus = "Enforced"
        } elseif ($authMethods.Count -gt 0 -and $user.StrongAuthenticationRequirements[0].State -eq "Enforced") {
            $mfaStatus = "Enabled" 
    #--------------------
        } else {
            $mfaStatus = "Disabled"  # Default to "Disabled" when no other conditions are met
        }
        $results += [pscustomobject]@{
            DisplayName = $user.DisplayName
            MFAStatus = $mfaStatus
        }
    }
    $results | Export-Csv -Path "C:\Users\<MyName>\Desktop\AzureUsersMFAstatus.csv" -NoTypeInformation
    

    If you have any other questions or are still having issues, please let me know.

    I hope this helps!

    Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    0 comments No comments