Powershell Code for MFA status

Mohit Pathak 25 Reputation points
2023-07-27T20:01:28.9133333+00:00
This is the PowerShell code for determining the MFA status of users in Azure Active Directory (excluding service accounts).

Issue: Some users have "Enforced" status under the per-user MFA section; however, they don't have any authentication methods set up. As per the logic, the status of those users in the exported data should be "Enabled", but somehow it is coming as "Enforced" only, no matter what I try.

Code:

$users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*svc*" }
$results = @()

foreach ($user in $users) {
    $authMethods = $user.StrongAuthenticationMethods
    $mfaStatus = ""

    if ($user.StrongAuthenticationRequirements -eq $null -or $user.StrongAuthenticationRequirements[0].State -eq "Disabled") {
        $mfaStatus = "Disabled"
    } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enforced" -and $authMethods.Count -eq 0) {
        $mfaStatus = "Enabled"
    } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enabled" -and $authMethods.Count -eq 0) {
        $mfaStatus = "Enabled"
    } elseif ($authMethods.Count -gt 0) {
        $mfaStatus = "Enforced"
    } else {
        $mfaStatus = "Disabled"  # Default to "Disabled" when no other conditions are met
    }

    $results += [pscustomobject]@{
        DisplayName = $user.DisplayName
        MFAStatus = $mfaStatus
    }
}

$results | Export-Csv -Path "C:\Users\<MyName>\Desktop\AzureUsersMFAstatus.csv" -NoTypeInformation
    JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2023-07-31T20:38:35.43+00:00

    @Mohit Pathak

    Thank you for your post, and I apologize for the delayed response!

    I understand that you have a PowerShell script that is used to determine the MFA status of users within Azure AD (excluding service accounts). When executing this script:

    • Some users are reflecting as Enforced when they don't have any authentication methods registered.
    • However, per your PS script's logic - these users should be reflecting as Enabled.

    To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    When looking into your PowerShell script, it looks like there might be an issue with your Enforced elseif statement. To resolve this, you should be able to reference the script below, which should give you the correct MFA status for users.

    $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*svc*" }
    $results = @()
    foreach ($user in $users) {
        $authMethods = $user.StrongAuthenticationMethods
        $mfaStatus = ""
        if ($user.StrongAuthenticationRequirements -eq $null -or $user.StrongAuthenticationRequirements[0].State -eq "Disabled") {
            $mfaStatus = "Disabled"
        } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enforced" -and $authMethods.Count -eq 0) {
            $mfaStatus = "Enabled"
        } elseif ($user.StrongAuthenticationRequirements[0].State -eq "Enabled" -and $authMethods.Count -eq 0) {
            $mfaStatus = "Enabled"
        # Added this block:
        } elseif ($authMethods.Count -gt 0 -and $user.StrongAuthenticationRequirements[0].State -ne "Enforced") {
            $mfaStatus = "Enforced"
        } elseif ($authMethods.Count -gt 0 -and $user.StrongAuthenticationRequirements[0].State -eq "Enforced") {
            $mfaStatus = "Enabled"
        #--------------------
        } else {
            $mfaStatus = "Disabled"  # Default to "Disabled" when no other conditions are met
        }
        $results += [pscustomobject]@{
            DisplayName = $user.DisplayName
            MFAStatus = $mfaStatus
        }
    }
    $results | Export-Csv -Path "C:\Users\<MyName>\Desktop\AzureUsersMFAstatus.csv" -NoTypeInformation


    If you have any other questions or are still having issues, please let me know.

    I hope this helps!

    Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

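An offline check of the classification logic discussed in this thread, added here as an example (it is not the asker's or the answerer's code): the decision is isolated in a function that reads the same two Get-MsolUser properties, and it is run over constructed sample users so each branch can be verified without a tenant. It assumes that for a user with no per-user MFA requirement MSOL returns an empty StrongAuthenticationRequirements collection rather than $null, which a plain -eq $null test would miss; the function name, the output columns and the sample users are hypothetical.

```powershell
function Get-PerUserMfaStatus {
    param([Parameter(Mandatory)] $User)

    # Normalise $null, a single item or an empty list to a plain array so that
    # .Count is reliable in every case (@($null) on its own would have Count 1).
    # Assumed: MSOL gives an empty list, not $null, when no per-user requirement
    # exists, so a bare "-eq $null" check never matches such users.
    $requirements = @($User.StrongAuthenticationRequirements | Where-Object { $null -ne $_ })
    $methods      = @($User.StrongAuthenticationMethods      | Where-Object { $null -ne $_ })
    $state        = if ($requirements.Count -gt 0) { $requirements[0].State } else { 'None' }

    # The per-user state decides the status. Registered methods on their own
    # (e.g. from Conditional Access registration) do not make a user Enforced.
    $status = switch ($state) {
        'Enforced' { 'Enforced' }
        'Enabled'  { 'Enabled' }
        default    { 'Disabled' }
    }

    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        PerUserState      = $state
        MethodCount       = $methods.Count
        MFAStatus         = $status
        # Flag the case from the question: Enforced but nothing registered yet.
        NeedsRegistration = ($state -eq 'Enforced' -and $methods.Count -eq 0)
    }
}

# Constructed sample users (no real tenant data) covering each branch.
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName                = 'enforced.nomethods@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @()
    }
    [pscustomobject]@{
        UserPrincipalName                = 'enabled.withmethods@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification' })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'nomfa.withmethods@example.com'
        StrongAuthenticationRequirements = @()   # empty list, not $null
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS' })
    }
)

$sampleUsers | ForEach-Object { Get-PerUserMfaStatus -User $_ } | Format-Table -AutoSize
```

Piping the output of Get-MsolUser into the same function instead of $sampleUsers gives the per-user state and the registered-method count as separate columns, so a user who is Enforced with no methods is reported as such rather than being folded into another status.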