check which users have registered for MFA

Question

check which users have registered for MFA

dirkdigs 921

hi there i was looking for quick one-liner or similar to retrieve a list of users within a given tenant who have MFA Enabled on the user accoutn and also to determine the users who do not . thanks

Accepted answer

2 additional answers

Your answer

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @dirkdigs · Thank you for reaching out.

You can use below PowerShell command to get list of users with MFA Enabled/Disabled:

Connect-MsolService  
Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Kailash V 21 Reputation points

2022-03-21T16:50:50.193+00:00

Hi @AmanpreetSingh-MSFT , Is there a way to identify the list within the GUI, instead of Powershell.? Thanks
Ali Soufi 6 Reputation points

2022-03-23T20:14:45.113+00:00

From the admin panel, select users, then Active users. On top section, select Multi-factor Authentication. This list will show for whom MFA is enabled (Enforced).
Benji 1 Reputation point

2022-04-07T21:57:07.663+00:00

Hi @AmanpreetSingh-MSFT ,

Here's one I have been looking for: looking for script that identifies BOTH users who have OWA enabled and MFA is disabled. I am afraid because these queries run against—I believe—two different systems (Azure and Exchange), that is why the query is not widely available.

Thanks in advance.
Ali Soufi 6 Reputation points

2022-04-08T02:05:29.257+00:00

You need to connect to both MSOL and ExcahngeOnline then run something like this:

Get-EXOCASMailbox | where {$.Identity -notmatch 'DiscoverySearchMailbox'} | where { $.OWAEnabled -eq 'True'} | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress

P.S.: To install ExchangeOnline module you need to run this: Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
Ali Soufi 6 Reputation points

2022-04-08T02:07:28.323+00:00

I don't know why but each time I copy the script system auto corrects it somehow to something that doesn't work!!!
Get-EXOCASMailbox | where {$.Identity -notmatch 'DiscoverySearchMailbox'} | where { $.OWAEnabled -eq 'True'} | where { (Get-MsolUser -ObjectId $_.ExternalDirectoryObjectId).StrongAuthenticationRequirements.State -eq $null } | ft DisplayName,PrimarySmtpAddress

if you see a $. please change it to $ _ . (without spaces)
Benji 1 Reputation point

2022-04-08T18:54:00.01+00:00

Worked like a charm, and odd that you have a dollar underscore in the third where clause that didn't auto-correct.
Mike Parton 6 Reputation points

2023-02-13T21:16:47.16+00:00
This is great! I am trying to put together a single script that provides ALL of these elements:

UPN

MFA status

Whether OWA is enabled or not

License (EOK, Business Basic, Business Standard or whatever will help me granularly identify the license type the corresponding UPN has associated with it) Thanks in advance!
Ryan B Cooley 51 Reputation points

2023-05-09T17:52:14.0866667+00:00

Do we have this in Azure Active Directory V2 PowerShell?
38558329 1 Reputation point

2023-10-04T19:15:40.3766667+00:00

When copying scripts, use a generic txt editor like Notepad++
The problem copying code is that ' and "" in dos, are not the same in Windows.
Windows editors use ANSI, I think and PS and other languages don't like it.

Answer 2

Ali Soufi 6

Hi,

Sorry for the late response.
From my understating you want to know who got it setup before you forcefully enable it.

If a user setups MFA the value of "StrongAuthenticationMethods" will not be null

This should help:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA User Setup"; E={ if( $.StrongAuthenticationMethods -ne $null){"Enabled"} else { "Disabled"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

Ali Soufi 6 Reputation points

2022-03-23T20:11:38.707+00:00

sorry there were some typos:
Get-MsolUser -all | Select-Object DisplayName,UserPrincipalName,@{N="MFA Ready"; E={ if( $.StrongAuthenticationMethods -ne $null){"Yes"} else { "No"}}},@{N="MFA Admin Enforced"; E={ if( $.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | ft -AutoSize
38558329 1 Reputation point

2023-10-04T19:02:01.0866667+00:00

Yours does not display the MFA Auth status. I think this is all depreciated because it is referencing the legacy interface where users can be enabled or disabled per user. Microsoft STILL has not fixed. I will post what is working for me

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

check which users have registered for MFA

2 additional answers

Your answer