MFA Script - List of times MFA has been revoked

Brestelli, Nathan 1 Reputation point
2022-06-23T12:58:04.977+00:00

I am working on some metrics reporting and I cannot seem to get the items I am looking for. What I am looking for is a PowerShell script that will run a list of employees going back through January 1st, only if their MFA had been revoked. I can run a script that will tell me if it is currently revoked, but when they re-authenticate obviously they won't be counted in the list anymore. So I need some scripting help, please and thank you. Or, if there is a way to run that report in Azure or O365, could anyone point me in the right direction? I have not been successful. Please and thank you!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. David Broggy 6,101 Reputation points MVP
    2022-06-23T14:48:17.577+00:00

    Hi @Brestelli, Nathan
    Have you seen this KQL collection on GitHub? It has helped me many times!
    Sentinel-Queries

    You might be able to use this query if you're collecting your logs in Azure to a log analytics workspace.
    Audit-MFAChangesforPrivlegedUsers.kql

    Hope it helps.


  2. Limitless Technology 39,811 Reputation points
    2022-06-24T11:35:54.063+00:00

    Hi there,

    With PowerShell, we can easily get the MFA Status of all our Office 365 users. The basis for the script is the Get-MsolUser cmdlet, which gets the users from the Azure Active Directory.

    Get-MsolUser returns all the user details, including the parameter StrongAuthenticationMethods. This parameter will list all the strong authentication methods that a user is using. If this parameter is set, then we know that the user is using MFA.

    Make sure you are connected to MsolService:

    .\Get-MFAStatus.ps1 | FT

    Or, if you want an Excel file:

    .\Get-MFAStatus.ps1 | Export-Csv c:\temp\mfastatus.csv -NoTypeInformation

    --------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–
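
Because Get-MsolUser only shows a user's current state, a historical list has to come from the Entra audit log, the same data the KQL query in the first answer reads. The script below is an added example, not code from either answer or from the Sentinel-Queries repository; it assumes the Microsoft.Graph.Reports module is installed and that the three activity names listed are what "revoked" means in your tenant, so check them against your own audit log first.

```powershell
# Added example: list MFA-removal audit events per user since a start date.
# Assumptions: Microsoft.Graph.Reports module; AuditLog.Read.All consent;
# the activity names below are the events you count as "MFA revoked".
param(
    [datetime]$Since   = '2022-01-01',
    [string]  $OutFile = 'C:\temp\mfa-revocations.csv'   # hypothetical path
)

Connect-MgGraph -Scopes 'AuditLog.Read.All'

$activities = @(
    'Admin deleted security info',
    'User deleted security info',
    'Disable Strong Authentication'
)

$start = $Since.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# One query per activity keeps each OData filter simple.
$events = foreach ($name in $activities) {
    $filter = "activityDateTime ge $start and activityDisplayName eq '$name'"
    Get-MgAuditLogDirectoryAudit -All -Filter $filter
}

$report = $events | ForEach-Object {
    # The affected account is the target resource that carries a UPN.
    $target = $_.TargetResources | Where-Object UserPrincipalName |
        Select-Object -First 1
    $actor = $_.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $_.InitiatedBy.App.DisplayName }

    [pscustomobject]@{
        TimeUtc     = $_.ActivityDateTime
        Activity    = $_.ActivityDisplayName
        Result      = $_.Result
        TargetUser  = $target.UserPrincipalName
        InitiatedBy = $actor
    }
} | Sort-Object TimeUtc

$report | Export-Csv $OutFile -NoTypeInformation

# Per-user count; users who later re-registered still appear here.
$report | Group-Object TargetUser |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table

# Graph only returns what the tenant still retains (30 days with P1/P2,
# 7 days on Free). Older history needs logs exported to Log Analytics.
```

If the earliest row in the CSV is later than the requested start date, the gap is the retention limit, and the missing period can only be recovered from a Log Analytics workspace or another archive that was already receiving the audit logs.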

