MFA Script - List of times MFA has been revoked

Brestelli, Nathan 1 Reputation point
2022-06-23T12:58:04.977+00:00

I am working on some metrics reporting and the items I am looking for I cannot seem to get. What I am looking for is a PowerShell script that will run a list of employees going back through January 1st, only if their MFA had been revoked. I can run a script that will tell me if it is currently revoked, but when they re-authenticate obviously they won't be counted in the list anymore. So I need some scripting help please and thank you. Or.. if their is a way to run that report in Azure or O365, could anyone point me in the right direction I have not been successful. Please and thank you!

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,603 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. David Broggy 3,976 Reputation points Microsoft MVP
    2022-06-23T14:48:17.577+00:00

    Hi @Brestelli, Nathan
    Have you seen this kql collection on Github? It has helped me many times!
    Sentinel-Queries

    You might be able to use this query if you're collecting your logs in Azure to a log analytics workspace.
    Audit-MFAChangesforPrivlegedUsers.kql

    Hope it helps.


  2. Limitless Technology 37,316 Reputation points
    2022-06-24T11:35:54.063+00:00

    Hi there,

    With PowerShell, we can easily get the MFA Status of all our Office 365 users. The basis for the script is the Get-MsolUser cmdlet, which gets the users from the Azure Active Directory.

    Get-MsolUser returns all the user details, including the parameter StrongAuthenticationMethods. This parameter will list all the strong authentication methods that a user is using. If this parameter is set, then we know that the user is using MFA.

    Make sure you are connected to MsolService

    Get-MFAStatus.ps1 | FT

    Or if you want an excel file

    Get-MFAStatus.ps1 | Export-CSV c:\temp\mfastatus.csv -noTypeInformation

    --------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–