MFA Script - List of times MFA has been revoked

Brestelli, Nathan 1 Reputation point

I am working on some metrics reporting and the items I am looking for I cannot seem to get. What I am looking for is a PowerShell script that will run a list of employees going back through January 1st, only if their MFA had been revoked. I can run a script that will tell me if it is currently revoked, but when they re-authenticate obviously they won't be counted in the list anymore. So I need some scripting help please and thank you. Or, if there is a way to run that report in Azure or O365, could anyone point me in the right direction? I have not been successful. Please and thank you!

Microsoft Entra ID

2 answers

  1. David Broggy 5,581 Reputation points MVP

    Hi @Brestelli, Nathan
    Have you seen this KQL collection on GitHub? It has helped me many times!

    You might be able to use this query if you're collecting your logs in Azure to a log analytics workspace.

    Hope it helps.

  2. Limitless Technology 39,206 Reputation points

    Hi there,

    With PowerShell, we can easily get the MFA Status of all our Office 365 users. The basis for the script is the Get-MsolUser cmdlet, which gets the users from the Azure Active Directory.

    Get-MsolUser returns all the user details, including the parameter StrongAuthenticationMethods. This parameter will list all the strong authentication methods that a user is using. If this parameter is set, then we know that the user is using MFA.

    Make sure you are connected to MsolService:

    .\Get-MFAStatus.ps1 | FT

    Or, if you want an Excel file:

    .\Get-MFAStatus.ps1 | Export-CSV c:\temp\mfastatus.csv -noTypeInformation


    -- If the reply is helpful, please Upvote and Accept it as an answer --
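
Added example, not part of either answer and not the Get-MFAStatus.ps1 script referenced above: the StrongAuthenticationMethods check from the second answer, extended to compare two saved snapshots so that accounts which lost their MFA registration between runs are listed. Get-MfaState and Compare-MfaSnapshot are hypothetical helper names and the sample users are constructed; live use assumes the MSOnline module and a Connect-MsolService session.

```powershell
# Added example; Get-MfaState and Compare-MfaSnapshot are hypothetical helper names.
function Get-MfaState {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # Drop $null so a user with no registered methods counts as zero.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaRegistered     = $methods.Count -gt 0
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
        }
    }
}

function Compare-MfaSnapshot {
    param([object[]]$Previous, [object[]]$Current)
    # Index the current snapshot by UPN, then report users who had MFA and no longer do.
    $now = @{}
    foreach ($row in $Current) { $now[$row.UserPrincipalName] = $row }
    foreach ($row in $Previous) {
        $cur = $now[$row.UserPrincipalName]
        # String comparison works for live booleans and for values read back with Import-Csv.
        if ($cur -and [string]$row.MfaRegistered -eq 'True' -and [string]$cur.MfaRegistered -eq 'False') {
            [pscustomobject]@{
                UserPrincipalName = $row.UserPrincipalName
                PreviousMethod    = $row.DefaultMethod
            }
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sms = [pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' }
$yesterday = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; StrongAuthenticationMethods = @($sms) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   StrongAuthenticationMethods = @($sms) }
) | Get-MfaState
$today = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; StrongAuthenticationMethods = @($sms) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   StrongAuthenticationMethods = @() }
) | Get-MfaState

Compare-MfaSnapshot -Previous $yesterday -Current $today | Format-Table
# Live use, after Connect-MsolService:
#   Get-MsolUser -All | Get-MfaState | Export-Csv c:\temp\mfastatus.csv -NoTypeInformation
```

The comparison only sees changes between snapshots that were actually saved, so it does not reconstruct revocations that happened before the first snapshot was taken.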