When planning a multifactor authentication (MFA) rollout in your organization, you may discover that it is not that easy to find out whether a given user has MFA enabled, how many users in the organization are already configured for the feature, and so forth. In this article, we cover the PowerShell cmdlets required to retrieve that information, and in the last section we show a script that brings together everything covered here. Before getting to the technical details, it is important to understand the two methods available to enable MFA for any given user.
The first method is called changing the user state. We assign this at the user level using the MFA portal, which can be reached through the Azure Portal, the Office 365 Admin center, and so forth. A second, less common method is conditional access (this requires Azure AD Premium), where we instruct end users to visit the aka.ms/MFASetup page and register their MFA settings before the solution is rolled out. The two approaches leave different traces on the user object, and in this article we show how to retrieve the MFA information of any given user regardless of which one was used.
Before starting our journey, we need to make sure that we have the Microsoft Online module installed on the computer where we are going to connect through PowerShell. Make sure that you run the cmdlet below as an administrator.
Install-Module MSOnline
Finding users who are enabled with MFA user assignment or conditional access
There is no single attribute that states which type of MFA was enabled for a user. However, knowing which properties each method populates on the user object lets us infer it.
If we want a list of all users who were enabled through MFA conditional access, an easy method is to look at the StrongAuthenticationMethods property. If it is anything but $null, we know that the user went through the aka.ms/MFASetup steps to register the account. The following cmdlet lists all such users:
Get-MSOLUser -All | Where {$_.StrongAuthenticationMethods -ne $null }
If we want to know which users were enabled using the MFA Portal (the changing-user-state process), we need to look at the StrongAuthenticationRequirements property and its sub-property State. If it is anything but $null, we know that the user had MFA enabled through the MFA portal. The following cmdlet lists all users that were enabled using the MFA Portal:
Get-MsolUser -all | where-Object { $_.StrongAuthenticationRequirements.State -ne $null }
How to find out if the self-service password is enabled
You may want to find out which users have registered for the self-service password reset feature. That can be done by checking the StrongAuthenticationUserDetails attribute: if it holds any data, it is a strong indication that the user configured self-service password reset.
$vUser = Get-MsolUser -UserPrincipalName <UserName> -ErrorAction SilentlyContinue
Write-Host $vUser.StrongAuthenticationUserDetails
The script code
We have covered the individual cmdlets needed to retrieve this information; by putting them together we can create a simple script for our toolbox that answers the usual questions when rolling out MFA.
The script is simple. It accepts two switch parameters: -AllMFAConditional, which lists all users enabled through the MFA conditional access process, and -AllMFAPortal, which lists all users enabled through the MFA Portal (changing user state).
The other option is to provide a username. The script appends the domain suffix (such as @domain.ca) automatically, so make sure to change the domain in the script before running it for the first time. It then reports all MFA details for that user. In the example below, we can see that the first user has not configured MFA and the second user has the feature enabled through conditional access.
Here is the code that retrieves the MFA details of a single user, or lists all users enabled either through the MFA Portal or through the MFA conditional access process:
Param(
    [parameter(mandatory=$false)]$User,
    [switch]$AllMFAConditional,
    [switch]$AllMFAPortal
)

# Autocomplete: append the tenant domain to the supplied username (change before first run)
$User = $User + "@itprocentral.com"
$vPath = (Get-Location).Path + "\"

# Users registered through conditional access have StrongAuthenticationMethods populated
If ($AllMFAConditional) {
    $vUser = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods -ne $null }
    Write-Host
    Write-Host "Number of users with MFA (Conditional) enabled: " $vUser.Count
    Write-Host
    Write-Host "List of all users configured with MFA (Conditional).."
    Write-Host
    $vUser | ForEach-Object { Write-Host $_.DisplayName "-" $_.UserPrincipalName }
    Write-Host
    return   # stop here; 'return' instead of 'break' so a caller's loop is not affected
}

# Users enabled through the MFA Portal have StrongAuthenticationRequirements.State set
If ($AllMFAPortal) {
    $vUser = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements.State -ne $null }
    Write-Host
    Write-Host "Number of users with MFA (Portal) enabled: " $vUser.Count
    Write-Host
    Write-Host "List of all users configured with MFA (Portal).."
    Write-Host
    $vUser | ForEach-Object { Write-Host $_.DisplayName "-" $_.UserPrincipalName }
    Write-Host
    return
}

# Single-user report
$vUser = Get-MsolUser -UserPrincipalName $User -ErrorAction SilentlyContinue
If ($vUser) {
    Write-Host
    Write-Host "User Details for" $vUser.UserPrincipalName
    Write-Host
    Write-Host "Self-Service Password Feature (SSP)..: " -NoNewline
    If ($vUser.StrongAuthenticationUserDetails) { Write-Host -ForegroundColor Green "Enabled" } Else { Write-Host -ForegroundColor Yellow "Not Configured" }

    Write-Host "MFA Feature (Portal) ................: " -NoNewline
    If ((($vUser | Select-Object -ExpandProperty StrongAuthenticationRequirements).State) -ne $null) { Write-Host -ForegroundColor Yellow "Enabled! It overrides Conditional" } Else { Write-Host -ForegroundColor Green "Not Configured" }

    Write-Host "MFA Feature (Conditional)............: " -NoNewline
    If ($vUser.StrongAuthenticationMethods) {
        Write-Host -ForegroundColor Green "Enabled"
        Write-Host
        Write-Host "Authentication Methods:"
        for ($i = 0; $i -lt $vUser.StrongAuthenticationMethods.Count; ++$i) {
            Write-Host $vUser.StrongAuthenticationMethods[$i].MethodType "(" $vUser.StrongAuthenticationMethods[$i].IsDefault ")"
        }
        Write-Host
        Write-Host "Phone entered by the end-user:"
        Write-Host "Phone Number.........: " $vUser.StrongAuthenticationUserDetails.PhoneNumber
        Write-Host "Alternative Number...: " $vUser.StrongAuthenticationUserDetails.AlternativePhoneNumber
    } Else {
        Write-Host -ForegroundColor Yellow "Not Configured"
    }

    # Conditional access needs Azure AD Premium; look for a P1 SKU among the user's licenses
    Write-Host
    Write-Host "License Requirements.................: " -NoNewline
    $vLicense = $False
    for ($i = 0; $i -lt $vUser.Licenses.Count; ++$i) {
        if (($vUser.Licenses[$i].AccountSkuId) -like '*P1*') { $vLicense = $True }
    }
    If ($vLicense) { Write-Host -ForegroundColor Green "Enabled" } Else { Write-Host -ForegroundColor Yellow "Not Licensed" }
} Else {
    Write-Host
    Write-Host -ForegroundColor Red "[Error]: User " $User " couldn't be found. Check the username and try again"
    return
}
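The script above prints its findings with Write-Host, which cannot be filtered or exported. The following function is an added example, not part of the original script: it applies the same three checks (StrongAuthenticationRequirements.State, StrongAuthenticationMethods, StrongAuthenticationUserDetails) but returns one object per user, and additionally flags users with neither indicator set, which is the coverage gap a rollout needs to close. The function name is hypothetical, it assumes an existing Connect-MsolService session, and the '*P1*' license heuristic is the one used by the script above.

```powershell
# Added example (not from the original article): object-based MFA status report.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
function Get-MfaStatusReport {
    [CmdletBinding()]
    param(
        # Optional: report a single user; otherwise every user in the tenant is examined.
        [string]$UserPrincipalName
    )

    if ($UserPrincipalName) {
        $users = @(Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop)
    } else {
        $users = @(Get-MsolUser -All)
    }

    foreach ($u in $users) {
        # Portal (user-state) MFA: State is Enabled or Enforced, $null when not configured
        $portalState = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State

        # Conditional-access style registration: methods the user set up at aka.ms/MFASetup.
        # Piping through Where-Object drops a $null property so Count is 0 when unregistered.
        $methods = @($u.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        [PSCustomObject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            PortalMfaState    = $(if ($portalState) { $portalState } else { 'Not Configured' })
            RegisteredMethods = ($methods | ForEach-Object MethodType) -join ';'
            DefaultMethod     = $default
            SspConfigured     = [bool]$u.StrongAuthenticationUserDetails
            # Same SKU heuristic as the script above (Azure AD Premium P1 needed for conditional access)
            HasAadP1License   = [bool]($u.Licenses | Where-Object { $_.AccountSkuId -like '*P1*' })
            # Neither method applies: this user is not protected by MFA under either approach
            NoMfaAtAll        = (-not $portalState) -and ($methods.Count -eq 0)
        }
    }
}

# Usage (assumed tenant domain; replace it):
# Get-MfaStatusReport | Where-Object NoMfaAtAll | Export-Csv .\users-without-mfa.csv -NoTypeInformation
# Get-MfaStatusReport -UserPrincipalName 'user@domain.ca' | Format-List
```

Because the output is objects, the same call feeds Group-Object PortalMfaState for a rollout summary or Export-Csv for an audit trail.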
There you have it!
Cool script! However, when you have enabled the new combined registration portal on your tenant, the output seems incorrect. Both portal and conditional state are reported enabled. I think this is because the new registration is also triggered when you enable MFA the classic way.
Steps I did:
1. Enable MFA for user1 by MFA settings
2. Register for MFA using https://portal.azure.com. I got prompted by first login
3. Use your script to see the outcome of this action.
Any thoughts on this?