Retrieving MFA and self-service password information using PowerShell

When planning a multifactor authentication (MFA) rollout in your organization, you may discover that it is not that easy to find out whether a given user has been enabled, how many users in the organization have been configured to use the feature, and so on. In this article, we cover the PowerShell cmdlets required to retrieve this information, and in the last section we show a script that puts together everything covered here. Before getting to the technical details, it is important to understand the two methods available to enable MFA for any given user.

The first method is called changing the user state. We can assign this at the user level using the MFA portal, which can be accessed through the Azure Portal, the Office 365 Admin center, and so on. A second, less common method is conditional access (this requires Azure AD Premium), where we instruct end-users to go to the aka.ms/MFASetup page and get their MFA settings in place before the solution is rolled out. There are some differences between user-assigned MFA and conditional access. In this article, we will retrieve all the MFA information of any given user.

Before starting our journey, we need to make sure that we have the Microsoft Online module installed on the computer where we are going to connect through PowerShell. Make sure that you run the cmdlet below as an administrator.

Install-Module MSOnline

Finding users who are enabled with MFA user assignment or conditional access

We will not find a specific attribute that says which type of MFA was enabled for a given user. However, knowing which setting each method populates on the user object lets us retrieve the information.

If we want a list of all users who have been enabled through MFA conditional access, an easy method is to target the StrongAuthenticationMethods property. If it is anything but $null, we know that the user went through the steps at aka.ms/MFASetup to configure the account. The following cmdlet lists all such users:

Get-MSOLUser -All | Where {$_.StrongAuthenticationMethods -ne $null }

If we want to know all users who were enabled using the MFA portal (the changing user state process), then we need to look into the StrongAuthenticationRequirements property and its sub-property called State. If it is anything but $null, we know that the given user had MFA enabled through the MFA portal. The following cmdlet lists all the users that were enabled using the MFA portal:

Get-MsolUser -all | where-Object { $_.StrongAuthenticationRequirements.State -ne $null }

How to find out if the self-service password is enabled

You may want to find out which users have registered for the self-service password feature; that can be done by checking the StrongAuthenticationUserDetails attribute. If there is any data there, it is a strong indication that the user configured the self-service password feature.

$vUser = Get-MsolUser -UserPrincipalName <UserName> -ErrorAction SilentlyContinue
Write-Host $vUser.StrongAuthenticationUserDetails

The script code

We have covered the code required to retrieve each piece of information; by putting together all the cmdlets we covered, we can create a simple script to add to our toolbox that helps answer some questions when rolling out MFA.

The script is simple. We can provide two parameters: -AllMFAConditional, which lists all users enabled through the MFA conditional access process, or -AllMFAPortal, which lists all users enabled through the MFA Portal (changing the user state).


Another option is providing a username (the @domain.ca suffix is appended automatically by the script; make sure to change the domain before running it for the first time), and the script will provide all details for that user. In the example output, the first user has not configured MFA and the second user has the feature enabled through conditional access.


Here is the code to retrieve MFA details of a single user, or list all users enabled either using the MFA Portal or MFA conditional access process.

Param(
    [parameter(Mandatory=$false)]$User,
    [switch]$AllMFAConditional,
    [switch]$AllMFAPortal
)
# Autocomplete: append the tenant domain to the username (change it before the first run)
$User = $User + "@itprocentral.com"
$vPath = (Get-Location).Path + "\"

If ($AllMFAConditional) {
    # Users who registered verification methods through aka.ms/MFASetup
    $vUser = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods -ne $null }
    Write-Host
    Write-Host "Number of users with MFA (Conditional) enabled: " $vUser.Count
    Write-Host
    Write-Host "List of all users configured with MFA (Conditional).."
    Write-Host
    $vUser | ForEach-Object { Write-Host $_.DisplayName "-" $_.UserPrincipalName }
    Write-Host
    return
}
If ($AllMFAPortal) {
    # Users whose per-user state was set in the MFA portal (Enabled or Enforced)
    $vUser = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements.State -ne $null }
    Write-Host
    Write-Host "Number of users with MFA (Portal) enabled: " $vUser.Count
    Write-Host
    Write-Host "List of all users configured with MFA (Portal).."
    Write-Host
    $vUser | ForEach-Object { Write-Host $_.DisplayName "-" $_.UserPrincipalName }
    Write-Host
    return
}
$vUser = Get-MsolUser -UserPrincipalName $User -ErrorAction SilentlyContinue
If ($vUser) {
    Write-Host
    Write-Host "User Details for" $vUser.UserPrincipalName
    Write-Host
    Write-Host "Self-Service Password Feature (SSP)..: " -NoNewline
    If ($vUser.StrongAuthenticationUserDetails) { Write-Host -ForegroundColor Green "Enabled" } Else { Write-Host -ForegroundColor Yellow "Not Configured" }
    Write-Host "MFA Feature (Portal) ................: " -NoNewline
    If ($vUser.StrongAuthenticationRequirements.State -ne $null) { Write-Host -ForegroundColor Yellow "Enabled! It overrides Conditional" } Else { Write-Host -ForegroundColor Green "Not Configured" }
    Write-Host "MFA Feature (Conditional)............: " -NoNewline
    If ($vUser.StrongAuthenticationMethods) {
        Write-Host -ForegroundColor Green "Enabled"
        Write-Host
        Write-Host "Authentication Methods:"
        # Each registered method and whether it is the user's default
        foreach ($method in $vUser.StrongAuthenticationMethods) {
            Write-Host $method.MethodType "(" $method.IsDefault ")"
        }
        Write-Host
        Write-Host "Phone entered by the end-user:"
        Write-Host "Phone Number.........: " $vUser.StrongAuthenticationUserDetails.PhoneNumber
        Write-Host "Alternative Number...: " $vUser.StrongAuthenticationUserDetails.AlternativePhoneNumber
    } Else {
        Write-Host -ForegroundColor Yellow "Not Configured"
    }
    Write-Host
    Write-Host "License Requirements.................: " -NoNewline
    # Azure AD Premium P1 (required for conditional access) is detected from the SKU id
    $vLicense = $False
    foreach ($license in $vUser.Licenses) {
        if ($license.AccountSkuId -like '*P1*') { $vLicense = $true }
    }
    If ($vLicense) { Write-Host -ForegroundColor Green "Enabled" } Else { Write-Host -ForegroundColor Yellow "Not Licensed" }
} Else {
    Write-Host
    Write-Host -ForegroundColor Red "[Error]: User" $User "couldn't be found. Check the username and try again"
    return
}

There you have it!
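The script above prints its findings to the console. As an added example (not the article's own code), here are the same checks wrapped in a function that returns one object per user, so the result can be filtered, sorted or exported with Export-Csv; it assumes an existing Connect-MsolService session and the MSOnline module, and the function name Get-MfaReport is our own.

```powershell
# Added example (not the article's script): the same MFA, SSPR and license checks
# as a function returning objects instead of console text.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
function Get-MfaReport {
    [CmdletBinding()]
    param(
        # Optional: report a single user; otherwise every user in the tenant
        [string]$UserPrincipalName
    )

    $users = if ($UserPrincipalName) {
        Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    } else {
        Get-MsolUser -All
    }

    foreach ($u in $users) {
        # Per-user state set in the MFA portal: 'Enabled' or 'Enforced',
        # $null when the user state was never changed
        $portalState = $u.StrongAuthenticationRequirements.State

        # Verification methods the user registered (aka.ms/MFASetup);
        # IsDefault marks the method used at sign-in
        $methods = $u.StrongAuthenticationMethods
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType

        # Same heuristic as the article: a Premium P1 SKU is needed for conditional access
        $hasP1 = [bool]($u.Licenses.AccountSkuId -like '*P1*')

        [PSCustomObject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            PortalState       = if ($portalState) { $portalState } else { 'Not configured' }
            Registered        = [bool]$methods
            DefaultMethod     = $default
            MethodCount       = @($methods).Count
            SsprDetails       = [bool]$u.StrongAuthenticationUserDetails
            PremiumP1         = $hasP1
        }
    }
}

# Usage: users forced to MFA in the portal who have not registered a method yet
# (they will be prompted at their next sign-in), then a CSV of the whole tenant
Get-MfaReport | Where-Object { $_.PortalState -ne 'Not configured' -and -not $_.Registered } |
    Format-Table UserPrincipalName, PortalState, DefaultMethod
Get-MfaReport | Export-Csv -Path .\mfa-report.csv -NoTypeInformation
```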


1 thought on “Retrieving MFA and self-service password information using PowerShell”

  1. Cool script! However, when you have enabled the new combined registration portal on your tenant, the output seems incorrect. Both portal and conditional state are reported enabled. I think this is because the new registration is also triggered when you enable MFA the classic way.
    Steps I did:
    1. Enable MFA for user1 by MFA settings
    2. Register for MFA using https://portal.azure.com. I got prompted by first login
    3. Use your script to see the outcome of this action.

    Any thoughts on this?
