Collecting your users’ Office 365 MFA information with PowerShell

Office 365 resources such as information on users can be obtained using PowerShell. Microsoft provides Office 365 PowerShell modules to fetch information about the users such as In-Cloud, synchronized users, MFA users and so on. When it comes to fetching MFA information on users in Office 365, you will be required to check if users are MFA enabled or if users have MFA enforced. In this article, we will provide some PowerShell commands that can be used to check MFA information on enabled and enforced users. The Get-MSOLUser PowerShell cmdlet can be used to check MFA information status for users in Office 365.

Getting ready to use Get-MSOLUser

Before you can use PowerShell commands and scripts provided in this article, please make sure to meet the requirements as listed below:

  • Install the MSOnline PowerShell module for Office 365. There are two ways to install it: by downloading the MSOnline PowerShell module from GitHub, or by running the Install-Module MSOnline command in an elevated PowerShell command prompt. For the Install-Module MSOnline command to work, Microsoft Windows Management Framework 5.0 must be installed on the operating system. You can download Microsoft Windows Management Framework from here.
  • Get the credentials for a Global Administrator. You will be required to supply Global Administrator credentials before you can use any of these PowerShell commands and scripts.
  • Make sure you are connected to your Office 365 subscription by using the Connect-MsolService PowerShell command.

Collecting MFA enabled and enforced users from Office 365

MFA users can easily be collected using MSOnline PowerShell. In an Office 365 tenant, you can find three types of users with respect to MFA: users who have MFA enabled, users who have MFA enforced, and users who do not have MFA configured at all. You can use Get-MsolUser, a single PowerShell cmdlet, to collect the users who are MFA enabled, MFA enforced, and not configured for MFA.

To collect the MFA users (enabled and enforced) from Office 365, type in the following PowerShell commands:

$users = Get-MsolUser -All
$MFAUsers = $users | select UserPrincipalName -ExpandProperty StrongAuthenticationRequirements | select UserPrincipalName,State

The above commands query Office 365 and collect all MFA users, which include MFA enabled and MFA enforced users. Executing the below PowerShell command will provide the count of MFA users.

$MFAUsersCount=$MFAUsers.Count

Since the collected MFA users include both types, you can separate MFA enforced from MFA enabled. To get the MFA enforced users, use this PowerShell command:

$MFAUsersEnforced=$users | select UserPrincipalName -ExpandProperty StrongAuthenticationRequirements | select UserPrincipalName,State| where {$_.State -match 'Enforced'};

As you can see in the above command, you are adding a “Where” clause to check only for users whose state property matches with “enforced.” The result is that MFA enforced users are stored in $MFAUsersEnforced variable. You can have MFA enforced users exported to a CSV file by using the command below:

$MFAUsersEnforced | Export-CSV C:\Temp\MFAEnforcedUsers.CSV

To collect MFA enabled users instead of MFA enforced users, you can use the PowerShell commands below. Please note we are also storing the output to a CSV file at C:\Temp\MFAEnabledUsers.CSV

$MFAUsersEnabled=$users | select UserPrincipalName -ExpandProperty StrongAuthenticationRequirements | select UserPrincipalName,State| where {$_.State -match 'Enabled'};
$MFAUsersEnabled | Export-CSV C:\Temp\MFAEnabledUsers.CSV
$MFAUsersEnabledCount=$MFAUsersEnabled.Count;

Collecting MFA not configured users

Other than MFA enforced and MFA enabled users, you have MFA not configured users. These users can easily be retrieved by using this command:

$allUsersCount=$users.Count
$MFAUsers = $users | select UserPrincipalName -ExpandProperty StrongAuthenticationRequirements | select UserPrincipalName,State
$MFANotConfiguredUsers = ($allUsersCount - @($MFAUsers).Count)

As you can see in the above PowerShell commands, the first one counts all users in Office 365, the next command collects all MFA users, and the final PowerShell command gives the number of users who do not have MFA configured at all.
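
An added example, not part of the original article or of the O365 IT Health and Risk Scanner: it labels every account as Enforced, Enabled or NotConfigured in one pass, so the accounts without MFA are listed by name. The function name Get-MfaStateReport, the sample accounts and the output path in the last comment are assumptions made for illustration.

```powershell
# Added example: classify each account by its per-user MFA state.
function Get-MfaStateReport {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # StrongAuthenticationRequirements is empty (or null) when per-user
        # MFA was never turned on for the account.
        $req = @($User.StrongAuthenticationRequirements) | Where-Object { $_ }
        $state = if ($req) { ($req | Select-Object -First 1).State } else { 'NotConfigured' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output, so the block runs offline.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
                       StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
                       StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'
                       StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.example'
                       StrongAuthenticationRequirements = $null }
)

$report = $sampleUsers | Get-MfaStateReport

# Totals per state, then the accounts that need attention.
$report | Group-Object MfaState | Select-Object Name, Count
$report | Where-Object MfaState -eq 'NotConfigured' | Sort-Object UserPrincipalName

# Live tenant, after Connect-MsolService (output path is a placeholder):
#   Get-MsolUser -All | Get-MfaStateReport |
#       Export-Csv C:\Temp\MFAAllUsers.CSV -NoTypeInformation
```

This reads only the per-user MFA setting that the article's commands query, so an account that gets MFA through Conditional Access or security defaults still shows as NotConfigured.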

Putting it all together

Below is the complete PowerShell script that writes the MFA enforced and MFA enabled users to a CSV file.

# Run Connect-MsolService before executing this script.
# Report file; the header row is written first.
$MFAReport = "C:\Temp\MFAUsers.CSV"
$STR = "UserPrincipalName, MFA Type"
Add-Content $MFAReport $STR

# Collect all users, then keep those with an MFA requirement (Enabled or Enforced).
$users = Get-MsolUser -All
$MFAUsers = $users | select UserPrincipalName -ExpandProperty StrongAuthenticationRequirements | select UserPrincipalName,State

ForEach ($Item in $MFAUsers)
{
    $MFAState = $Item.State
    $UPN = $Item.UserPrincipalName
    $MFANow = ""

    IF ($MFAState -eq "Enforced")
    {
        $MFANow = "MFA is Enforced"
    }
    IF ($MFAState -eq "Enabled")
    {
        $MFANow = "MFA is Enabled"
    }

    # One CSV row per MFA user.
    $STR = $UPN+","+$MFANow
    Add-Content $MFAReport $STR
}

Once you are done executing the above PowerShell script, you will be provided with a CSV report that includes MFA enabled and MFA enforced users. The CSV file is located at C:\Temp\MFAUsers.CSV.

The above PowerShell script is obtained from O365 IT Health and Risk Scanner, which can perform a complete health and risk assessment of Microsoft Active Directory, Hyper-V, Microsoft Exchange, Microsoft Office 365, and Azure and System Center products.

MFA information using PowerShell: Wrapup

As part of this article, we provided PowerShell commands and scripts to list MFA enabled, MFA enforced and MFA not configured users. We also provided a single PowerShell script that can provide you MFA enabled and MFA enforced users in a CSV file.

4 thoughts on “Collecting your users’ Office 365 MFA information with PowerShell”

  1. The full command output did not do anything after creating the CSV.
    Are you positive this script does what you say it does?
