Matthew

Reputation: 1450

Gathering MFA status of users on Azure

I'm trying to pull a list of users from Azure and see if they have MFA enabled or disabled (for reporting reasons). Currently I'm using the following:

    $cred = Get-Credential
    Connect-MsolService -Credential $cred

    $users = Get-MsolUser -All
    $users | select DisplayName,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\csv.csv

This does connect as needed and pulls all user names and emails; however, $_.StrongAuthenticationRequirements.State returns null. Is there another way, or am I overlooking something?

Upvotes: 2

Views: 18113

Answers (4)

user11479626

Reputation:

You can use the command below:

    Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ 
    if( $_.StrongAuthenticationRequirements.State -ne $null) {$_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

Using this script, you can export results based on MFA status (i.e., users with enabled state/enforced state/disabled state alone) along with their MFA authentication methods.

Upvotes: 3

Tom Franciosi

Reputation: 1

To get just those that are disabled:

    Get-MsolUser -All |
        select DisplayName,UserPrincipalName,@{Name="MFA Status"; Expression={
            if($_.StrongAuthenticationRequirements.Count -ne 0){
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    } | Where-Object -Property 'MFA Status' -eq Disabled | Sort-Object -Property 'DisplayName'

Upvotes: 0

Matthew

Reputation: 1450

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

It seems like I should actually be using:

    Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

The confusion was using $_.StrongAuthenticationRequirements instead of $_.StrongAuthenticationMethods.

Upvotes: 1
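Added example (not part of any answer above): a report that puts both properties discussed in this thread side by side, so a blank `StrongAuthenticationRequirements.State` can be told apart from a user with no registered `StrongAuthenticationMethods`. `ConvertTo-MfaReport` is a hypothetical helper name, and the sample users are constructed so the block runs without a tenant.

```powershell
# Hypothetical helper: turns Get-MsolUser output into one report row per user.
function ConvertTo-MfaReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # State is only populated for per-user MFA; empty or null is reported as 'Disabled'.
        $req   = @($User.StrongAuthenticationRequirements)
        $state = if ($req.Count -gt 0 -and $req[0].State) { [string]$req[0].State } else { 'Disabled' }

        # Registered methods are tracked separately from the per-user state.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            Email             = $User.UserPrincipalName
            MfaState          = $state
            MethodsRegistered = $methods.Count
            DefaultMethod     = $default
            MethodTypes       = ($methods.MethodType -join ';')
            # No per-user state AND nothing registered: the accounts to follow up on.
            NoMfaAtAll        = ($state -eq 'Disabled' -and $methods.Count -eq 0)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false }) }
    # Blank State but a registered method, e.g. MFA driven by policy rather than per-user.
    [pscustomobject]@{ DisplayName = 'Bob Example'; UserPrincipalName = 'bob@example.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppOTP'; IsDefault = $true }) }
    [pscustomobject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@example.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
)
$sample | ConvertTo-MfaReport | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
# Get-MsolUser -All | ConvertTo-MfaReport | Export-Csv -NoTypeInformation .\mfa-report.csv
```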

Theo

Reputation: 61148

Maybe it would be more convenient to use the Get-MsolUserByStrongAuthentication function described here: https://learn.microsoft.com/en-us/powershell/module/msonline/get-msoluserbystrongauthentication?view=azureadps-1.0

Upvotes: 0
