skip to Main Content

Export Office 365 users MFA status with PowerShell

We want to get a list of users with MFA status. By checking that, we are sure how many users have MFA enabled and which method they used. If you have not yet enabled MFA in your Microsoft 365/Azure tenant, you should do this immediately! In this article, you will learn how to export Office 365 users MFA status to CSV file.

Check MFA status in Microsoft 365 admin center

Let’s have a look at Microsoft 365 and check the MFA user status. Log into Microsoft 365 admin center. Navigate to Users > Active Users > Multi-factor authentication.

Export Office 365 users MFA status with PowerShell Microsoft 365 admin center

A new page will open, and it will show all the users and their multi-factor auth status. In our example, we have a couple of users MFA enabled, and MFA enforced. Most of the users have MFA disabled.

Export Office 365 users MFA status with PowerShell multi factor authentication

Why we do not recommend you to use the multi-factor authentication web page for information:

  • Not shown if the users did finish the MFA process
  • It does not indicate which MFA authorization option the user enabled
  • No chance for export to CSV file
If you see that MFA is enabled or enforced, it does not mean that MFA is configured.

The PowerShell script can’t identity the MFA status if it’s enabled through Security Defaults (see the last step of how to disable) or Conditional Access. That’s because Microsoft did not provide a way for that.

Is there a better way to have an insight into the MFA instead of the Microsoft 365 page? Yes, there is, and that’s when PowerShell will come to the rescue. In the next step, we will show how to create an MFA report.

Connect to Azure Active Directory

Before we can proceed further and get the MFA status for all the users, we need to install and connect to Azure AD with PowerShell (MsolService). Start Windows PowerShell as administrator and run the cmdlet Connect-MsolService.

PS C:> Connect-MsolService

Now that we are connected, we can go to the next step.

Prepare Get-MFAReport PowerShell script

Create two folders on the C:\ drive:

  • Temp
  • Scripts

Download the Get-MFAReport.ps1 PowerShell script and place it in C:\scripts folder. The script will export the CSV file to the C:\temp folder.

Export Office 365 users MFA status with PowerShell scripts folder

Run Get-MFAReport PowerShell script

Get MFA status for all users with PowerShell. Change the path to the scripts folder. After that, run the script Get-MFAReport.ps1.

PS C:\> cd c:\scripts\
PS C:\scripts> .\Get-MFAReport.ps1

Out-GridView

An Out-GridView will show columns with users and much more information than in the Microsoft 365 multi-factor authentication page.

Export Office 365 users MFA status with PowerShell Out-GridView

Open MFA Users report CSV file

The Get-MFAReport.ps1 PowerShell script will export Office 365 users MFA status to CSV file. Find the file MFAUsers.csv in the path C:\temp.

1Export Office 365 users MFA status with PowerShell temp folder

Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.

Export Office 365 users MFA status with PowerShell CSV file

The MFA status report looks excellent.

Extra attention

Now there is one more thing that you need to place good attention to. Some accounts are not showing that they are enabled, but when you do log into Microsoft 365, it will ask you to enable MFA. After that, it will ask you for MFA when you sign in. The question is, why is that?

That’s because the user has a role added, and Microsoft will force the user to provide MFA authentication. Think about an administrator account, which is a high privileges account.

We recommend you disable security defaults in Azure AD if you use the Get-MFAReport PowerShell script. Otherwise, you will have incorrect information on the Microsoft 365 MFA page and the MFA report. It will show user accounts with no MFA enabled, but they do. You want the report to be accurate, and this way, you have everything managed from the report. You can disable the feature in the next step.

Disable security defaults Azure AD

Sign in to the Azure portal as an administrator. Browse to Azure Active Directory > Properties. Select Manage security defaults > Set the Enable security defaults toggle to No. Select Save.

Uncheck Enable security defaults

We like to see that Microsoft synchronizes the Security defaults feature with the Microsoft 365 Multi-Factor Authentication page. This way, you don’t have to disable that feature, and it’s in sync with Microsoft 365 web page and the Get-MFAReport export CSV file.

Microsoft did write documentation about it in Azure Active Director security defaults.

Don’t forget to enforce MFA for all the users in the tenant! It’s a must to protect the organization from brute force attacks and logins.

Did this help you to export Office 365 users MFA status to CSV file?

Read more: Office 365 Recommended Configuration Analyzer »

Conclusion

In this article, you learned how to export MFA status Office 365 users with PowerShell. Get the MFA status report with Get-MFAReport PowerShell script and have a close look through it. Force MFA for all the users and check that they use the Authenticator app, which is Microsoft’s recommendation.

Did you enjoy this article? You may also like Install Exchange Online PowerShell V2. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 5 Comments

  1. Brilliant! Thank you, Ali!

    I need to add UserPrincipalName to the output. I have tried various syntax but have not been successful. Please help!

    1. Change line 2

      from:
      $Users = Get-MsolUser -All | ? { $_.UserType -ne “Guest” }

      to:
      $Users = Get-MsolUser -All | ? { ($_.UserType -ne “Guest”) -and ($_.isLicensed -eq “True”) }

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top