Mailboxes are on-premises, and you like to migrate a mailbox or bulk migrate mailboxes to…
Export Office 365 users MFA status with PowerShell
We want to get a list of users with MFA status. By checking that, we are sure how many users have MFA enabled and which method they used. If you have not yet enabled MFA in your Microsoft 365/Azure tenant, you should do this immediately! In this article, you will learn how to export Office 365 users MFA status to CSV file.
Table of contents
Check MFA status in Microsoft 365 admin center
Let’s have a look at Microsoft 365 and check the MFA user status. Sign in to Microsoft 365 admin center. Navigate to Users > Active Users > Multi-factor authentication.
A new page will open, and it will show all the users and their multi-factor auth status. In our example, we have a couple of users MFA enabled, and MFA enforced. Most of the users have MFA disabled.
Why we do not recommend you to use the multi-factor authentication web page for information:
- Not shown if the users did finish the MFA process
- It does not indicate which MFA authorization option the user enabled
- No chance for export to CSV file
If you see that MFA is enabled or enforced, it does not mean that MFA is configured.
The PowerShell script can’t identity the MFA status if it’s enabled through Security Defaults (see the last step of how to disable) or Conditional Access. That’s because Microsoft did not provide a way for that.
Is there a better way to have an insight into the MFA instead of the Microsoft 365 page? Yes, there is, and that’s when PowerShell will come to the rescue. In the next step, we will show how to create an MFA report.
Connect to Azure Active Directory
Before we can proceed further and get the MFA status for all the users, we need to install and connect to Azure AD with PowerShell (MsolService). Start Windows PowerShell as administrator and run the cmdlet Connect-MsolService.
PS C:> Connect-MsolService
Now that we are connected, we can go to the next step.
Prepare Get-MFAReport PowerShell script
Create two folders on the C:\ drive:
- Temp
- Scripts
Download the Get-MFAReport.ps1 PowerShell script and place it in C:\scripts folder. The script will export the CSV file to the C:\temp folder.
Run Get-MFAReport PowerShell script
Get MFA status for all users with PowerShell. Change the path to the scripts folder. After that, run the script Get-MFAReport.ps1.
PS C:\> cd c:\scripts\
PS C:\scripts> .\Get-MFAReport.ps1
Out-GridView
An Out-GridView will show columns with users and much more information than in the Microsoft 365 multi-factor authentication page.
Open MFA Users report CSV file
The Get-MFAReport.ps1 PowerShell script will export Office 365 users MFA status to CSV file. Find the file MFAUsers.csv in the path C:\temp.
Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.
The MFA status report looks excellent.
Extra attention
Now there is one more thing that you need to place good attention to. Some accounts are not showing that they are enabled, but when you do sign in to Microsoft 365, it will ask you to enable MFA. After that, it will ask you for MFA when you sign in. The question is, why is that?
That’s because the user has a role added, and Microsoft will force the user to provide MFA authentication. Think about an administrator account, which is a high privileges account.
We recommend you disable security defaults in Azure AD if you use the Get-MFAReport PowerShell script. Otherwise, you will have incorrect information on the Microsoft 365 MFA page and the MFA report. It will show user accounts with no MFA enabled, but they do. You want the report to be accurate, and this way, you have everything managed from the report. You can disable the feature in the next step.
Disable security defaults Azure AD
Sign in to the Azure portal as an administrator. Browse to Azure Active Directory > Properties. Select Manage security defaults > Set the Enable security defaults toggle to No. Select Save.
We like to see that Microsoft synchronizes the Security defaults feature with the Microsoft 365 Multi-Factor Authentication page. This way, you don’t have to disable that feature, and it’s in sync with Microsoft 365 web page and the Get-MFAReport export CSV file.
Microsoft did write documentation about it in Azure Active Director security defaults.
Don’t forget to enforce MFA for all the users in the tenant! It’s a must to protect the organization from brute force attacks and sign-ins.
Did this help you to export Office 365 users MFA status to CSV file?
Read more: Office 365 Recommended Configuration Analyzer »
Conclusion
In this article, you learned how to export MFA status Office 365 users with PowerShell. Get the MFA status report with Get-MFAReport PowerShell script and have a close look through it. Force MFA for all the users and check that they use the Authenticator app, which is Microsoft’s recommendation.
Did you enjoy this article? You may also like Install Exchange Online PowerShell V2. Don’t forget to follow us and share this article.
Hi Ali and many thanks for the script.
It’s possible to add JobTitle information on the script, please?
Hello Ali,
Is there an alternative to get this information with ms graph for example?
I have looked at the /reports/authenticationMethods/userRegistrationDetails and /reports/credentialUserRegistrationDetails but I cant figure out the Enforced status from them.
I noticed that this shows only one MFA Method for each user. If a user has multiple MFA options configured in their myaccount.microsoft.com or their aka.ms/MFASetup user screens, then only one is selected for your report.
If you compare the outputs of your script and this script, you can see what I mean:
Get-MsolUser -All | Select-Object @{N=’UserPrincipalName’;E={$_.UserPrincipalName}},@{N=’MFA Status’;E={if ($_.StrongAuthenticationRequirements.State){$_.StrongAuthenticationRequirements.State} else {“Disabled”}}},@{N=’MFA Methods’;E={$_.StrongAuthenticationMethods.methodtype}} | Export-Csv -Path c:\MFA_Report.csv -NoTypeInformation
To hide guest and disabled accounts we changed to this:
$Users = Get-MsolUser -All | ? { ($_.UserType -ne “Guest”) -and (-not($_.BlockCredential)) }
Hi Ali,
Thanks – that worked great on one of my tenants.
However, like you allude to at the bottom – in another tenant, it shows as all Not Enabled / MFA Not Used due to the fact that Azure AD Security Defaults are being used – and you are suggesting there is no Sync between this setup and the MFA Properties page.
You suggest disabling Ad Security Defaults – do you mean, just for the duration of running the script?
Yes, disable security defaults before you run the script to get an accurate MFA report. After that, enable security defaults.
sweet! thanks bro!
Thank you, Ali! very usefull
In my caso, i don’t know why i got this error
You cannot call a method on a null-valued expression.
At line:30 char:5
+ $Report.Add($ReportLine)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
If I check the value of $ReportLine i notice that the script is reding all user as well but, because this error the file don’t contains any data. any idea?
I’m having the same issue. Please let us know Ali!
Very handy script!!!
Thank you, Ali. 🙂
Hi Ali!
Thanks for your article! One question though:
What is the difference between enabled and enforced MFA? Thanks!
Hi Iqbal,
All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.
Disabled
The default state for a user not enrolled in per-user Azure AD Multi-Factor Authentication.
Enabled
The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn’t yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).
Enforced
The user is enrolled per-user in Azure AD Multi-Factor Authentication. If the user hasn’t yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state.
Hi Ali,
Is it possible to add the mailbox type (usermailbox or shared mailbox) to the report. I was playing with $User.RecipientType or RecipientTypeDetails but I can’t get it right.
What can I do to add it to the script?
Thanks in advance!
Rudi
Hi Rudi,
Install Exchange Online PowerShell V2 module and add the Connect-ExchangeOnline cmdlet in the PowerShell script to retrieve the mailbox types.
Hi Ali,
since i am using an Unicode language , how do i make the csv report to dispaly the characters since they displayed as ???? . suppose a command to use UTF-8.
Regards
Udi
Hi Udi,
I added the -Encoding UTF8 parameter to the script. The CSV report will now display the Unicode characters.
Thanks, worked perfectly.
Thanks for the script Ali, oddly for me I didn’t find the information the script provided was accurate. Nor the portal itself:
https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx
For example, users I knew for sure had it enabled is coming up as disabled, in the above portal.
And when I run your script the MFAUsed column is showing as “Not Enabled” and the MFAMethod is coming up as “MFA Not Used”.
So I found that when I had run the below script powershell this then showed a more accurate result:
Get-MsolUser -UserPrincipalName user@contoso.com | select DisplayName,UserPrincipalName,@{N=”MFA Status”; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { “Disabled”}}} | FT -AutoSize
Have you ever experienced this?
You’re welcome, Abdush.
The script will create a report for per-user Office 365 Multi-Factor Authentication. I use the Get-MFAReport.ps1 script in different organizations, and it always gives me the correct values.
It looks like you use Azure Conditional Access Policy for MFA. However, the script will not work for it. At the moment, it’s not possible to create an accurate script when using Azure Conditional Access Policy for MFA.
Read more on how to move from per-user MFA to Conditional Access MFA.
Abdush is correct, MFAUsed is not the same as MFAenforced. Users can choose for themselfs to setup MFA, and after that they will still showup as ‘disabled’ in the MFA portal (second picure on this page).
In the MFA portal, you just indicate if MFA is required. And indeed, this can also be enforced by a conditional access policy.
So script results can be incorrect. I recommend running this:
Get-MsolGroupMember -GroupObjectId [id] -MemberObjectTypes User -All | Get-MsolUser | select UserPrincipalName,@{N=”MFA Status”; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { “Disabled”}}} | Export-Csv -Path C:\Temp\results.csv
When a user chooses to use MFA, that doesn’t mean the user will be “Enabled” or “Enforced”. That’s why it’s correct that it will show the MFA status for that user as “Disabled” in the Microsoft 365 MFA portal.
You still have to “Enable” or “Enforce” the user from the Microsoft 365 MFA portal or with PowerShell. After that, it will apply MFA to the user.
That’s how it works and the correct behavior.
Hey Ali thanks so much for this guide!
Hi Ali,
Thank you for this detailed article.
Is it possible to include the date of when MFA was enabled on the report? can you please assist with editing the script if is possible.
Thank you.
Hi Leonah,
Microsoft didn’t give us an option to get the enabled MFA date. So, it’s not possible to add it to the report script.
Great work. but I have users who are enforced, they is using Hardware token (I configured it last week) but your script is showing “Enforced”,”MFA Not Used”. What might be wrong here? Thank you
Difficult to tell as I can’t reproduce it myself.
I do have tokens and I tested it right now. It shows the user as “Enforced – Hardware token or authenticator app”.
Thanks, works fine.
Hello Ali,
Thank you for this detailed article.
I would like to have user’s email populated as one more attribute.
Please help out with the script for that.
Hi Amit,
I sent you an email with an updated version. It will show the user’s primary SMTP and their aliases (secondary SMTP addresses).
Brilliant! Thank you, Ali!
I need to add UserPrincipalName to the output. I have tried various syntax but have not been successful. Please help!
You’re welcome, Jeri.
I updated the script. The UserPrincipalName will show in the Out-GridView and CSV report.
Works great !! Thanks Ali.
Nice little script, what would be handy is if it only displayed Licensed users ??
Change line 2
from:
to:
Quesstion,
this script will not show if a user enabled mfa on their own accord, this will only show if we manually went in and selected “enabled” on the per user mfa screen?
If that is the case is there a way to add to this report something to tell us that this user has *some kind of* mfa enabled, even though it wasnt done via the normal admin enabling mfa for the user?
Also would be good if this report could exclude disabled users.