Export Office 365 Users MFA Status to CSV
What is MFA?
Multi-factor Authentication (MFA) plays a vital role in securing user accounts. As the name suggests, it uses multiple methods to identify an authorized user. To learn more about what MFA is, how it works, and how to execute a PowerShell script with an MFA-enabled account, see our Connect Exchange Online with MFA blog.
MFA in Office 365
To protect your Office 365 environment, you need to configure MFA for user and admin accounts. Before diving into setting up MFA for users in your tenant, you should understand the various MFA statuses. There are three settings that a user account can be set to:
- Disabled – MFA is not required to sign in. This is the default state for new users.
- Enabled – The user has been enrolled in multi-factor authentication but has not completed the registration process. They will be prompted to complete the process next time they log in.
- Enforced – The user has either completed the enrollment process or they have been administratively “Enforced” to use MFA. They must set up MFA to log in to Office 365 apps.
All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.
How to Check if MFA is Enabled in Office 365 using PowerShell?
You can get a list of users with their MFA status through the Office 365 Admin Center, but you can’t view other necessary information such as MFA activation status, configured MFA methods, default MFA method, MFA phone number, MFA email ID, license status, admin roles, etc. With PowerShell, you can get all the necessary information.
Note: If you want to view all the information in a Graphical User Interface (GUI), you can try the Office 365 Reporting tool by AdminDroid.
We have written a PowerShell script to export Office 365 users’ MFA status along with other useful information about the user account. The script returns MFA enabled and enforced users by default. If you want to list MFA disabled users, you need to use the -DisabledOnly parameter.
Download Script: GetMFAStatus.ps1
Script Highlights:
- The result can be filtered based on MFA status, i.e., you can filter MFA enabled users, enforced users, or disabled users alone. For example, using the ‘EnabledOnly’ flag, you can export Office 365 users’ MFA enabled status to a CSV file.
- Exports the result to a CSV file.
- The result can be filtered based on admin users.
- You can filter the result to display licensed users alone.
- You can filter the result based on sign-in status (sign-in allowed/denied).
- The script produces different output files based on MFA status. For MFA enabled and enforced users, ‘MFA Enabled User Report’ will be generated. For MFA disabled users, ‘MFA Disabled User Report’ will be generated.
- You can use this script to get users’ MFA status set by Conditional Access.
- The script can be executed with an MFA-enabled account.
- Using the ‘Admin Roles’ column, you can find users with admin roles that are not protected with MFA. For example, you can find Global Admins without MFA.
- The script is scheduler friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.
Script Output:
Prerequisites and script execution steps are available in our O365 users’ last logon time blog. Please refer to that blog.
The exported report will look similar to the screenshots below.
MFA enabled users report (for Enabled/Enforced users):
MFA enabled user report has the following attributes: Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, Admin Roles, SignIn Status.
MFA disabled users Report:
MFA disabled user report has the following attributes: Display Name, User Principal Name, Department, MFA Status, License Status, Is Admin, Admin Roles, SignIn Status.
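Added example (not part of GetMFAStatus.ps1 or the original post): because the disabled-user report is a CSV, two runs can be compared to surface accounts that newly appear without MFA, admin accounts first. The snapshots are constructed sample data, and the column headers and the True/False values in ‘Is Admin’ are assumptions based on the attribute list above; Get-NewlyUnprotectedUser is a hypothetical helper name.

```powershell
# Added example. Both snapshots are constructed sample data; the headers are assumed
# to match the attribute names listed for the MFA disabled user report.
$header = '"Display Name","User Principal Name","Department","MFA Status","License Status","Is Admin","Admin Roles","SignIn Status"'

$previous = @"
$header
"Alex Doe","alex@contoso.example","Sales","Disabled","Licensed","False","-","Allowed"
"Sam Roe","sam@contoso.example","IT","Disabled","Licensed","True","Helpdesk Administrator","Denied"
"@ | ConvertFrom-Csv

$current = @"
$header
"Alex Doe","alex@contoso.example","Sales","Disabled","Licensed","False","-","Allowed"
"Kim Lee","kim@contoso.example","IT","Disabled","Licensed","True","Global Administrator","Allowed"
"Pat Ray","pat@contoso.example","HR","Disabled","Unlicensed","False","-","Allowed"
"@ | ConvertFrom-Csv

function Get-NewlyUnprotectedUser {
    param(
        [Parameter(Mandatory)] [object[]]$Previous,
        [Parameter(Mandatory)] [object[]]$Current
    )

    # UPNs are case-insensitive, so index the earlier snapshot that way.
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in $Previous) {
        [void]$seen.Add($row.'User Principal Name'.Trim())
    }

    # Keep rows that were not in the earlier report. Admin accounts sort first
    # because the expression evaluates to $false for them (assumed value 'True').
    $Current |
        Where-Object { -not $seen.Contains($_.'User Principal Name'.Trim()) } |
        Sort-Object -Property @{ Expression = { $_.'Is Admin' -ne 'True' } },
                              'User Principal Name'
}

Get-NewlyUnprotectedUser -Previous $previous -Current $current |
    Format-Table 'User Principal Name', 'Is Admin', 'Admin Roles', 'SignIn Status'
```

For real runs, replace the two here-strings with Import-Csv on the report files from consecutive runs.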
How to Export Office 365 Users MFA Status Report?
This all-in-one PowerShell script allows you to generate 10 different kinds of Office 365 MFA status reports. By default, the script returns the MFA enabled and enforced users report.
./GetMFAStatus.ps1
You can use params/switches to get a more granular MFA status report.
How can I filter the Output?
Export Office 365 users’ MFA enabled status to CSV file
As an Office 365 admin, you often ask ‘How do I check if MFA is enabled in Office 365?’ The solution is here: use the -EnabledOnly parameter in this script. With this parameter, you can export Office 365 users’ MFA enabled status to a CSV file.
./GetMFAStatus.ps1 -EnabledOnly
Export Office 365 users’ MFA enforced status to CSV file
Some users may have MFA enabled but not enforced (registration process not completed). You can get the list of MFA enforced users using the -EnforcedOnly parameter.
./GetMFAStatus.ps1 -EnforcedOnly
Export Office 365 users’ MFA disabled status to CSV file
The -DisabledOnly parameter filters the output to display only MFA disabled users, i.e., users without MFA.
./GetMFAStatus.ps1 -DisabledOnly
Export Office 365 admins without MFA report to CSV file
As admin accounts have more privileges, they require special attention. Using the -AdminOnly parameter, you can export admin accounts (users) that are not protected with MFA.
./GetMFAStatus.ps1 -AdminOnly -DisabledOnly
Export Licensed users’ MFA status report
You can use the -LicensedUserOnly parameter to get licensed users’ MFA status.
./GetMFAStatus.ps1 -LicensedUserOnly
Export Users’ MFA Status based on SignIn status
You can use the -SignInAllowed parameter to filter the result based on sign-in status.
- To list sign-in allowed users alone:
./GetMFAStatus.ps1 -SignInAllowed $True
- To list sign-in denied users alone:
./GetMFAStatus.ps1 -SignInAllowed $False
Note:
You can use multiple filters together to get a more granular result. For example:
- You can get the list of MFA enabled users whose sign-in status is denied.
./GetMFAStatus.ps1 -EnabledOnly -SignInAllowed $False
- You can get the list of MFA disabled admin users whose sign-in status is allowed.
./GetMFAStatus.ps1 -DisabledOnly -AdminOnly -SignInAllowed $True
How can I Schedule this script?
You can schedule this script in Task Scheduler by explicitly passing the credential.
<Script Location>\GetMFAStatus.ps1 -UserName <UserName> -Password <Password>
To know more about scheduling PowerShell scripts, refer to our blog: Schedule PowerShell script using Task Scheduler.
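Added example (not part of GetMFAStatus.ps1): a wrapper for the scheduled task that keeps the password out of the task's arguments, where a literal -Password value would be stored in clear text in the task definition. It assumes the script accepts a plain-text string for -Password as shown above; the wrapper itself and both file paths are placeholders.

```powershell
# Added example wrapper for the scheduled task. Paths are placeholders.
#
# One-time setup, run interactively AS THE ACCOUNT THE TASK RUNS UNDER:
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\mfa-report.cred.xml'
# On Windows, Export-Clixml protects the password with DPAPI, so the file can
# only be decrypted by that same user on that same machine.

param(
    [string]$CredentialPath = 'C:\Scripts\mfa-report.cred.xml',  # placeholder
    [string]$ScriptPath     = 'C:\Scripts\GetMFAStatus.ps1'      # placeholder
)

$ErrorActionPreference = 'Stop'

foreach ($path in $CredentialPath, $ScriptPath) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

# Decryption fails if the task runs as a different user or on another machine.
try {
    $cred = Import-Clixml -LiteralPath $CredentialPath
}
catch {
    throw "Could not decrypt '$CredentialPath' as $($env:USERNAME): $($_.Exception.Message)"
}

if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "'$CredentialPath' does not contain a PSCredential object."
}

# The plain-text password exists only in this process's memory; it never
# appears in the task definition or in the task's command line.
& $ScriptPath -UserName $cred.UserName -Password ($cred.GetNetworkCredential().Password)
```

The scheduled task then runs only the wrapper, so its action contains a script path and no credential.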