Generate MFA Status CSV Report of Office 365 Users and Bulk Enforce MFA

Overview

In some cases a customer will want to know the Multi-Factor Authentication (MFA) status of all of their Office 365 users (or a subset of users). Currently the best way to do this is using Powershell.

There are three settings that a user account can be set to:

  • Disabled – MFA is not required to sign in at all.
  • Enabled – MFA has been turned on for the user but they have not yet enrolled. They can skip the registration screen and remain “Enabled” but not enforced; they should be prompted to register each time they log in.
  • Enforced – The user has either completed the enrolment process or has been administratively “Enforced” to use MFA. They must set up MFA before their Office 365 apps will work.

Prerequisites

  • You will need the Microsoft Online Services Sign-in Assistant installed
  • You will also need to download the “Microsoft Exchange Online Powershell module” from the Office 365 portal. (In the Exchange Management console under the “Hybrid” tab)

Generating a report of the current MFA Status (All Users)

  1. Open the Exchange Online PowerShell Module on your machine and type Connect-MsolService
  2. Type $Users = Get-MsolUser -All
  3. Type $Users | select DisplayName,Title,State,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\temp\Users.csv
    Make sure you amend the folder location at the end of the command to an accessible location; you can name the file what you like. Note that the StrongAuthenticationRequirements column is blank for users whose MFA status is Disabled.

Generating a report of the current MFA Status (Some Users)

The commands for this are very similar to those for generating a CSV of all users; you just need to add a “where” statement to the PowerShell. You need to carry out steps 1 and 2 of the first section before doing this. For example:

$Users = Get-MsolUser -All | Where-Object {$_.Title -eq 'Director'}

$Users | select DisplayName,Title,State,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\temp\Users.csv
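The following script is an added example that is not part of the original post. It produces the same report as the two sections above (all users, or a subset chosen by a filter block) but translates the blank StrongAuthenticationRequirements value into an explicit “Disabled” label, records which MFA methods each user has registered, and prints a count per state so you can track a rollout. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the output path and the example filter are placeholders you should adjust.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has run.
# Save as Get-MfaStatusReport.ps1 and run with, for example:
#   .\Get-MfaStatusReport.ps1 -Filter { $_.Title -eq 'Director' } -OutputPath 'C:\temp\Directors.csv'
param(
    [string]$OutputPath = 'C:\temp\Users.csv',   # placeholder location; change as needed
    [scriptblock]$Filter = { $true }             # { $true } = all users; replace to select a subset
)

function Get-MfaStatusLabel {
    param($User)
    # StrongAuthenticationRequirements is empty for users who have never had
    # per-user MFA enabled; the portal shows those users as "Disabled".
    $state = $User.StrongAuthenticationRequirements.State
    if ([string]::IsNullOrEmpty($state)) { return 'Disabled' }
    return $state
}

$report = Get-MsolUser -All |
    Where-Object $Filter |
    Select-Object DisplayName, Title, State,
        @{ N = 'Email';         E = { $_.UserPrincipalName } },
        @{ N = 'MfaStatus';     E = { Get-MfaStatusLabel $_ } },
        # Registered methods (e.g. PhoneAppNotification, OneWaySMS), joined with ';'
        @{ N = 'MfaMethods';    E = { ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ';' } },
        @{ N = 'DefaultMethod'; E = { ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType } }

$report | Export-Csv -NoTypeInformation -Path $OutputPath

# Summary per state: useful for spotting "Enabled but never enrolled" users,
# who are the ones that will be blocked once you move them to Enforced.
$report | Group-Object MfaStatus | Select-Object Name, Count | Format-Table -AutoSize
```

The MfaMethods column is the practical addition: a user shown as Enabled with no registered methods has ignored the registration prompt and will be locked out of their apps the moment they are Enforced, so that list is the one to contact before the bulk change in the sections below.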

Changing the MFA Status (All Users)

The following commands are used to Enforce MFA for every user account in the organisation. You will need to connect to the MsolService using steps 1 and 2 from the first section.

WARNING: Only do this if you are sure what you are doing. Enforcing MFA for all users can stop multiple users from logging in and generate a lot of calls. I would recommend Enforcing only for groups of users (see next section)

# Build a single StrongAuthenticationRequirement object that is applied to every user
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

# "*" applies the requirement to all relying parties (all applications)
$auth.RelyingParty = '*'

$Users = Get-MsolUser -All

$auth.State = 'Enforced'

# Devices remembered before this moment will no longer satisfy MFA
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

# Apply the requirement to each user in turn
$Users | Foreach{ Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }


Changing the MFA Status (Some Users)

Rather than Enforcing for all users it is much safer to do it on groups of users, so that any calls can be dealt with in batches. The commands are similar to the above, but the Get-MsolUser step can be combined with a “Where” statement to select just some users.

# Build a single StrongAuthenticationRequirement object that is applied to the selected users
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

# "*" applies the requirement to all relying parties (all applications)
$auth.RelyingParty = '*'

# Select only the users in one office/region; change the property and value to suit
$Users = Get-MsolUser -All | Where-Object {$_.State -eq 'West Midlands'}

$auth.State = 'Enforced'

# Devices remembered before this moment will no longer satisfy MFA
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

# Apply the requirement to each selected user in turn
$Users | Foreach{ Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }
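The script below is an added example, not code from the original post, that turns the two enforcement sections above into a safer batch procedure: it supports a -WhatIf dry run, skips users who are already Enforced, skips unlicensed and guest accounts, pauses between batches so the helpdesk can absorb the calls the warning above anticipates, and writes a CSV log of every change. It assumes Connect-MsolService has already been run; the filter block, batch size and log path are placeholders chosen for illustration.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has run.
# Dry run first:   .\Enforce-MfaInBatches.ps1 -WhatIf
# Then for real:   .\Enforce-MfaInBatches.ps1 -Filter { $_.State -eq 'West Midlands' } -BatchSize 25
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [scriptblock]$Filter = { $_.State -eq 'West Midlands' },   # placeholder filter
    [int]$BatchSize = 25,                                       # users per batch
    [string]$LogPath = 'C:\temp\MfaEnforce.log.csv'             # placeholder log location
)

# One requirement object, reused for every user, exactly as in the post.
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = '*'
$auth.State = 'Enforced'
$auth.RememberDevicesNotIssuedBefore = Get-Date

# Select targets: the caller's filter, then only licensed member accounts that
# are not already Enforced (re-applying to those is pointless and noisy).
$targets = @(Get-MsolUser -All |
    Where-Object $Filter |
    Where-Object { $_.IsLicensed -and $_.UserType -ne 'Guest' } |
    Where-Object { $_.StrongAuthenticationRequirements.State -ne 'Enforced' })

Write-Host ("{0} user(s) selected for enforcement" -f $targets.Count)

$log = New-Object 'System.Collections.Generic.List[object]'
for ($i = 0; $i -lt $targets.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $targets.Count) - 1
    $batch = $targets[$i..$last]

    foreach ($u in $batch) {
        $before = $u.StrongAuthenticationRequirements.State
        if ([string]::IsNullOrEmpty($before)) { $before = 'Disabled' }

        # ShouldProcess honours -WhatIf / -Confirm, so nothing changes on a dry run
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set MFA state to Enforced (currently $before)")) {
            try {
                Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($auth) -ErrorAction Stop
                $result = 'Enforced'
            } catch {
                $result = "Error: $($_.Exception.Message)"
            }
            $log.Add([pscustomobject]@{
                Time              = Get-Date
                UserPrincipalName = $u.UserPrincipalName
                Before            = $before
                Result            = $result
            })
        }
    }

    # Pause between batches so sign-in problems surface a few users at a time
    if ($last -lt $targets.Count - 1) {
        Read-Host "Batch finished ($($last + 1) of $($targets.Count)). Press Enter for the next batch" | Out-Null
    }
}

$log | Export-Csv -NoTypeInformation -Path $LogPath
Write-Host "Change log written to $LogPath"
```

Two points worth keeping in mind when adapting this: passing an empty array to -StrongAuthenticationRequirements disables per-user MFA for that account, so never let the $auth variable be unset or emptied between runs; and the log's Before column is what lets you identify users who went straight from Disabled to Enforced without ever enrolling, who are the most likely to call.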