MFA Status CSV Report of Microsoft 365/Azure AD Users – Bulk Enforce MFA

Overview

In some cases a customer will want to know the Multi-Factor Authentication (MFA) status of all of their Office 365 users (or a subset of them). Currently the best way to do this is with PowerShell.

There are three settings that a user account can be set to:

  • Disabled – MFA is not required to sign in at all.
  • Enabled – MFA has been turned on for the user, but they have not yet registered. They should be prompted to register each time they sign in, but they can skip the prompt, so the account stays "Enabled" rather than Enforced.
  • Enforced – The user has either completed the enrolment process or has been administratively set to "Enforced". They must set up MFA before their Office 365 apps will work.

Prerequisites

  • You will need the MSOnline PowerShell module. To install it, open PowerShell as administrator and type
Install-Module MSOnline
  • You will also need to download the "Microsoft Exchange Online PowerShell module" from the Office 365 portal (in the Exchange admin center under the "Hybrid" tab).

Generating a report of the current MFA Status (All Users)

Connect-MsolService

$Users = Get-MsolUser -all

$Users | select DisplayName,Title,State,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\temp\Users.csv 

Amend the folder path at the end of the command to a location you can write to; the file name is up to you. Note that the "State" column is the user's address State attribute, not the MFA state; the MFA state is in the StrongAuthenticationRequirements column, which is blank for users whose MFA is Disabled.

Generating a report of the current MFA Status (Some Users) – Based on Title Attribute

The commands for this are very similar to generating a CSV for all users; you just need to add a "Where" statement to the PowerShell. You need to carry out steps 1 and 2 of the first section before doing this. For example:

$Users = Get-MsolUser -all | Where-Object {$_.Title -eq "Director"}
  
$Users | select DisplayName,Title,State,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\temp\Users.csv

Generating a report of the current MFA Status (Guest Users)

The commands are again very similar to the above. Only the Get-MsolUser line differs: it selects users whose UserType is Guest within your tenant.

$Users = Get-MsolUser -All | Where-Object {$_.UserType -eq "Guest"}
$Users | select DisplayName,Title,State,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation C:\temp\Users.csv

Changing the MFA Status (All Users)

The following commands are used to Enforce MFA for every user account in the organisation. You will need to connect to the MsolService using steps 1 and 2 from the first section.

WARNING: Only do this if you are sure what you are doing. Enforcing MFA for all users can stop multiple users from logging in and generate a lot of calls. I would recommend Enforcing only for groups of users (see next section).

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$Users = Get-MsolUser -All
$auth.State = "Enforced"
$auth.RememberDevicesNotIssuedBefore = (Get-Date)
$Users | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }

Changing the MFA Status (Some Users)

Rather than Enforcing for all users, it is much safer to do it for groups of users, so that any calls can be dealt with in batches. The commands are similar to the above, but the Get-MsolUser step can be used with a "Where" statement to select just some users (here on the address State attribute).

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$Users = Get-MsolUser -All | Where-Object {$_.State -eq "West Midlands"}
$auth.State = "Enforced"
$auth.RememberDevicesNotIssuedBefore = (Get-Date)
$Users | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }
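The report and enforcement steps above can be combined into one script that always writes the "before" CSV, labels Disabled users explicitly (their StrongAuthenticationRequirements collection is empty, so the plain report leaves the column blank), skips accounts that are already Enforced, and only changes anything when -Enforce is given. This is an added example, not code from the original post; the script name, parameter names and the MfaState label logic are my own assumptions, and it assumes Connect-MsolService has already been run.

```powershell
# Save as e.g. Report-MfaStatus.ps1 (hypothetical name) and run after Connect-MsolService.
# Dry run for one region:  .\Report-MfaStatus.ps1 -State 'West Midlands' -Enforce -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Filters on the same attributes the post uses (Title / State / UserType)
    [string]$Title,
    [string]$State,
    [switch]$GuestOnly,
    [string]$CsvPath = 'C:\temp\Users.csv',
    # Nothing is changed unless -Enforce is supplied; the default is report only
    [switch]$Enforce
)

$users = Get-MsolUser -All | Where-Object {
    (-not $Title     -or $_.Title -eq $Title) -and
    (-not $State     -or $_.State -eq $State) -and
    (-not $GuestOnly -or $_.UserType -eq 'Guest')
}

# StrongAuthenticationRequirements is an empty collection when per-user MFA is
# Disabled, so map that case to an explicit label instead of a blank cell.
$report = $users | Select-Object DisplayName, Title, State,
    @{N = 'Email';    E = { $_.UserPrincipalName }},
    @{N = 'MfaState'; E = {
        if ($_.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
        else { $_.StrongAuthenticationRequirements[0].State }
    }}

# Always export the current state first so the change can be reviewed or reverted.
$report | Export-Csv -NoTypeInformation -Path $CsvPath
$report | Group-Object MfaState | Select-Object Name, Count | Format-Table -AutoSize

if ($Enforce) {
    $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $auth.RelyingParty = '*'
    $auth.State = 'Enforced'
    $auth.RememberDevicesNotIssuedBefore = (Get-Date)

    # Only touch accounts that are not already Enforced; -WhatIf lists who would change.
    foreach ($u in ($report | Where-Object { $_.MfaState -ne 'Enforced' })) {
        if ($PSCmdlet.ShouldProcess($u.Email, 'Set per-user MFA to Enforced')) {
            Set-MsolUser -UserPrincipalName $u.Email -StrongAuthenticationRequirements $auth
        }
    }
}
```

Run it once without -Enforce to get the CSV and a count per MFA state, then re-run with -Enforce -WhatIf to confirm the batch before removing -WhatIf.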