PowerShell: List Microsoft 365 Accounts that do not have MFA Enforced

Microsoft 365 MFA enrollment has three states: Enabled, Enforced, and Disabled. Enabled means that a user has been, or will be, prompted to enroll for multi-factor authentication. However, if they do not complete the enrollment and you do not have any type of enforcement policy, the account will continue to be authenticated without MFA. Once a person has completed the enrollment, their account’s status is changed to Enforced, and MFA is required from that point forward. An administrator can manually set an account to Enforced, but the user of that account may not be able to log on and complete the enrollment on their own.

Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs

The multi-factor authentication page in the Microsoft 365 admin portal lists all the users and shows their states, but organizations with lots of users, SharePoint or Teams external accounts, and the like may have a difficult time displaying the data they need. The script below lists all licensed Microsoft 365 users that do not have an MFA state of “Enforced”.

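# Prompt for admin credentials and connect to the MSOnline service
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# Licensed users whose MFA state is not "Enforced"
Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } |
    Select-Object DisplayName, UserPrincipalName, @{
        Name       = 'MFAStatus'
        # An empty StrongAuthenticationRequirements collection is reported as Disabled
        Expression = {
            if ($_.StrongAuthenticationRequirements.Count -ne 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    } | Where-Object { $_.MFAStatus -ne 'Enforced' }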

By removing the last filter you get a list of all licensed users and their MFA status. You could easily output the results to a file or an HTML report.

# Prompt for admin credentials and connect to the MSOnline service
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# All licensed users with their MFA state
Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } |
    Select-Object DisplayName, UserPrincipalName, @{
        Name       = 'MFAStatus'
        Expression = {
            if ($_.StrongAuthenticationRequirements.Count -ne 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    }
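The file and HTML output mentioned above, as an added example that is not part of the original post. The function name ConvertTo-MfaReport, the output file names, and the sample user objects are assumptions made for illustration; the sample objects are constructed to carry the same properties the script reads from Get-MsolUser, so the block runs without a tenant connection.

```powershell
# Added example. ConvertTo-MfaReport and $sampleUsers are hypothetical names;
# the sample objects are constructed to mimic the properties the page's script reads.
function ConvertTo-MfaReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        if (-not $User.IsLicensed) { return }   # licensed accounts only
        # Drop null entries so a missing and an empty collection both count as zero
        $req = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $state = if ($req.Count -ne 0) { $req[0].State } else { 'Disabled' }
        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = $state
        }
    }
}

# Constructed sample input (not real accounts)
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
        IsLicensed = $true; StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ DisplayName = 'Bob Example'; UserPrincipalName = 'bob@contoso.example'
        IsLicensed = $true; StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' }) }
    [pscustomobject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'
        IsLicensed = $true; StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ DisplayName = 'Shared Mailbox'; UserPrincipalName = 'shared@contoso.example'
        IsLicensed = $false; StrongAuthenticationRequirements = @() }
)

# With a live session, replace $sampleUsers with: Get-MsolUser -All
$report = $sampleUsers | ConvertTo-MfaReport

# CSV of licensed accounts whose state is not Enforced (Enabled and Disabled)
$report | Where-Object { $_.MFAStatus -ne 'Enforced' } |
    Export-Csv -Path 'mfa-not-enforced.csv' -NoTypeInformation

# HTML report of every licensed user, sorted by state
$report | Sort-Object MFAStatus, DisplayName |
    ConvertTo-Html -Title 'MFA status' -PreContent '<h1>Licensed users by MFA state</h1>' |
    Out-File -FilePath 'mfa-status.html' -Encoding utf8

# Per-state counts for a quick summary on the console
$report | Group-Object MFAStatus | Select-Object Name, Count
```

With the sample input, the CSV contains the Enabled and Disabled accounts, and the unlicensed mailbox is excluded from every output.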

About Kevin Trent

IT professional with almost 30 years of experience in Infrastructure, Architecting, Administration, Development, and Communications.
