PowerShell: List Microsoft 365 Accounts that do not have MFA Enforced

Per-user MFA in Microsoft 365 has three states: Enabled, Enforced, and Disabled. Enabled means that a user has been, or will be, prompted to enroll for multi-factor authentication. However, if they do not complete the enrollment and you do not have any type of enforcement policy, the account will continue to be authenticated without MFA. Once a person has completed the enrollment, their account’s status is changed to Enforced, and MFA is required from that point forward. An administrator can manually set an account to Enforced, but that account may not be able to log on and complete the enrollment on their own.

Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs

The multi-factor authentication page in the Microsoft 365 admin portal lists all users and shows their states, but organizations with lots of users, SharePoint or Teams external accounts, and the like may have a difficult time displaying the data they need. The script below lists all licensed Microsoft 365 users that do not have an MFA state of “Enforced”.

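# Prompt for admin credentials and connect to the MSOnline service.
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# Licensed users whose per-user MFA state is anything other than Enforced.
# An empty StrongAuthenticationRequirements collection is reported as Disabled.
Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } |
    Select-Object DisplayName, UserPrincipalName, @{
        Name       = 'MFAStatus'
        Expression = {
            if ($_.StrongAuthenticationRequirements.Count -ne 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    } | Where-Object { $_.MFAStatus -ne 'Enforced' }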

By removing the last filter, you get a list of all licensed users and their MFA status. You could easily output the results to a file or an HTML report.

# Prompt for admin credentials and connect to the MSOnline service.
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# All licensed users with their per-user MFA state (no final filter).
Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } |
    Select-Object DisplayName, UserPrincipalName, @{
        Name       = 'MFAStatus'
        Expression = {
            if ($_.StrongAuthenticationRequirements.Count -ne 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else {
                'Disabled'
            }
        }
    }
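
The file and HTML output mentioned above, as an added example that is not part of the original post. The function name `Get-MfaStatus`, the output file names, and the sample users are assumptions made for illustration; the sample objects are constructed so the block runs offline, and in a tenant you would pipe `Get-MsolUser -All` into the function instead.

```powershell
# Added example (not from the original post). Get-MfaStatus is a hypothetical helper.
function Get-MfaStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        if (-not $User.IsLicensed) { return }   # same licensed-only filter as the script
        # Drop null entries so a missing or empty collection both count as "Disabled".
        $reqs  = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $state = if ($reqs.Count -ne 0) { $reqs[0].State } else { 'Disabled' }
        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = $state
        }
    }
}

# Constructed sample input shaped like the Get-MsolUser properties the script reads.
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
        IsLicensed = $true;  StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ DisplayName = 'Bob Example';   UserPrincipalName = 'bob@contoso.example'
        IsLicensed = $true;  StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' }) }
    [pscustomobject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'
        IsLicensed = $true;  StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ DisplayName = 'Guest Example'; UserPrincipalName = 'guest@contoso.example'
        IsLicensed = $false; StrongAuthenticationRequirements = @() }
)

$report = $sampleUsers | Get-MfaStatus          # in a tenant: Get-MsolUser -All | Get-MfaStatus
$gaps   = @($report | Where-Object { $_.MFAStatus -ne 'Enforced' })

# Full list as CSV; accounts without enforced MFA as an HTML page.
$report | Export-Csv -Path .\mfa-status.csv -NoTypeInformation
$gaps | Sort-Object MFAStatus, DisplayName |
    ConvertTo-Html -Title 'MFA not enforced' `
        -PreContent "<h1>Licensed users without enforced MFA ($($gaps.Count))</h1>" |
    Set-Content -Path .\mfa-not-enforced.html -Encoding UTF8

# Count of licensed users per MFA state, for a quick summary on the console.
$report | Group-Object MFAStatus | Select-Object Name, Count
```

Accounts that appear in the HTML report with a status of Enabled are the ones the first paragraph describes: enrollment has been offered but not completed.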
