Fetching Azure AD users' MFA status using PowerShell!


Multi-factor authentication (MFA) is a method of access control in which two or more authentication mechanisms are combined to verify a user before access is allowed. Azure provides an MFA solution for Active Directory users, which can be enabled from the Azure MFA portal.


Currently, the API provided by Microsoft for Azure AD users does not return the MFA status or its details. This information might become available in the API in future, but for now PowerShell is the only option.

A user's MFA status is held in the StrongAuthenticationRequirements list object of the user profile. The three possible values are Enabled, Enforced and Disabled.

PowerShell script to fetch the list of users with their MFA status

# Sign in to the tenant with the MsolService (MSOnline) module
$secpasswd = ConvertTo-SecureString "{Azure Password}" -AsPlainText -Force
$mycreds   = New-Object System.Management.Automation.PSCredential ("{Azure Username}", $secpasswd)
Connect-MsolService -Credential $mycreds

# Fetch every user with only the fields needed for the report.
# Without -All, Get-MsolUser returns at most the first 500 users.
$RawData = Get-MsolUser -All | Select-Object UserPrincipalName, StrongAuthenticationRequirements, ObjectId, WhenCreated

$Data = ForEach ($User in $RawData) {
    # One output row per user; "NotSet" marks fields that had no value
    $Result = New-Object PSObject
    $Result | Add-Member -MemberType NoteProperty -Name UserPrincipalName -Value "NotSet"
    $Result | Add-Member -MemberType NoteProperty -Name WhenCreated       -Value "NotSet"
    $Result | Add-Member -MemberType NoteProperty -Name MFAState          -Value "NotSet"
    $Result | Add-Member -MemberType NoteProperty -Name MFADateTime       -Value "NotSet"
    $Result | Add-Member -MemberType NoteProperty -Name ObjectId          -Value "NotSet"

    $Result.UserPrincipalName = $User.UserPrincipalName
    $Result.WhenCreated       = $User.WhenCreated
    $Result.ObjectId          = $User.ObjectId

    # StrongAuthenticationRequirements is empty when no MFA requirement has been set for the user,
    # so MFAState and MFADateTime keep "NotSet" in that case
    $Temp = $User.StrongAuthenticationRequirements
    if ($Temp.State) {
        $Result.MFAState = $Temp.State
    }
    if ($Temp.RememberDevicesNotIssuedBefore) {
        $Result.MFADateTime = $Temp.RememberDevicesNotIssuedBefore
    }
    $Result
}
$Data

The commands above first log in to the Azure tenant using the MsolService module and then fetch the user profiles with the selected fields. I will try to write a separate post on setting up the MsolService module in PowerShell.

These commands can be altered to return other fields as required. To set the MFA status of users, the same script can be altered to use Set-MsolUser in place of Get-MsolUser.
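The following script is an added example and is not part of the original post. It builds on the two points above: it normalises the StrongAuthenticationRequirements value of every user into one of the three states (an empty list is treated as Disabled), summarises the tenant by state, exports the licensed accounts that have no MFA requirement to a CSV for review, and shows how Set-MsolUser is used with a StrongAuthenticationRequirement object to enable MFA for a chosen set of those accounts. It assumes an existing Connect-MsolService session and the MSOnline module; the parameter names, the default $ReportPath and the helper Enable-PerUserMfa are chosen here, not taken from the post.

```powershell
# Added example, not the original post's code. Assumes Connect-MsolService has already run.
param(
    [string]   $ReportPath = ".\users-without-mfa.csv",   # assumed output path
    [string[]] $EnableFor  = @()                           # UPNs to enable MFA for; empty = report only
)

# Get-MsolUser returns at most 500 users unless -All is given; only enabled accounts are relevant here
$Users = Get-MsolUser -All -EnabledFilter EnabledOnly

# Normalise each user's MFA state. An empty StrongAuthenticationRequirements list means
# no per-user requirement has been set, which the portal shows as Disabled.
$Report = foreach ($User in $Users) {
    $Req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    [PSCustomObject]@{
        UserPrincipalName              = $User.UserPrincipalName
        ObjectId                       = $User.ObjectId
        MFAState                       = if ($Req) { $Req.State } else { 'Disabled' }
        RememberDevicesNotIssuedBefore = if ($Req) { $Req.RememberDevicesNotIssuedBefore } else { $null }
        IsLicensed                     = $User.IsLicensed
    }
}

# Summary: number of users in each of the three states
$Report | Group-Object MFAState | Select-Object Name, Count | Format-Table -AutoSize

# Licensed, enabled accounts with no MFA requirement are the ones to review first
$NoMfa = @($Report | Where-Object { $_.MFAState -eq 'Disabled' -and $_.IsLicensed })
if ($NoMfa.Count -gt 0) {
    $NoMfa | Sort-Object UserPrincipalName | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host ("{0} licensed users without MFA written to {1}" -f $NoMfa.Count, $ReportPath)

function Enable-PerUserMfa {
    # Helper name chosen for this example. State 'Enabled' prompts the user to register
    # at next sign-in; switch to 'Enforced' once registration is complete.
    # RelyingParty '*' applies the requirement to all applications.
    param([Parameter(Mandatory)][string] $UserPrincipalName)

    $Requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $Requirement.RelyingParty = '*'
    $Requirement.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($Requirement)
}

# Only act on accounts that the report actually flagged, so a typo in -EnableFor cannot
# silently overwrite an Enforced user's setting
foreach ($Upn in $EnableFor) {
    if ($NoMfa.UserPrincipalName -contains $Upn) {
        Enable-PerUserMfa -UserPrincipalName $Upn
        Write-Host "MFA enabled for $Upn"
    } else {
        Write-Warning "$Upn is not in the no-MFA list; skipped"
    }
}
```

Run it without parameters to get the summary and the CSV only; pass -EnableFor with one or more UPNs from that CSV to enable MFA for those accounts. Passing an empty array to -StrongAuthenticationRequirements on Set-MsolUser clears the requirement again, which is the reverse operation.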


Thanks for checking out.

Please share, like and comment.
