Rolling out multi-factor authentication can be a tricky thing, especially if you have a large user community. Sometimes it’s best to break it down into bite-size chunks, tackling one group of users at a time.
This script will report the MFA status for a group, either giving a simple summary (99/100 users have MFA enabled) or generating a CSV report that details exactly who has MFA and what method they have enabled. See example report below:
DisplayName | UserPrincipalName | BlockCredential | MFA Status |
Peppa Pig | peppa.pig@example.com | FALSE | PhoneAppNotification |
Mummy Pig | mummy.pig@example.com | FALSE | TwoWayVoiceMobile |
Daddy Pig | daddy.pig@example.com | FALSE | OneWaySMS |
George Pig | george.pig@example.com | FALSE | Disabled |
Granny Pig | granny.pig@example.com | FALSE | PhoneAppOTP |
Copy the script below, and change the group names and IDs to match the Azure Active Directory groups you want to report on. It’s also useful if you wish to move users over to the more secure one-time passcodes (see post here).
# GetMFAGroupStatus.ps1
#
# This script will generate a summary or a report of MFA status for a group of users.
# Adjust the group names and IDs to your environment before running.
#
#
# Written by sysadmintales.com
#
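function Select-Folder($message='Select a folder', $path = 0) {
    # Opens the Windows Shell "Browse For Folder" dialog and returns the
    # folder the user picked.
    #
    # $message - caption shown in the dialog
    # $path    - root folder the dialog starts in (0 = desktop)
    #
    # Returns the selected path as a string. Returns nothing when the dialog
    # is cancelled, so callers must check the result before building a file
    # path from it.
    $shell = New-Object -ComObject Shell.Application
    $folder = $shell.BrowseForFolder(0, $message, 0, $path)
    # $null belongs on the left of -ne: with a collection on the left,
    # PowerShell turns the comparison into a filter instead of a test.
    if ($null -ne $folder) {
        return $folder.Self.Path
    }
}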
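# Builds one report row for an MSOL user object: DisplayName,
# UserPrincipalName, BlockCredential and an "MFA Status" column holding the
# MethodType of the default StrongAuthenticationMethods entry, or "Disabled"
# when no default method is registered. Shared by the group report, the CSV
# export and the single-user lookup so all three agree.
# NOTE(review): StrongAuthenticationMethods reflects per-user (legacy) MFA
# registration; MFA enforced only through Conditional Access or Security
# Defaults does not show up here — confirm that matches the rollout tracked.
function Get-MfaStatusRecord($msolUser) {
    $msolUser | Select-Object DisplayName, UserPrincipalName, BlockCredential,
        @{ N = "MFA Status"; E = {
                if ($_.StrongAuthenticationMethods.IsDefault -eq $true) {
                    ($_.StrongAuthenticationMethods | Where-Object IsDefault -eq $true).MethodType
                } else {
                    "Disabled"
                }
            } }
}

# NOTE(review): the MSOnline module (Connect-MsolService, Get-MsolUser,
# Get-MsolGroupMember) is deprecated in favour of Microsoft Graph PowerShell;
# confirm it is still usable in the target tenant before relying on this.
Connect-MsolService

do {
    # .NET format strings use 'mm' for minutes and 'MM' for the month; the
    # original "ddmmyy" stamp wrote the minutes where the month belongs.
    $date = Get-Date -Format "ddMMyy-HHmm"
    Write-Host "Groups:"
    Write-Host "1 - GroupName1" #change GroupName1
    Write-Host "2 - GroupName2" #change GroupName2
    Write-Host "3 - GroupName3" #change GroupName3
    Write-Host "4 - Single User"
    $num = Read-Host "Please select an option"
    $individual = ""
    # Reset so an invalid choice cannot silently reuse the previous group id.
    $objectid = $null
    switch ($num) {
        1 { $objectid = "GroupID1" } #change GroupID1
        2 { $objectid = "GroupID2" } #change GroupID2
        3 { $objectid = "GroupID3" } #change GroupID3
        4 { $individual = Read-Host "Please enter email address" }
        default { Write-Host "Unknown option '$num'." }
    }

    if ($individual -ne "") {
        Write-Host "Processing $individual..."
        Get-MfaStatusRecord (Get-MsolUser -UserPrincipalName $individual)
    } elseif ($null -ne $objectid) {
        $csv = Read-Host "Do you want to export a csv (y/n)"
        $path = $null
        if ($csv -eq "y") {
            # Select-Folder returns nothing when the dialog is cancelled.
            $path = Select-Folder
        }
        # @() so a single-member group still yields a countable array.
        $users = @(Get-MsolGroupMember -GroupObjectId $objectid -All)
        $total = $users.Count
        $count = 0
        Write-Host "Processing users..."
        $output = foreach ($user in $users) {
            # One directory lookup per member; the original queried each
            # user twice (once for the row, once for the count).
            $record = Get-MfaStatusRecord (Get-MsolUser -UserPrincipalName $user.EmailAddress)
            if ($null -eq $record) {
                Write-Warning "No user found for $($user.EmailAddress); skipped."
                continue
            }
            # Compare the column value itself rather than the object's
            # string form ("@{MFA Status=Disabled}"), which is fragile.
            if ($record.'MFA Status' -ne "Disabled") {
                $count++
            }
            $record
        }
        Write-Host "$count of $total have MFA enabled."
        if ($csv -eq "y") {
            if ([string]::IsNullOrEmpty($path)) {
                # Cancelled dialog: do not write to "\mfa-<date>.csv".
                Write-Host "No folder selected; CSV not exported."
            } else {
                $file = Join-Path $path "mfa-$date.csv"
                # -NoTypeInformation drops the "#TYPE ..." header line that
                # otherwise shows up as a bogus first row in spreadsheets.
                $output | Export-Csv -Path $file -NoTypeInformation
                Write-Host "CSV Exported"
            }
        }
    }
    $exit = Read-Host "Would you like to run another query (y/n)"
} until ($exit -eq "n")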