During a recent audit we wanted to confirm which users had MFA enabled in Office 365. We use a conditional access policy to enforce MFA.
We wanted to check each user to see if they had set up MFA and had a method configured. We also wanted to get information on licensing status and assigned licenses.
The only prerequisite for using the script is that the MSOnline PowerShell module is installed.
To install the MSOnline module, open an admin PowerShell window and run
Install-Module -Name MSOnline
To confirm the module is installed, run the below command.
Get-Module -ListAvailable MSOnline

First we need to connect to MS Online. To do this, run
Connect-MsolService
Once connected, I check the MFA status using the StrongAuthenticationMethods property: if MFA is configured for the user, there will be a default method set.

For users that haven't configured MFA, no StrongAuthenticationMethods value is set.

Below are the 4 methods available for MFA.
OneWaySMS
TwoWayVoiceMobile
PhoneAppOTP
PhoneAppNotification
In the script I only want to return the default method.
There is only one mandatory parameter, the export path where the report will be saved.
The below is an example of how to run the report.
.\Office365_MFA_Report.ps1 -ExportPath C:\temp

Below is what the output will look like.

The full script can be downloaded from the below link.
Scripts/Office365_MFA_Report.ps1 at master · TheSleepyAdmin/Scripts (github.com)
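The check described above (a default entry in StrongAuthenticationMethods means MFA is configured) as an added example, not the linked Office365_MFA_Report.ps1. The function name Get-MfaReportRow, the column names, the sample users and the CSV file name are assumptions made for illustration.

```powershell
# Added example: one report row per user, built from Get-MsolUser properties.
function Get-MfaReportRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # A user who has set up MFA has at least one method, with one flagged IsDefault.
        $default = @($User.StrongAuthenticationMethods) |
            Where-Object { $_.IsDefault } | Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            IsLicensed        = [bool]$User.IsLicensed
            Licenses          = ($User.Licenses.AccountSkuId -join ';')
            MfaConfigured     = [bool]$default
            DefaultMethod     = if ($default) { $default.MethodType } else { 'N/A' }
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'; DisplayName = 'Alice'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK' })
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ IsDefault = $false; MethodType = 'OneWaySMS' }
            [pscustomobject]@{ IsDefault = $true;  MethodType = 'PhoneAppNotification' }
        )
    }
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.example'; DisplayName = 'Bob'; IsLicensed = $false
        Licenses = @(); StrongAuthenticationMethods = @()
    }
)

$report = $sample | Get-MfaReportRow
$report | Format-Table -AutoSize

# Users the audit should follow up on: no default method registered.
$report | Where-Object { -not $_.MfaConfigured } | Select-Object UserPrincipalName

# Against a live tenant, after Connect-MsolService (file name is a placeholder):
#   Get-MsolUser -All | Get-MfaReportRow |
#       Export-Csv -Path C:\temp\MFA_Report.csv -NoTypeInformation
```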
Can you add the phone nr to the script? What lines do I need to add to export the PhoneNumber?
Hi Stephan
The phone number should be saved under the StrongAuthenticationUserDetails.PhoneNumber attribute.
To get the number added to the report you can modify the $props hash table.
Phone = DefualtMethod = $user.StrongAuthenticationUserDetails.PhoneNumber
and I would just add the below to the second table.
Phone = "N/A"
I will try to update the script in the next few days.
Defualt ??? or Default typo ?
Yep, was a typo in the name; have fixed it now.
Hi
Did you manage to update the script to show the telephone number used to enroll with?
Thanks
Hi
I did update the script but didn’t update on Github. Just updated it now.
Thanks for the script! When I run it, I don't get anything under the Default Method (not even N/A) but have confirmed that users do have a default setup. Any thoughts?
Hi Todd
Had a look there; I had a typo in the results select object for default method. I will update the script to fix this.
Tried the updated script and it works – thanks again!
Hi, I ran this script today and the Default Method was blank for all users.
Hi Mahins
You can try running the command I posted in the other response.
Hi, very useful script, thanks for sharing
I ran the script and the Default Method column for all users was blank. Could you let me know the reason for that?
Hi
You can try running the command I posted in the other response.