During a recent audit we wanted to confirm what users had MFA enabled in Office 365. We use conditional access policy to enforce MFA.
We wanted to check each users to see if they had setup MFA and had a method configured. We also wanted to get information on licensing status and assigned licenses.
The only pre-req for using the script is that the MSOnline Powershell module is installed.
To install the MSOline module open and admin PowerShell windows and run
Install-Module -Name MSOnlineTo confirm the module is installed run the below command.
Get-Module -ListAvailable MSOnline
First we need to connect to MS Online to do this run
Connect-MsolService Once connected to check the MFA status I will be using the StrongAuthenticationMethods properties as if MFA is configured for the user there will be a default method set.
For users that haven’t configured MFA no StrongAuthenticationMethods is set.
Below are the 4 methods available for MFA.
OneWaySMS
TwoWayVoiceMobile
PhoneAppOTP
PhoneAppNotification
In the script I only want to return the default method.
There is only one mandatory parameter for the export path where the report will be exported to.
The below is an example of how to run the report.
.\Office365_MFA_Report.ps1 -ExportPath C:\temp
Below is what the output will look like.
The full script can be downloaded from the below link.
Scripts/Office365_MFA_Report.ps1 at master · TheSleepyAdmin/Scripts (github.com)
TheSleepyAdmins 
Can you add the phone nr to the script? What lines do I need to add to export the PhoneNumber?
LikeLike
Hi Stephan
The phone number should save under StrongAuthenticationUserDetails.PhoneNumber attribute.
To get the number added to the report you can modify the $props hash table.
Phone = DefualtMethod = $user.StrongAuthenticationUserDetails.PhoneNumber
and I would just add the below to the second table.
Phone = “N/A”
I will try update the script in the next few days.
LikeLike
Defualt ??? or Default typo ?
LikeLike
Yep was a typo in name have fixed it now.
LikeLike