Export All Microsoft 365 Users MFA Status with PowerShell

  • Post last modified:April 12, 2024

In this post, I am going to show you how you can use PowerShell to export a report on the MFA status of all users in Microsoft 365. This will give you a clear overview of the current posture of your users' MFA settings.

It is also especially helpful to view your users' MFA status in a clear and concise way if you are planning to roll out conditional access in your environment to enforce MFA, but do not have an Azure subscription to enable log analytics.

The only other option to view your users' MFA status is to use the Registration methods webpage in Microsoft Entra; however, this portal does not utilise Microsoft Graph behind the scenes.

Additionally, if you want to learn how to enforce the use of more secure authentication methods, such as preventing the use of SMS authentication, check out my tutorial on how to enable the require authentication strength setting in Conditional Access. 

Pre-requisites

For this script to run you must have global admin access to your Microsoft 365 tenant. This is to ensure you can read all the relevant information that will be exported and are able to consent to the required Graph API permissions.

You should also have the Microsoft.Graph.Beta PowerShell module installed. If you are unsure how to do this, check out my post: How To Install the Microsoft Graph PowerShell Module.

Export user MFA status with PowerShell

The script to export each user's MFA information is fairly simple. It starts by connecting to the Microsoft Graph service, where you will immediately see an interactive prompt to log in and consent to the permissions.

You can either copy and paste the script below into PowerShell, or you can save it as a .ps1 file and run it that way.

The script will export this data to a .csv file at “c:\temp\m365mfareport.csv”. You can change this on the last line of the script.

#Define the scopes to consent to in Microsoft Graph
$Scopes = @("UserAuthenticationMethod.Read.All", "AuditLog.Read.All")

#Connect to Microsoft Graph
Connect-MgGraph -Scopes $Scopes

#Get the registration details for every user (-All pages through the full result set)
$allusers = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All | Select-Object UserPrincipalName, MethodsRegistered, UserPreferredMethodForSecondaryAuthentication

#Build one report row per user
$Report = [System.Collections.Generic.List[Object]]::new()
forEach ($user in $allusers) {
    $obj = [PSCustomObject][ordered]@{
        "Username" = $user.UserPrincipalName
        "Methods registered" = $user.MethodsRegistered -join ", "
        "Default method" = $user.UserPreferredMethodForSecondaryAuthentication
    }
    $Report.Add($obj)
}

#Export report to CSV file
$Report | Export-CSV -Encoding UTF8 -NoTypeInformation "c:\temp\m365mfareport.csv"
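
Before enforcing MFA through Conditional Access, the exported CSV can be triaged into users with no MFA method, users with only SMS/voice methods, and users with at least one other method. The following is an added example, not part of the original script: the sample rows are constructed, `Get-MfaPosture` is a hypothetical helper name, and the grouping of method names into telephony and non-MFA methods is an assumption.

```powershell
# Added example: triage the CSV produced by the export script.
# Sample rows are constructed; in practice replace the here-string with
#   $rows = Import-Csv "c:\temp\m365mfareport.csv"
$rows = @'
"Username","Methods registered","Default method"
"alice@contoso.example","microsoftAuthenticatorPush, softwareOneTimePasscode","push"
"bob@contoso.example","mobilePhone","sms"
"carol@contoso.example","",""
"dave@contoso.example","email","none"
"erin@contoso.example","mobilePhone, fido2SecurityKey","sms"
'@ | ConvertFrom-Csv

# Assumption: these method names are treated as telephony (SMS/voice) factors,
# and "email" is ignored because it is a password-reset method, not an MFA factor.
$Telephony     = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$NotMfa        = @('email')
$PhoneDefaults = @('sms', 'voiceMobile', 'voiceAlternateMobile', 'voiceOffice')

function Get-MfaPosture {
    param([Parameter(Mandatory)][psobject]$Row)

    # The export joins methods with ", ", so split on commas and trim each entry.
    $methods = @($Row.'Methods registered' -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($NotMfa -notcontains $_) })

    # Anything left that is not a phone-based factor counts as non-telephony.
    $nonPhone = @($methods | Where-Object { $Telephony -notcontains $_ })

    $posture = if ($methods.Count -eq 0) { 'NoMfaMethod' }
               elseif ($nonPhone.Count -eq 0) { 'TelephonyOnly' }
               else { 'HasNonTelephonyMethod' }

    [PSCustomObject]@{
        Username       = $Row.Username
        Posture        = $posture
        DefaultMethod  = $Row.'Default method'
        # True when the user still defaults to SMS/voice, even if a
        # non-telephony method is also registered (see erin in the sample).
        DefaultIsPhone = $PhoneDefaults -contains $Row.'Default method'
    }
}

$triage = $rows | ForEach-Object { Get-MfaPosture -Row $_ }
$triage | Sort-Object Posture, Username | Format-Table -AutoSize
```

Users reported as `NoMfaMethod` or `TelephonyOnly` are the ones to contact before a policy that requires MFA or a stronger authentication strength takes effect.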

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 4 Comments

  1. Zheff

    Thanks for the information, it helps me a lot. It took overnight to create the report as I have 5k users. How can I get the report for a few target users only?

    1. Daniel Bradley

      Hey Zheff, you can modify the following line to limit the users:

      $Users = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }

      Or if you already have a user list in CSV format:

      $Users = Import-CSV C:\path\file.csv

  2. Chris

    I copied this script, but get the following when trying to run it. Any ideas?

    At C:\Users\downloads\List_of_all_Users_MFA.ps1:2 char:52
    + $Scopes = @(“UserAuthenticationMethod.Read.Allâ€, “AuditLog.Read …
    + ~
    Missing argument in parameter list.
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingArgument

    1. Daniel Bradley

      Hey, did you use the ‘Copy’ function when you hover over the code? I did and it works fine for me! 🙂
