In this post, I am going to show you how you can use PowerShell to export a report on the MFA status of all users in Microsoft 365. This will give you a clear overview of the current posture of your users' MFA settings.
It is also especially helpful to see your users' MFA status in a clear and concise way if you are planning to roll out Conditional Access in your environment to enforce MFA, but do not have an Azure subscription to enable Log Analytics.
The only other option to view your users' MFA status is the Registration methods page in Microsoft Entra; however, that portal does not use Microsoft Graph behind the scenes, so you cannot script against it.
Additionally, if you want to learn how to enforce the use of more secure authentication methods, such as preventing the use of SMS authentication, check out my tutorial on how to enable the require authentication strength setting in Conditional Access.
Pre-requisites
For this script to run you must be able to read the registration report and consent to the required Graph API permissions. A Global Administrator can do both; if you prefer least privilege, a role such as Global Reader or Reports Reader is sufficient to read the report, and the delegated permissions only need to be consented to once by an administrator who is allowed to grant consent.
You should also have the Microsoft.Graph.Beta PowerShell module installed. If you are unsure how to do this, check out my post: How To Install the Microsoft Graph PowerShell Module.
Export user MFA status with PowerShell
The script to export each user's MFA information is fairly simple. It starts by connecting to Microsoft Graph, where you will immediately see an interactive prompt to sign in and consent to the permissions.
You can either copy and paste the script below into PowerShell, or save it as a .ps1 file and run it that way.
The report is exported to a .csv file at "c:\temp\m365mfareport.csv". You can change this on the last line of the script; note that Export-Csv does not create the folder for you, so c:\temp must already exist.
#Define the scopes to consent to in Microsoft Graph (straight quotes; smart quotes cause a parse error)
$Scopes = @("UserAuthenticationMethod.Read.All", "AuditLog.Read.All")
#Connect to Microsoft Graph (interactive sign-in and consent prompt)
Connect-MgGraph -Scopes $Scopes
#Retrieve the registration details for every user. -All follows Graph paging; without it only the first page is returned
$allusers = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All | Select-Object UserPrincipalName, MethodsRegistered, UserPreferredMethodForSecondaryAuthentication
#Build one report row per user
$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($user in $allusers) {
$obj = [PSCustomObject][ordered]@{
"Username" = $user.UserPrincipalName
"Methods registered" = $user.MethodsRegistered -join ", "
"Default method" = $user.UserPreferredMethodForSecondaryAuthentication
}
$Report.Add($obj)
}
#Export the report to a CSV file (the folder must already exist)
$Report | Export-Csv -Encoding UTF8 -NoTypeInformation "c:\temp\m365mfareport.csv"
Thanks for the information, it helps me a lot. It took overnight to create the report as I have 5k users. How can I get the report for a few target users only?
Hey Zheff, you can modify the following line to limit the users:
$Users = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
Or if you already have a user list in CSV format:
$Users = Import-CSV C:\path\file.csv
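Pulling the post's script and the reply above together, here is an added example (it is not the post's own script or the reply's code) that scopes the report to a target list when one is present and classifies each user's MFA posture, which is what you want to see before enforcing MFA with Conditional Access. It assumes the Microsoft.Graph.Beta module is installed, that the optional target list at C:\temp\targets.csv (a hypothetical path) has a column named UserPrincipalName, and that the phone-based method names in $weakMethods match the values Graph returns in MethodsRegistered.

```powershell
# Added example, not the original post's script.
# Assumptions: Microsoft.Graph.Beta is installed; the optional target list at
# C:\temp\targets.csv (hypothetical path) has a column named UserPrincipalName.

$Scopes = @("UserAuthenticationMethod.Read.All", "AuditLog.Read.All")
Connect-MgGraph -Scopes $Scopes -NoWelcome

# -All follows Graph paging; without it only the first page of users is returned.
$details = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All

# Optional scoping to a list of target users (case-insensitive UPN match).
$targetFile = "C:\temp\targets.csv"
if (Test-Path $targetFile) {
    $targets = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in Import-Csv $targetFile) { [void]$targets.Add($row.UserPrincipalName) }
    $details = $details | Where-Object { $targets.Contains($_.UserPrincipalName) }
}

# Methods treated as weak (SMS, voice, email). Assumption: these strings match the
# methodsRegistered values Graph returns.
$weakMethods = @("mobilePhone", "alternateMobilePhone", "officePhone", "email")

$report = [System.Collections.Generic.List[object]]::new()
foreach ($u in $details) {
    $methods = @($u.MethodsRegistered | Where-Object { $_ })
    $strong  = @($methods | Where-Object { $_ -notin $weakMethods })
    # NotRegistered: no MFA method at all; WeakOnly: registered, but only phone/email methods
    $status = if (-not $u.IsMfaRegistered) { "NotRegistered" }
              elseif ($strong.Count -eq 0)  { "WeakOnly" }
              else                          { "Registered" }
    $report.Add([PSCustomObject][ordered]@{
        Username             = $u.UserPrincipalName
        UserType             = $u.UserType
        IsAdmin              = $u.IsAdmin
        MfaRegistered        = $u.IsMfaRegistered
        MfaCapable           = $u.IsMfaCapable
        Status               = $status
        "Methods registered" = ($methods -join ", ")
        "Default method"     = $u.UserPreferredMethodForSecondaryAuthentication
    })
}

# Export-Csv does not create the folder, so make sure it exists first.
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
$report | Export-Csv -Encoding UTF8 -NoTypeInformation "C:\temp\m365mfareport.csv"

# Console summary: how many users fall into each status, and which admins are not
# strongly registered (lock those out of a Conditional Access MFA policy and you lose the tenant).
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object { $_.IsAdmin -and $_.Status -ne "Registered" } | Select-Object Username, Status
```

If the target list is absent the script reports on every user, so it replaces the original script rather than running alongside it. The WeakOnly bucket is the set of accounts that will fail a Conditional Access policy requiring a phishing-resistant or authenticator-app authentication strength, which is the list to work through before you turn such a policy on.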
I copied this script, but get the following when trying to run it. Any ideas?
At C:\Users\downloads\List_of_all_Users_MFA.ps1:2 char:52
+ $Scopes = @(“UserAuthenticationMethod.Read.Allâ€, “AuditLog.Read …
+ ~
Missing argument in parameter list.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingArgument
Hey, did you use the ‘Copy’ function when you hover over the code? I did and it works fine for me! 🙂