Retrieving Azure MFA registration status with PowerShell

I’m in the process of helping one of our clients enable Azure Multi-Factor Authentication for all their users, because at a later stage we want to introduce Conditional Access. In a larger environment it’s a good idea to start by informing users about MFA, why it is needed and how it works, and then ask them to register themselves. In our case we’re using the converged registration for self-service password reset and Azure Multi-Factor Authentication, which is currently in preview. Give users a bit of time to register, and at some point you enable AzureAD Conditional Access policies that, for example, require MFA when users connect from a non-managed device.

The big question is: when is that “at some point” the right time? Unfortunately there is no built-in report in the Azure portal that tells you how many users have already registered for MFA. Well, that’s not entirely true: if you have an AzureAD P2 or EM+S E5 plan, you have access to AzureAD Identity Protection, which does show the impact status in case you were to enforce MFA through Identity Protection.

But there is no way to drill down into a detailed user list. So, who would you send a kind e-mail reminding them to register for MFA? Following the principle of “when there is no solution yet, build one”, I created the PowerShell script below, which retrieves various MFA-related information for all users or for a specified set of users.

Important: you must have appropriate permissions to run the script. If your account lacks the permissions in AzureAD to see a user’s Authentication Contact information, the script will still run but deliver false results, because that data is only shown to those who have the permissions, in PowerShell just as in the portal.
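As an added illustration (this is not the post’s own script), the following PowerShell builds such a per-user report from the MSOnline module’s `Get-MsolUser` output, using the `StrongAuthenticationMethods`, `StrongAuthenticationRequirements` and `StrongAuthenticationUserDetails` properties, and includes a sanity check for the permissions problem described above. It assumes the MSOnline module is installed and that `Connect-MsolService` has already been run; the output file name is an assumption.

```powershell
# Added example, not the original post's script. Assumes MSOnline is installed and
# Connect-MsolService has already been run with an account that may read auth contact info.
param(
    [string[]]$UserPrincipalName   # optional: limit the report to these users
)

Import-Module MSOnline -ErrorAction Stop

if ($UserPrincipalName) {
    $users = $UserPrincipalName | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
} else {
    # All enabled users; blocked accounts are not worth a reminder e-mail
    $users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }
}

$report = foreach ($u in $users) {
    $methods = @($u.StrongAuthenticationMethods)
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -ExpandProperty MethodType
    $state   = $u.StrongAuthenticationRequirements.State   # Enabled / Enforced, empty when disabled

    [PSCustomObject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        MfaState          = if ($state) { $state } else { 'Disabled' }
        Registered        = ($methods.Count -gt 0)          # any method registered at all
        DefaultMethod     = $default
        Methods           = ($methods.MethodType -join ';')
        AuthPhone         = $u.StrongAuthenticationUserDetails.PhoneNumber
        AuthEmail         = $u.StrongAuthenticationUserDetails.Email
    }
}

# Permission sanity check: if not a single user shows any registration, the more likely
# explanation is that the signed-in account cannot read the data, not zero adoption.
$registered = @($report | Where-Object { $_.Registered })
if (@($report).Count -gt 0 -and $registered.Count -eq 0) {
    Write-Warning ("No MFA registrations visible for {0} users. Verify the signed-in account " +
                   "has permission to read Authentication Contact information.") -f @($report).Count
}

# Unregistered users first, so the reminder list is at the top
$report | Sort-Object Registered, UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path .\MfaRegistrationStatus.csv -NoTypeInformation
```

Filter the CSV on `Registered -eq $false` to get the list of people to remind, and on `MfaState` to see who is already enforced through per-user MFA rather than Conditional Access.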
