Retrieving Azure MFA registration status with PowerShell

Update 17 March 2020, I have updated the Get-AzMFAStatus script and also added a Get-AzMFADeploymentStats.ps1 t


I’m in the process of supporting one of our clients to enable Azure Multi-Factor Authentication (MFA) for all their users, because at a later stage we want to introduce Conditional Access. In a larger environment it’s a good idea to start by informing users about MFA, why it is needed and how it works, and then ask them to register themselves. In our case we’re using the converged registration for self-service password reset and Azure Multi-Factor Authentication, which is currently in preview. Give users some time to register, and at some point you enable Azure AD Conditional Access policies that, for example, require MFA when users connect from a non-managed device.

The big question is: when is that “at some point” the right time? Unfortunately there is no built-in report in the Azure portal that tells you how many users have already registered for MFA. Well, that’s not entirely true: if you have an Azure AD P2 or EM+S E5 plan you have access to Azure AD Identity Protection, which does let you see the impact status in case you were to enforce MFA through Identity Protection.

But there is no way to drill down into a detailed user list. So who would you send a friendly e-mail to remind them to register for MFA? Following the principle of “when there is no solution yet, build one”, I created the PowerShell script below, which retrieves various MFA-related information for all users or a specified user.

Important: you must have appropriate permissions to run the script. If your account lacks the permissions in Azure AD to see a user’s Authentication Contact information, the script will still run but deliver false results, because that data is only shown to those who have the permissions, also in PowerShell.
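The script itself is not reproduced on this page, so the following is an added example (not the post’s Get-AzMFAStatus.ps1) of how the same registration data can be read with the MSOnline module that the post’s readers connect with via Connect-MsolService. It assumes a session has already been opened with an account that is allowed to read authentication contact information, and the function name, parameter and output columns are my own choices. It also includes the sanity check a practitioner wants in light of the permissions caveat above: a tenant-wide run that reports zero registered users almost always means the data was hidden from you, not that nobody has registered.

```powershell
# Added example, not the post's script. Requires the MSOnline module
# (Install-Module MSOnline) and an existing Connect-MsolService session.

function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        # Optional UPN filter; when omitted, every user in the tenant is reported
        [string]$UserPrincipalName
    )

    $users = if ($UserPrincipalName) {
        Get-MsolUser -UserPrincipalName $UserPrincipalName
    } else {
        Get-MsolUser -All
    }

    foreach ($u in $users) {
        # StrongAuthenticationMethods lists the methods the user has registered
        # (PhoneAppOTP, PhoneAppNotification, OneWaySMS, TwoWayVoiceMobile, ...)
        $methods = @($u.StrongAuthenticationMethods)
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            # Per-user MFA state (Enabled/Enforced). Empty when MFA is driven
            # purely by Conditional Access; registration is reported regardless.
            PerUserMfaState   = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State
            # A user counts as registered once at least one method exists
            MfaRegistered     = ($methods.Count -gt 0)
            DefaultMethod     = $default.MethodType
            RegisteredMethods = ($methods.MethodType -join ';')
            PhoneAppOTP       = [bool]($methods | Where-Object { $_.MethodType -eq 'PhoneAppOTP' })
            PhoneAppPush      = [bool]($methods | Where-Object { $_.MethodType -eq 'PhoneAppNotification' })
            OneWaySMS         = [bool]($methods | Where-Object { $_.MethodType -eq 'OneWaySMS' })
            TwoWayVoiceMobile = [bool]($methods | Where-Object { $_.MethodType -eq 'TwoWayVoiceMobile' })
        }
    }
}

# Tenant-wide picture, to decide when the Conditional Access policy can go live
$report = Get-MfaRegistrationReport

$registered    = @($report | Where-Object {  $_.MfaRegistered }).Count
$notRegistered = @($report | Where-Object { -not $_.MfaRegistered }).Count
"Registered: $registered   Not registered: $notRegistered"

# Permission sanity check: if the account running this cannot read authentication
# contact details, every user shows no methods and the report is silently wrong.
if ($report.Count -gt 0 -and $registered -eq 0) {
    Write-Warning 'No registered users found at all; verify the signed-in account may read MFA details before trusting this report.'
}

# The reminder list: users who still need to register
$report | Where-Object { -not $_.MfaRegistered } |
    Select-Object UserPrincipalName, PerUserMfaState |
    Sort-Object UserPrincipalName
```

Piping `$report` to `Export-Csv` gives the per-user list for the reminder mailing; re-running the summary every few days shows whether the registration campaign is converging before the Conditional Access policy is switched on.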

8 Replies to “Retrieving Azure MFA registration status with PowerShell”

  1. I get the below error when I execute the script

    PS C:\Temp> .\Get-AzMFAStatus.ps1
    At C:\Temp\Get-AzMFAStatus.ps1:82 char:43
    + [cmdletbinding(DefaultParameterSetName=’User’)]
    + ~
    Missing statement after ‘=’ in named argument.
    At C:\Temp\Get-AzMFAStatus.ps1:82 char:43
    + [cmdletbinding(DefaultParameterSetName=’User’)]
    + ~
    Missing closing ‘)’ in expression.
    At C:\Temp\Get-AzMFAStatus.ps1:82 char:43
    + [cmdletbinding(DefaultParameterSetName=’User’)]
    + ~
    Attribute argument must be a constant or a script block.
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingExpressionInNamedArgument

  2. I connected to the Azure instance using Connect-MsolService, but when I execute the script .\Get-AzMFAStatus.ps1 I don’t get any output at all even though I am a global admin. Could you please help me with how to execute the script? Sorry, I am new to PowerShell.

  3. Is it possible to tell the MFA enrollment status for accounts that have MFA enabled only via conditional access?

  4. Hi Alex,

    Thanks very much for this, I found it very useful. I think I may have spotted a cut & paste typo in Get-AzMFAStatus.ps1:

    On lines 158, 161 & 164, where you have:

    {$_.MethodType -eq "PhoneAppOTPIsDefault"}).isDefault
    {$_.MethodType -eq "TwoWayVoiceMobileIsDefault"}).isDefault
    {$_.MethodType -eq "OneWaySMSIsDefault"}).isDefault

    I think that is meant to be:

    {$_.MethodType -eq "PhoneAppOTP"}).isDefault
    {$_.MethodType -eq "TwoWayVoiceMobile"}).isDefault
    {$_.MethodType -eq "OneWaySMS"}).isDefault

    David
