Export Office 365 Users MFA Status to CSV

Multi-factor Authentication (MFA) plays a vital role in securing user accounts. As the name suggests, it uses multiple methods to identify an authorized user. You can get to know more about what is MFA, how it works and how to execute a PowerShell script with MFA enabled accounts.

To protect your office 365 environment, you need to configure MFA for user and admin accounts. Before dive into setting up MFA for users in your tenant, you should understand various MFA status. There are three settings that a user account can be set to:

1. Disabled – MFA is not required to sign in. This is the default state for new users.
2. Enabled – The user has been enrolled in multi-factor authentication but has not completed the registration process. They will be prompted to complete the process next time they log in.
3. Enforced – The user has either completed the enrollment process or they have been administratively “Enforced” to use MFA. They must set up MFA to login Office 365 apps.

All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.

You can get a list of users with their MFA status through Office 365 Admin Center, but you can’t view other necessary information like MFA activation status, Configured MFA methods, default MFA methods, MFA Phone number, MFA mail id, license status admin roles, etc. With Powershell, you can get all the necessary information.

Note: If you want to view all the information with the Graphical User Interface(GUI), you can try Office 365 Reporting tool by AdminDroid.

We have written a PowerShell script to export Office 365 users’ MFA status along with many useful information about the user account. The Script will return MFA enabled and enforced users by default. If you want to list MFA disabled users, you need to use –DisabledOnly param.

Download Script: GetMFAStatus.ps1

• The result can be filtered based on MFA status. i.e., you can filter MFA enabled users/enforced users/disabled users alone. For example using the ‘EnabledOnly‘ flag you shall export Office 365 users’ MFA enabled status to CSV file.
• Exports result to CSV file.
• Result can be filtered based on Admin users.
• You can filter result to display Licensed users alone.
• You can filter result based on SignIn Status (SignIn allowed/denied).
• The script produces different output files based on MFA status.
• You can use this script to get users’ MFA status set by Conditional Access.
• The script can be executed with MFA enabled account.
• Using the ‘Admin Roles’ column, you can find users with admin roles that are not protected with MFA. For example, you can find Global Admins without MFA.
• The script is scheduler friendly. i.e., credentials can be passed as parameter instead of saving inside the script.

The exported MFA status report will look similar to below screenshots.

MFA enabled users report (for Enabled/Enforced users):

MFA enabled user report has the following attributes: Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, Admin Roles, SignIn Status.

MFA disabled users Report:

MFA disabled user report has the following attributes: Display Name, User Principal Name, Department, MFA Status, License Status, Is Admin, Admin Roles, SignIn Status.

This All-in-One PowerShell script allows you to generate 10 different kind of Office 365 MFA status report. By default, the script will return MFA enabled and enforced users report.

You can use the params/switches to get more granular MFA status report.

As an Office 365 admin, often you ask ‘How to check if MFA is enabled in office 365’? The solution is here. By using –EnabledOnly param, you can export MFA enabled users to CSV file.

Some users may enabled MFA but not enforced (registration process not completed) for MFA. You can get a list of MFA enforced users using -EnforcedOnly param.

MFA provides an additional level of security to accounts. To view MFA disabled users, you can run this script with -DisabledOnly param.

By referring to this report, admins can enable MFA for a specific user(s) or all users.

As admin accounts have more privileges, it requires special attention. According to a recent survey, 78% of Microsoft 365 admins don’t activate MFA for their accounts. To find admins without multi-factor authentication, run the script using –AdminOnly param.

The exported MFA report lists admin accounts(users) that are not protected with MFA. By referring to this report, you can enable MFA to secure administrator accounts.

Instead of generating MFA status report for all the users, you can get MFA status for licensed users alone. You can use –LicensedUserOnly param to get licensed users’ MFA status

• To view MFA activation status for licensed users,

• To view all the licensed users who have not configured MFA,

Most organizations keep former employees’ accounts in a disabled state. So, we have –SignInAllowed param, to filter the result based on SignIn status,

• To view sign-in allowed users without MFA

• To list sign-in denied users with MFA,

Note:

You can use multiple filters together to get a more granular MFA status report. For example,

• You can get a list of MFA status enabled users whose sign-in status is denied.

• You can get a list of MFA disabled admin users whose sign-in status is allowed.

You can get the MFA status report periodically, by scheduling the PowerShell script in the Task Scheduler. You can schedule this script by explicitly mentioning the credential, as follows:

To know more about scheduling PowerShell script, refer to our blog: Schedule PowerShell script using Task Scheduler.

Are you tired of manually executing scripts and sending the result to email? If YES, I’d suggest you try AdminDroid Office 365 reporting tool.

AdminDroid has a dedicated MFA dashboard and more detailed MFA reports. You can schedule them and send the report to the preferred email addresses. Also, you can apply the filter on any columns to see only the required information. MFA reports includes,

1. MFA Activated Users – Lists all users who have activated MFA on their accounts.
2. Users with MFA – Lists all users who have MFA enabled on their accounts
3. Users without MFA – Lists all users who do not have MFA enabled on their accounts.
4. MFA Enabled Users – Lists all users who have MFA enabled on their accounts
5. MFA Enforced Users – Lists all users who have MFA enforced on their accounts.
6. MFA Non-Activated Users – Lists users who have MFA enabled but have not yet activated.
7. MFA Device Details – Lists device details that users have used to authenticate with MFA.
8. MFA User Details – Provides information about individual users’ MFA settings.
9. Conditional Access Policies with MFA – Lists the MFA configured CA policies.
10. MFA Enabled CA Policies: condition details – Provides an overview of conditions that are associated with MFA-enabled CA policies.
11. MFA Included/Excluded Users based on CA Policies – Provides detailed information on MFA included and excluded users based on CA policies.

Besides, AdminDroid Offers over 120+ free reports and a handful of dashboards. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. You can do customization, scheduling, and exporting. You can download Free Azure AD reporter and see how it helps you.

Additionally, AdminDroid provides 1800+ pre-built reports and 30+ dashboards on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, etc. For your Office 365 reporting and auditing needs, you can try Microsoft 365 reporting tool by AdminDroid and see how it helps for you.

Additionally, just as you prioritize implementing MFA for users, it’s equally crucial to track the frequency of MFA prompts. Because, excessive prompting can hinder productivity and may even signal cyberattacks. Therefore, track it using the “Authentication prompts analysis workbook” in Entra ID. Finally, we hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.