Export Office 365 Users MFA Status to CSV 

What is MFA? 

Multi-factor Authentication (MFA) plays a vital role in securing user accounts. As the name suggests, it uses multiple methods to identify an authorized user. To learn more about what MFA is, how it works, and how to execute a PowerShell script with an MFA enabled account, see our Connect Exchange Online with MFA blog.

 

MFA in Office 365 

To protect your Office 365 environment, you need to configure MFA for user and admin accounts. Before diving into setting up MFA for users in your tenant, you should understand the different MFA statuses. There are three settings that a user account can be set to:

  1. Disabled – MFA is not required to sign in. This is the default state for new users. 
  2. Enabled – The user has been enrolled in multi-factor authentication but has not completed the registration process. They will be prompted to complete the process next time they log in.
  3. Enforced – The user has either completed the enrollment process or they have been administratively “Enforced” to use MFA. They must set up MFA to log in to Office 365 apps.

All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. 

 

How to Export Office 365 Users MFA Status Report? 

You can get a list of users with their MFA status through Office 365 Admin Center, but you can’t view other necessary information like MFA activation status, Configured MFA methods, default MFA methods, MFA Phone number, MFA mail id, and license status. Currently, the best way to do this is by using PowerShell.  

We have written a PowerShell script to export Office 365 users’ MFA status along with other useful information about the user account. The script returns MFA enabled and enforced users by default. If you want to list MFA disabled users, you need to use the DisabledOnly param.

 

Script Highlights: 

  • The result can be filtered based on MFA status, i.e., you can list MFA enabled users, enforced users, or disabled users alone. For example, using the ‘EnabledOnly’ flag you can export Office 365 users’ MFA enabled status to a CSV file.
  • Exports the result to a CSV file.
  • The result can be filtered based on Admin users.
  • You can filter the result to display Licensed users alone.
  • You can filter the result based on SignIn Status (SignIn allowed/denied).
  • The script produces different output files based on MFA status. For MFA enabled and enforced users, ‘MFA Enabled User Report’ will be generated. For MFA disabled users, ‘MFA Disabled User Report’ will be generated.
  • MFA enabled user report has the following attributes: Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, SignIn Status.
  • MFA disabled user report has the following attributes: Display Name, User Principal Name, Department, MFA Status, License Status, Is Admin, SignIn Status.
  • You can use this script to get users’ MFA status set by Conditional Access.
  • The script can be executed with an MFA enabled account.
  • The script is scheduler friendly, i.e., credentials can be passed as a parameter instead of being saved inside the script.

You can download the script from TechNet Gallery.

 

Script Output: 

Pre-requisites and script execution steps are available in our O365 users’ last logon time blog. Please refer to that blog.

The exported report will look similar to below screenshots. 

MFA enabled users report (for Enabled/Enforced users):

[Screenshot: Export Office 365 Users MFA status CSV]

MFA disabled users report:

[Screenshot: MFA status report]

 

How can I filter the Output? 

You can use params to filter the output as per your need. 

Export Office 365 users’ MFA enabled status to CSV file

As an Office 365 admin, you often ask ‘How to check if MFA is enabled in Office 365?’ The solution is here: use the EnabledOnly param in this script. Using this param, you can export Office 365 users’ MFA enabled status to a CSV file.

 

Export Office 365 users’ MFA enforced status to CSV file

Some users may have MFA enabled but not enforced (registration process not completed). You can get a list of MFA enforced users using the -EnforcedOnly param.

 

Export Office 365 users’ MFA disabled status to CSV file

The -DisabledOnly param filters the output to display only MFA disabled users, i.e., users without MFA.

 

Export admin users’ MFA status to CSV file

As admin accounts have more privileges, they require special attention. Using the AdminOnly param, you can export admin accounts (users) that are not protected with MFA.

 

Export Licensed users’ MFA status report 

You can use the LicensedUserOnly param to get licensed users’ MFA status.

 

Export Users’ MFA Status based on SignIn status

You can use the SignInAllowed param to filter the result based on SignIn status,

  • To list signin allowed users alone, 

  • To list signin denied users alone, 

 

Note: 

You can use multiple filters together, to get a more granular result. For example, 

  • You can get a list of MFA enabled users whose sign-in status is denied.

  • You can get a list of MFA disabled admin users whose sign-in status is allowed.
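
The filter combination from the note above, as an added example that is not the script from this post: it classifies users into the three MFA states and keeps only admins with MFA disabled whose sign-in is allowed. The sample users are constructed, the property names are modeled on Get-MsolUser output from the MSOnline module, and IsAdmin, New-SampleUser, Get-MfaReportRow and the output file name are hypothetical.

```powershell
# Constructed sample records. Property names mirror what Get-MsolUser (MSOnline) returns;
# IsAdmin is a hypothetical flag that a real report would derive from role membership.
$sms = [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true }
$app = [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $false }
function New-SampleUser($Upn, $State, $Methods, $Blocked, $IsAdmin) {
    [pscustomobject]@{
        UserPrincipalName                = $Upn
        StrongAuthenticationRequirements = @(if ($State) { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods      = $Methods
        BlockCredential                  = $Blocked
        IsAdmin                          = $IsAdmin
    }
}
$users = @(
    New-SampleUser 'alice@contoso.example' 'Enforced' @($sms, $app) $false $true
    New-SampleUser 'bob@contoso.example'   'Enabled'  @()           $false $false
    New-SampleUser 'carol@contoso.example' $null      @()           $false $true
    New-SampleUser 'dave@contoso.example'  $null      @()           $true  $true
)

function Get-MfaReportRow {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        # No StrongAuthenticationRequirements entry means the per-user state is Disabled.
        $state = $User.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }
        $methods = @($User.StrongAuthenticationMethods)
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = $state
            # Assumption: "activated" means at least one MFA method is registered.
            ActivationStatus  = if ($methods.Count -gt 0) { 'Yes' } else { 'No' }
            DefaultMFAMethod  = ($methods | Where-Object IsDefault).MethodType
            AllMFAMethods     = $methods.MethodType -join ','
            IsAdmin           = $User.IsAdmin
            SignInStatus      = if ($User.BlockCredential) { 'Denied' } else { 'Allowed' }
        }
    }
}

# Combine three filters: MFA disabled + admin + sign-in allowed (only carol matches).
$atRisk = $users | Get-MfaReportRow | Where-Object {
    $_.MFAStatus -eq 'Disabled' -and $_.IsAdmin -and $_.SignInStatus -eq 'Allowed'
}
$csv = Join-Path ([IO.Path]::GetTempPath()) 'MfaDisabledAdmins.csv'
$atRisk | Export-Csv -Path $csv -NoTypeInformation
$atRisk | Format-Table UserPrincipalName, MFAStatus, IsAdmin, SignInStatus
```

Against a real tenant, the constructed $users array would be replaced by the objects returned from the directory query.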

 

How can I Schedule this script? 

You can schedule this script in Task Scheduler by explicitly passing the credential.

To know more about scheduling a PowerShell script, refer to our blog: Schedule PowerShell script using Task Scheduler.

 

We hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.