Export Office 365 Users MFA Status to CSV 

What is MFA?

Multi-factor Authentication (MFA) plays a vital role in securing user accounts. As the name suggests, it uses multiple methods to identify an authorized user. You can get to know more about what is MFA, how it works and how to execute a PowerShell script with MFA enabled account using our Connect Exchange Online with MFA blog.

 

MFA in Office 365

To protect your office 365 environment, you need to configure MFA for user and admin accountsBefore dive into setting up MFA for users in your tenant, you should understand various MFA status. There are three settings that a user account can be set to: 

  1. Disabled – MFA is not required to sign in. This is the default state for new users. 
  2. Enabled – The user has been enrolled in multi-factor authentication but has not completed the registration process. They will be prompted to complete the process next time they log in.
  3. Enforced – The user has either completed the enrollment process or they have been administratively “Enforced” to use MFA. They must set up MFA to login Office 365 apps.

All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. 

 

How to Check if MFA is Enabled in Office 365 using PowerShell?

You can get a list of users with their MFA status through Office 365 Admin Center, but you can’t view other necessary information like MFA activation status, Configured MFA methods, default MFA methods, MFA Phone number, MFA mail id, license status admin roles, etc. With Powershell, you can get all the necessary information.

Note: If you want to view all the information with the Graphical User Interface(GUI), you can try Office 365 Reporting tool by AdminDroid.

We have written a PowerShell script to export Office 365 users’ MFA status along with many useful information about the user account. The Script will return MFA enabled and enforced users by default. If you want to list MFA disabled users, you need to use DisabledOnly param. 

 

 Download Script: GetMFAStatus.ps1

 

Script Highlights: 

  • The result can be filtered based on MFA status. i.e., you can filter MFA enabled users/enforced users/disabled users alone. For example using the ‘EnabledOnly‘ flag you shall export Office 365 users’ MFA enabled status to CSV file.
  • Exports result to CSV file. 
  • Result can be filtered based on Admin users.
  • You can filter result to display Licensed users alone.
  • You can filter result based on SignIn Status (SignIn allowed/denied).
  • The script produces different output files based on MFA status
  • You can use this script to get users’ MFA status set by Conditional Access.
  • The script can be executed with MFA enabled account. 
  • Using the ‘Admin Roles’ column, you can find users with admin roles that are not protected with MFA. For example, you can find Global Admins without MFA.
  • The script is scheduler friendlyi.e., credentials can be passed as parameter instead of saving inside the script. 

 

Export MFA Status Report  – Sample Output: 

The exported MFA status report will look similar to below screenshots. 

MFA enabled users report (for Enabled/Enforced users): 

MFA enabled user report has the following attributes: Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, Admin Roles, SignIn Status.

Get MFA status PowerShell

 

MFA disabled users Report: 

MFA disabled user report has the following attributes: Display Name, User Principal Name, Department, MFA Status, License Status, Is Admin, Admin Roles, SignIn Status.
MFA Status report

 

How to Get MFA Status Report Using PowerShell? 

This All-in-One PowerShell script allows you to generate 10 different kind of Office 365 MFA status report. By default, the script will return MFA enabled and enforced users report.

You can use the params/switches to get more granular MFA status report.

How can I filter Office 365 MFA Report?

Get a Report on Users’ MFA Enabled Status:

As an Office 365 admin, often you ask ‘How to check if MFA is enabled in office 365’? The solution is here. By using EnabledOnly param, you can export MFA enabled users to CSV file. 

 

Export Office 365 Users’ MFA Enforced Status Report to CSV:

Some users may enabled MFA but not enforced (registration process not completed) for MFA. You can get a list of MFA enforced users using -EnforcedOnly param. 

 

List Office 365 Users Without MFA:

MFA provides an additional level of security to accounts. To view MFA disabled users, you can run this script with -DisabledOnly param.

By referring to this report, admins can enable MFA for a specific user(s) or all users.

 

Export Office 365 Admins Without MFA:

As admin accounts have more privileges, it requires special attention. According to a recent survey, 78% of Microsoft 365 admins don’t activate MFA for their accounts. To find admins without multi-factor authentication, run the script using  AdminOnly param. 

The exported MFA report lists admin accounts(users) that are not protected with MFA. By referring to this report, you can enable MFA to secure administrator accounts.

 

Export Licensed Users’ MFA Status Report 

 Instead of generating MFA status report for all the users, you can get MFA status for licensed users alone. You can use LicensedUserOnly param to get licensed users’ MFA status   

  • To view MFA activation status for licensed users,

  • To view all the licensed users who have not configured MFA,

 

Export Users’ MFA Status Based on Sign-In Status

 Most organizations keep former employees’ accounts in a disabled state. So, we have SignInAllowed param, to filter the result based on SignIn status,

  • To view sign-in allowed users without MFA

  • To list sign-in denied users with MFA,

 

Note: 

You can use multiple filters together to get a more granular MFA status report. For example, 

  • You can get a list of MFA status enabled users whose sign-in status is denied.

  • You can get a list of MFA disabled admin users whose sign-in status is allowed. 

 

How can I Schedule MFA Status Report? 

You can get the MFA status report periodically, by scheduling the PowerShell script in the Task Scheduler. You can schedule this script by explicitly mentioning the credential, as follows:

To know more about scheduling PowerShell script, refer to our blog: Schedule PowerShell script using Task Scheduler.

 

Get More Detailed Office 365 MFA Reports:

Are you tired of manually executing scripts and sending the result to email? If YES, I’d suggest you try AdminDroid Office 365 reporting tool.

AdminDroid has a dedicated MFA dashboard and more detailed MFA reports. You can schedule them and send the report to the preferred email addresses. Also, you can apply the filter on any columns to see only the required information.

MFA status dashboard

Get MFA status report

Additionally, AdminDroid offers 1500+ pre-built reports on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, etc. For your Office 365 reporting and auditing needs, you can try Microsoft 365 reporting tool by AdminDroid and see how it works for you.

Besides, AdminDroid Offers over 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. You can do customization, scheduling, and exporting. You can download Free Office 365 reporting tool by AdminDroid and see how it helps you.

We hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.