One of the recent requests I got from a customer was how to list all of the existing users in Office 365 who are enabled for MFA, together with their relevant settings.
To address this request, I wrote a PowerShell script that lists the relevant user data, and it can be downloaded from here.
The script exports the following properties:
- DisplayName
- UserPrincipalName
- IsLicensed
- MFAState
- RememberDevicesNotIssuedBefore
- StrongAuthenticationUserDetailsPhoneNumber
- StrongAuthenticationUserDetailsEmail
- DefaultStrongAuthenticationMethodType
Code:
```powershell
#==================================================================================================
#==================================================================================================
#
# Author : Guy Bachar
# Links  : guybachar.net | @GuyBachar
# Getting all Users that are MFA Enabled and their Devices
#
# Ver 1.0: 04/28/2017 Initial Script.
# Ver 1.1: 07/05/2017 Adding CSV Features
# Ver 1.2: 08/10/2017 Adding more logging and status notifications
#
#==================================================================================================
#==================================================================================================

#--------------------------------------------------------------------------------------------------
#
# Main Script Execution
#
#--------------------------------------------------------------------------------------------------

# Load the MSOnline module (stops with a clear error if it is not installed)
Import-Module MSOnline -ErrorAction Stop

# Connect to MSOL
Write-Host "Connecting MSOL Online" -ForegroundColor Green
Connect-MsolService -Credential (Get-Credential -ErrorAction SilentlyContinue) -ErrorAction SilentlyContinue
# Get-MsolDomain only returns data on a working session, so it doubles as a connection test
if (Get-MsolDomain -ErrorAction SilentlyContinue) {
    Write-Host "Connected to O365 MSOL Online" -ForegroundColor Green
}
else {
    Write-Host "Can't Connect to O365 Online, exiting." -ForegroundColor Red
    exit
}

# Get all MFA Enabled users
# The filter selects users with at least one registered strong authentication method.
# @() keeps .Count reliable when exactly one user matches.
Write-Host "Collecting Enabled MFA Users from MSOnline" -ForegroundColor Green
$MFAUsers = @(Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods -like "*" })
if ($MFAUsers.Count -gt 0) {
    Write-Host "Found $($MFAUsers.Count) Users which are enabled for MFA" -ForegroundColor Green
}
else {
    Write-Host "No MFA Users were found, exiting." -ForegroundColor Red
    exit
}

# Setting Array to gather Users Information
$Results = @()
$UserCounter = 1

# Running on MFA Enabled All Users
Write-Host "Processing Individual Users, please wait" -ForegroundColor Green
foreach ($User in $MFAUsers) {
    Write-Host "Processing #$UserCounter Out Of #$($MFAUsers.Count): Working on User $($User.UserPrincipalName)" -ForegroundColor Cyan
    $UserCounter += 1

    # Expand the nested MFA properties of the user object
    $StrongAuthenticationRequirements = $User | Select-Object -ExpandProperty StrongAuthenticationRequirements
    $StrongAuthenticationUserDetails  = $User | Select-Object -ExpandProperty StrongAuthenticationUserDetails
    $StrongAuthenticationMethods      = $User | Select-Object -ExpandProperty StrongAuthenticationMethods

    $Results += New-Object PSObject -Property @{
        DisplayName                                = $User.DisplayName -replace "#EXT#", ""
        UserPrincipalName                          = $User.UserPrincipalName -replace "#EXT#", ""
        IsLicensed                                 = $User.IsLicensed
        MFAState                                   = $StrongAuthenticationRequirements.State
        RememberDevicesNotIssuedBefore             = $StrongAuthenticationRequirements.RememberDevicesNotIssuedBefore
        StrongAuthenticationUserDetailsPhoneNumber = $StrongAuthenticationUserDetails.PhoneNumber
        StrongAuthenticationUserDetailsEmail       = $StrongAuthenticationUserDetails.Email
        DefaultStrongAuthenticationMethodType      = ($StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $True }).MethodType
    }
}

# Select Users Details and export to CSV
Write-Host "Exporting Details to CSV..." -ForegroundColor Green
$Results | Select-Object DisplayName,
    UserPrincipalName,
    IsLicensed,
    MFAState,
    RememberDevicesNotIssuedBefore,
    StrongAuthenticationUserDetailsPhoneNumber,
    StrongAuthenticationUserDetailsEmail,
    DefaultStrongAuthenticationMethodType |
    Export-Csv -NoTypeInformation .\MFAEnabledUsers-$(Get-Date -Format "yyyy-MM-dd").csv -Force
```
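A follow-up review of the exported CSV, as an added example that is not part of the original script: it flags accounts that have methods registered but an empty per-user `MFAState`, and accounts whose default method is phone-based. The sample rows are constructed, the function name `Get-MfaReviewFinding` is hypothetical, and the list of phone-based `MethodType` values is an assumption to verify against your own export.

```powershell
# Constructed sample rows using the same columns the script exports.
$SampleCsv = @'
DisplayName,UserPrincipalName,IsLicensed,MFAState,RememberDevicesNotIssuedBefore,StrongAuthenticationUserDetailsPhoneNumber,StrongAuthenticationUserDetailsEmail,DefaultStrongAuthenticationMethodType
Alice Example,alice@contoso.example,True,Enforced,,+1 5550100,,PhoneAppNotification
Bob Example,bob@contoso.example,True,Enabled,,+1 5550101,,OneWaySMS
Carol Example,carol@contoso.example,True,,,+1 5550102,,TwoWayVoiceMobile
Dan Example,dan@contoso.example,False,,,,,PhoneAppOTP
'@

function Get-MfaReviewFinding {
    # Hypothetical helper: emits one object per exported row that needs a closer look.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Row
    )
    begin {
        # Assumption: MethodType strings that mean SMS or voice call in the export.
        $PhoneMethods = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice'
    }
    process {
        $Findings = @()
        # The script selects users by registered methods, so State can still be empty.
        if ([string]::IsNullOrWhiteSpace($Row.MFAState)) {
            $Findings += 'methods registered, per-user MFA state empty'
        }
        if ($Row.DefaultStrongAuthenticationMethodType -in $PhoneMethods) {
            $Findings += "default method is phone-based ($($Row.DefaultStrongAuthenticationMethodType))"
        }
        if ($Findings.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $Row.UserPrincipalName
                IsLicensed        = $Row.IsLicensed
                Findings          = $Findings -join '; '
            }
        }
    }
}

# For a real run, replace the sample with: Import-Csv .\MFAEnabledUsers-<date>.csv
$Rows = $SampleCsv | ConvertFrom-Csv

# Per-user findings (Bob, Carol and Dan in the sample; Alice is clean).
$Rows | Get-MfaReviewFinding | Format-Table -AutoSize -Wrap

# Tenant-wide breakdown of default methods.
$Rows | Group-Object DefaultStrongAuthenticationMethodType |
    Sort-Object Count -Descending | Select-Object Name, Count
```

An empty `MFAState` only describes the per-user setting captured in the export, so confirm how MFA is actually required for those accounts before treating a finding as a gap.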