List Office 365 Users that have MFA "Disabled"

  • Question

  • trying to list all users that have MFA disabled. This provides a good list of the status of ALL but I am trying to find a way to just show users that do not have it Enforced (ie Enabled, or Disabled).

    Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}

    The field isn't registering as $null so looking for that doesn't work - or I couldn't get it to.

    Everything I found was to list those that are enabled, doesn't make sense to me as I would want to know who doesn't have it enabled or enforced.

    Please advise - thanks

    Thursday, May 31, 2018 4:08 PM


All replies

  • Try it like this:

    Get-MsolUser -all | 
        select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ 
            if($_.StrongAuthenticationRequirements.Count -ne 0){ 
                $_.StrongAuthenticationRequirements
            } else { 
                'Disabled'}
            }
        }


    \_(ツ)_/




    • Edited by jrv Thursday, May 31, 2018 4:22 PM
    Thursday, May 31, 2018 4:17 PM
  • The value is an array of requirements.


    \_(ツ)_/

    Thursday, May 31, 2018 4:22 PM
  • An easier method is:

    # list all users with no MFA requirements
    Get-MsolUser -all | 
        Where{$_.StrongAuthenticationRequirements -eq 0} |
        select DisplayName,UserPrincipalName


    \_(ツ)_/

    Thursday, May 31, 2018 4:24 PM
  • The first one does a good job of listing disable in the field however it still shows all - how do I filter to JUST list the disabled please?

    The second one doesn't list anything at all but it is what I am looking for - just list the users that are disabled.

    Thank you for your help!

    John

    Thursday, May 31, 2018 5:08 PM
  • Example of select all

    DisplayName  UserPrincipalName       StrongAuthenticationRequirements
    -----------  -----------------       --------------------------------
    John Smith   john.smith@company.com  {Microsoft.Online.Administration.StrongAuthenticationRequirement}
    info         info@company.com        {}

    {Microsoft.Online.Administration.StrongAuthenticationRequirement} would be an example of someone that has MFA enabled (enforced) and {} is a user that has nothing.

    My assumption would be to search for all of them that are -eq $null but that doesn't work for some reason.

    Thursday, May 31, 2018 5:14 PM
  • This works to list all that are enabled or enforced - but the opposite to list not enabled or not enforced does not work.

    Get-MsolUser -all | Where{$_.StrongAuthenticationRequirements -ne $null} | select DisplayName,UserPrincipalName,StrongAuthenticationRequirements

    Thursday, May 31, 2018 5:17 PM
  • Then do this:

    Get-MsolUser -all | 
        select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ 
            if($_.StrongAuthenticationRequirements.Count -ne 0){ 
                $_.StrongAuthenticationRequirements[0].State
            } else { 
                'Disabled'}
            }
        }


    \_(ツ)_/

    • Marked as answer by dolejh Thursday, May 31, 2018 5:24 PM
    Thursday, May 31, 2018 5:18 PM
  • Get-MsolUser -all | 
        select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ 
            if($_.StrongAuthenticationRequirements.Count -ne 0){ 
                $_.StrongAuthenticationRequirements.State
            } else { 
                'Disabled'}
            }
        }

    Added .state to your first example - this will list better for enforced, enabled, or disabled.  It will work but again - ideally we just wanted the disabled users list.  Something to look at once a week to see who is disabled.  I can add a sort in to group them if there is no way.  I also tried to use -ne to Enforced thinking that would work opposed to -eq $null but didn't work either.

    Thursday, May 31, 2018 5:21 PM
  • Added a sort since couldn't find a way to list just disabled - this will work - thanks for your help.

    Get-MsolUser -all |  Sort-Object -Property StrongAuthenticationRequirements |
        select DisplayName,UserPrincipalName,@{N="MFAStatus"; E={ 
            if($_.StrongAuthenticationRequirements.Count -ne 0){ 
                $_.StrongAuthenticationRequirements[0].State
            } else { 
                'Disabled'}
            }
        }

    Thursday, May 31, 2018 5:24 PM
  • You clearly need to learn PowerShell:

    Get-MsolUser -all |  
        select DisplayName,UserPrincipalName,@{N='MFAStatus'; E={ 
            if($_.StrongAuthenticationRequirements.Count -ne 0){ 
                $_.StrongAuthenticationRequirements[0].State
            } else { 
                'Disabled'}
            }
        } |
        Where{$_.MFASTATUS -eq 'disable'}
    


    \_(ツ)_/

    Thursday, May 31, 2018 5:42 PM
  • yes thank you - you have told me that before but in my defense - it is not all my fault.  As an example - I just ran what you posted and it returns no results.
    • Edited by dolejh Thursday, May 31, 2018 5:59 PM
    • Marked as answer by dolejh Thursday, May 31, 2018 6:12 PM
    Thursday, May 31, 2018 5:57 PM
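
Added example, not written by any poster in this thread: a filter that returns only the users with no MFA requirement, plus the "not Enforced" variant the question asks for. It runs offline against constructed sample objects; `New-SampleUser` and `Get-MfaStatus` are hypothetical helper names, and the `Jane Doe` account is invented for the sample.

```powershell
# Constructed stand-ins for Get-MsolUser output (not real accounts).
function New-SampleUser {
    param([string]$Name, [string]$Upn, [string]$State)
    $reqs = New-Object 'System.Collections.Generic.List[object]'
    if ($State) { $reqs.Add([pscustomobject]@{ State = $State }) }
    [pscustomobject]@{
        DisplayName                      = $Name
        UserPrincipalName                = $Upn
        StrongAuthenticationRequirements = $reqs
    }
}

$users = @(
    New-SampleUser 'John Smith' 'john.smith@company.com' 'Enforced'
    New-SampleUser 'Jane Doe'   'jane.doe@company.com'   'Enabled'
    New-SampleUser 'info'       'info@company.com'       ''
)
# Against a tenant, replace the sample with:  $users = Get-MsolUser -All

# Hypothetical helper: map the requirements collection to one status string.
function Get-MfaStatus {
    param($User)
    if ($User.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
    else { $User.StrongAuthenticationRequirements[0].State }
}

# With a collection on the left, -eq and -ne filter its elements instead of
# comparing the collection itself. An empty collection has no elements to
# return, so neither "-eq $null" nor "-eq 0" can ever select it.
# Test the Count property instead.
$disabled = $users |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object DisplayName, UserPrincipalName

# Filtering on the calculated value also works, but the string must match
# in full: -eq ignores case, yet 'disable' is not equal to 'Disabled'.
$notEnforced = $users |
    Select-Object DisplayName, UserPrincipalName,
        @{ N = 'MFAStatus'; E = { Get-MfaStatus $_ } } |
    Where-Object { $_.MFAStatus -ne 'Enforced' }

$disabled
$notEnforced
```
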
  • In coding we:

    gather data
    convert data
    sort data
    format output
    output.

    That order will give us the best and most reliable outcome, easier to code, easier to debug, easier to modify.

    It is a way of thinking about coding. 

    We also try to become aware of data sciences and the usage of same.

    Also look into "design patterns"


    \_(ツ)_/

    Thursday, May 31, 2018 6:00 PM
  • Thank you for the off topic advice.
    Thursday, May 31, 2018 6:07 PM
  • If you are curious or interested in how to code well then track down those items and read about why they are important.

    Here is a simple starter: https://en.wikipedia.org/wiki/Software_design_pattern


    \_(ツ)_/

    Thursday, May 31, 2018 6:18 PM
  • If you need Users' MFA status along with attributes like Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, SignIn Status, you can use below script.

    List Office 365 MFA disabled users

    Script Highlights: 

    • The result can be filtered based on MFA status, i.e., you can filter MFA enabled users/enforced users/disabled users alone.
    • Result can be filtered based on Admin users.
    • You can filter result to display Licensed users alone.
    • You can filter result based on SignIn Status (SignIn allowed/denied).
    • Exports result to CSV file.
    • The script produces different output files based on MFA status. For MFA enabled and enforced users, ‘MFA Enabled User Report’ will be generated. For MFA disabled users, ‘MFA Disabled User Report’ will be generated.
    • MFA enabled user report has the following attributes: Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, SignIn Status
    • MFA disabled user report has the following attributes: Display Name, User Principal Name, Department, MFA Status, License Status, Is Admin, SignIn Status. 
    • The script can be executed with MFA enabled account
    • The script is scheduler friendly. i.e., credentials can be passed as parameter instead of saving inside the script. 




    • Proposed as answer by Robert_Luck Thursday, May 9, 2019 12:41 PM
    • Edited by Kathy Cooper Friday, May 10, 2019 7:55 AM
    Thursday, May 9, 2019 12:39 PM