
Don’t want to use PowerShell to list the MFA status of Microsoft 365/Microsoft Entra users and prefer a Graphical User Interface (GUI) instead? Do not worry because you can get all MFA details from the Microsoft Entra admin center. In this article, you will learn how to get users’ MFA authentication methods in the Microsoft Entra admin center and with PowerShell.

Configure MFA in Microsoft tenant

There are two ways to configure MFA in your Microsoft tenant:

  1. Configure MFA with Conditional Access (Azure)
  2. Configure per-user MFA (Microsoft 365)

We recommend option 1 because you have more control and more features to configure. But it requires a Microsoft Entra ID P1 or P2 license. So, if you can’t afford those Entra ID editions, choose option 2, which is free.

While at it, read the article Prevent MFA fatigue attacks in organization and enable the settings shown for extra protection.

Important: Enable MFA for every tenant because it’s CRUCIAL.

Suppose you have Microsoft Entra ID P1 or P2 and configured per-user MFA but want to move to Conditional Access MFA;

How to get all users MFA status in Microsoft Entra

Check which users have registered for MFA in the Microsoft Entra admin center by following these steps:

  1. Sign in to Microsoft Entra admin center
  2. Expand Identity > Protection
  3. Click on Authentication methods
  4. Select User registration details

Note: You need a Microsoft Entra ID P1 or P2 license to see the user registration details.

  5. Check the below columns to get the MFA user account status:
     • Multifactor authentication capable
     • Default multifactor authentication method
     • Methods registered

What if you want to get the same report but with PowerShell? Let’s look at that in the next step.

Get users MFA status with Microsoft Graph PowerShell

An excellent way to get all the users’ authentication methods is with Microsoft Graph PowerShell.

The Get-AuthenticationMethods.ps1 script will get every user’s default MFA method and registered authentication methods and export them to a CSV file.

For every user, it gathers the following information:

  1. Id
  2. UserPrincipalName
  3. IsAdmin
  4. DefaultMfaMethod
  5. MethodsRegistered
  6. IsMfaCapable
  7. IsMfaRegistered
  8. IsPasswordlessCapable
  9. IsSsprCapable
  10. IsSsprEnabled
  11. IsSsprRegistered
  12. IsSystemPreferredAuthenticationMethodEnabled
  13. LastUpdatedDateTime

Step 1. Prepare Get-AuthenticationMethods PowerShell script

Create two folders on the (C:) drive:

  • Temp
  • Scripts

Download the Get-AuthenticationMethods.ps1 PowerShell script and place it in the C:\scripts folder. The script will export the CSV file to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Another option is to copy and paste the below code into Notepad. Give it the name Get-AuthenticationMethods.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    Get-AuthenticationMethods.ps1

    .DESCRIPTION
    Export users authentication methods report from Microsoft Graph and know which MFA method
    is set as default for each user and what MFA methods are registered for each user.

    .LINK
    www.traceroute.net/get-mfa-status-entra/

    .NOTES
    Written by: traceroute
    Website:    www.traceroute.com
    LinkedIn:   linkedin.com/in/traceroute

    .CHANGELOG
    V1.00, 10/12/2023 - Initial version
#>

# Export path for CSV file
$csvPath = "C:\Temp\AuthenticationReport.csv"

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

try {
    # Fetch user registration detail report from Microsoft Graph
    $Users = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All

    # Create custom PowerShell object and populate it with the desired properties
    $Report = foreach ($User in $Users) {
        [pscustomobject]@{
            Id                                           = $User.Id
            UserPrincipalName                            = $User.UserPrincipalName
            UserDisplayName                              = $User.UserDisplayName
            IsAdmin                                      = $User.IsAdmin
            DefaultMfaMethod                             = $User.DefaultMfaMethod
            MethodsRegistered                            = $User.MethodsRegistered -join ','
            IsMfaCapable                                 = $User.IsMfaCapable
            IsMfaRegistered                              = $User.IsMfaRegistered
            IsPasswordlessCapable                        = $User.IsPasswordlessCapable
            IsSsprCapable                                = $User.IsSsprCapable
            IsSsprEnabled                                = $User.IsSsprEnabled
            IsSsprRegistered                             = $User.IsSsprRegistered
            IsSystemPreferredAuthenticationMethodEnabled = $User.IsSystemPreferredAuthenticationMethodEnabled
            LastUpdatedDateTime                          = $User.LastUpdatedDateTime
        }
    }
    # Output custom object to GridView
    $Report | Out-GridView -Title "Authentication Methods Report"

    # Export custom object to CSV file
    $Report | Export-Csv -Path $csvPath -NoTypeInformation -Encoding utf8

    Write-Host "Script completed. Report exported successfully to $csvPath" -ForegroundColor Green
}
catch {
    # Catch errors
    Write-Host "An error occurred: $_" -ForegroundColor Red
}
  • Line 22: Edit the CSV file path

Step 2. Install Microsoft Graph PowerShell

Run Windows PowerShell as administrator and install Microsoft Graph PowerShell.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 3. Connect to Microsoft Graph PowerShell

Connect to Microsoft Graph PowerShell.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

Enter your global administrator credentials and accept the Microsoft Graph permissions request.

Step 4. Run Get-AuthenticationMethods PowerShell script

Get all the users’ authentication methods with PowerShell. Run the below command to run the script Get-AuthenticationMethods.ps1.

c:\scripts\.\Get-AuthenticationMethods.ps1

An Out-GridView will show columns with all the users and their information.


Step 5. Open Authentication Methods report

The Get-AuthenticationMethods.ps1 PowerShell script exports all users’ authentication methods to a CSV file. Find the file AuthenticationReport.csv in the path C:\temp.


Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.


That’s it!

Multi-Factor authentication FAQs

There will be questions about when the status Capable and Not Capable appear for the user account in the list. Here are the main questions that you might have and their answers.

What is the difference between Capable and Not Capable?

  • Capable: MFA is set up for the user account
  • Not Capable: MFA is not set up for the user account

When does Multi-Factor Authentication appear as Capable?

It will show as Capable if the user completes the MFA wizard configuration. So as long as the user didn’t finish the MFA setup, it will appear as Not Capable.

If you enable or enforce per-user MFA for the user, and the user didn’t configure MFA, it still shows as Not Capable. The same applies if you configure MFA Conditional Access and add the user to the policy. If the user does not configure MFA, it shows as Not Capable.

Do per-user MFA and Conditional Access MFA appear in the list?

Yes, per-user MFA and Conditional Access MFA users and their authentication methods will appear in the list.

Important: Disable per-user MFA for all users when enabling MFA using Conditional Access.

Note: For the user accounts that show as Not Capable, contact the users and remind them to go through the MFA setup wizard.
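
To turn the exported report into a follow-up list, the added example below (not part of the original Get-AuthenticationMethods.ps1 script) flags accounts that are Not Capable, lists admins first, and marks users whose only registered methods are phone-based. The sample rows, the Get-MfaFinding function name and the choice of which methods count as phone-based are assumptions made for illustration.

```powershell
# Added example: triage the exported report. The sample rows are constructed.
# For real data, replace the here-string with:
#   $Report = Import-Csv -Path "C:\Temp\AuthenticationReport.csv"
$Report = @'
UserPrincipalName,IsAdmin,DefaultMfaMethod,MethodsRegistered,IsMfaCapable,IsMfaRegistered
admin1@example.com,True,none,,False,False
admin2@example.com,True,push,"microsoftAuthenticatorPush,softwareOneTimePasscode",True,True
user1@example.com,False,sms,mobilePhone,True,True
user2@example.com,False,none,email,False,False
user3@example.com,False,push,"mobilePhone,microsoftAuthenticatorPush",True,True
'@ | ConvertFrom-Csv

# Phone-based methods treated as weaker here (assumption; adjust to your policy)
$PhoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

# Hypothetical helper: returns one finding string per report row
function Get-MfaFinding {
    param([Parameter(Mandatory)] $Row)

    # Export-Csv stores booleans as the strings "True"/"False"
    $isAdmin   = $Row.IsAdmin -eq 'True'
    $isCapable = $Row.IsMfaCapable -eq 'True'
    # MethodsRegistered was joined with ',' by the export script
    $methods   = @($Row.MethodsRegistered -split ',' | Where-Object { $_ })

    if (-not $isCapable) {
        if ($isAdmin) { return 'Admin not MFA capable' }
        return 'Not MFA capable'
    }
    $nonPhone = @($methods | Where-Object { $_ -notin $PhoneMethods })
    if ($nonPhone.Count -eq 0) { return 'Phone-based MFA only' }
    return 'OK'
}

$Findings = foreach ($Row in $Report) {
    [pscustomobject]@{
        UserPrincipalName = $Row.UserPrincipalName
        IsAdmin           = $Row.IsAdmin
        DefaultMfaMethod  = $Row.DefaultMfaMethod
        Finding           = Get-MfaFinding -Row $Row
    }
}

# Admin gaps first, then every other account that is not OK
$Findings | Where-Object Finding -ne 'OK' |
    Sort-Object @{ Expression = { $_.Finding -like 'Admin*' }; Descending = $true }, UserPrincipalName |
    Format-Table -AutoSize

# Summary of how many accounts fall into each finding
$Findings | Group-Object Finding | Select-Object Name, Count
```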
