
Use PowerShell to Find Which Office 365 Users Have MFA Enabled

There are many ways to determine whether users have MFA enabled on their Office 365 accounts, including viewing MFA status in the Office 365 Admin Portal. In some cases, however, MFA is enabled via Security Groups, and the Admin Portal will not show whether those users have MFA enabled.
Below are a few different PowerShell commands that can be used to report users' MFA status.
To run these commands you will need to connect to your Office 365 tenant using PowerShell. Instructions on how to do this can be found here: http://itwalkthroughs.com/knowledge-base/connect-to-office-365-via-powershell-with-mfa-enabled-account/

List MFA status of all users (Enabled or Disabled)

The following command displays a list of all Office 365 user accounts and their MFA status: the per-user state when one is set (for example Enforced), or Disabled when none is set.

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}


List MFA Type of all users (SMS, App, Disabled)

The following command displays a list of all Office 365 user accounts and their MFA type, e.g. it shows whether they are using MFA via the SMS Push method or the Authenticator App, or Disabled.

Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSize


List all users that have MFA enabled only

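The following command generates a list of ONLY the users who have MFA enabled, that is, users with at least one strong authentication method registered. The filter uses -gt 0 rather than -eq 1 because a user can have more than one method registered.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -gt 0} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalname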


List all users that DON'T have MFA enabled only

The following command generates a list of users who DON'T have MFA enabled

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalname


List MFA status of all “licensed” users and export to a csv file

The following command will export to csv a list of the MFA status of all licensed users. The file will be exported to the folder C:\export so this folder needs to exist.

Get-MsolUser -all | where {$_.isLicensed -eq $true} | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | Export-Csv -NoTypeInformation C:\export\MFAStatus.csv
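The commands above each report one property. The following added example (not part of the original article) combines them into one row per user, so accounts with a per-user state but no registered method, or with a method but no per-user state (as when MFA is applied through Security Groups), stand out. The function name Get-MfaReportRow is hypothetical, and the sample users are constructed to carry the same properties the commands above read.

```powershell
# Added example: one report row per user from Get-MsolUser-shaped objects.
function Get-MfaReportRow {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Drop nulls so an empty or missing method list counts as 0.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        $state   = $User.StrongAuthenticationRequirements.State | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName  = $User.UserPrincipalName
            IsLicensed         = [bool]$User.IsLicensed
            PerUserState       = $state
            DefaultMethod      = $(if ($default) { $default.MethodType } else { 'None' })
            MethodCount        = $methods.Count
            NoMethodRegistered = ($methods.Count -eq 0)
        }
    }
}

# Constructed sample users (not real tenant data), shaped like Get-MsolUser output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsLicensed = $true
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ IsDefault = $true;  MethodType = 'PhoneAppNotification' },
            [pscustomobject]@{ IsDefault = $false; MethodType = 'OneWaySMS' }) }
    # No per-user state, but a method is registered.
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; IsLicensed = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ IsDefault = $true; MethodType = 'OneWaySMS' }) }
    # Licensed, no state and no method: the account to follow up on first.
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IsLicensed = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
    # Per-user state set, but no method registered yet.
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'; IsLicensed = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods = @() }
)

$sample | Get-MfaReportRow |
    Sort-Object @{ Expression = 'NoMethodRegistered'; Descending = $true }, UserPrincipalName |
    Format-Table -AutoSize

# Against a live tenant, feed real users in and export as in the command above:
# Get-MsolUser -All | Get-MfaReportRow | Export-Csv -NoTypeInformation C:\export\MFAStatus.csv
```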


Updated on November 19, 2022
