There are many ways to determine if users have MFA enabled on their Office 365 accounts including viewing MFA status via the Office 365 Admin Portal but in some cases MFA is enabled via Security Groups and the Admin portal will not display if users have MFA enabled or not.
Below are a few different Powershell commands that can be used to report users MFA status.
In order to run these commands you will need to connect to your Office 365 tenant using powershell. Instructions on how to do this can be found here: http://itwalkthroughs.com/knowledge-base/connect-to-office-365-via-powershell-with-mfa-enabled-account/
List MFA status of all users (Enabled or Disabled)
The following command will display a list of all Office 365 user accounts and their MFA status as Enforced or Disabled
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}Output:
List MFA Type of all users (SMS, App, Disabled)
The following command will display a list of all Office 365 user accounts and their MFA Type. E.G it will show if they are using MFA via the SMS Push method or the Authenticator App or Disabled
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | FT -AutoSizeOutput:
List all users that have MFA enabled only
The following command will display generate a list of ONLY the users who have MFA enabled
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 1} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalnameOutput:
List all users that have DONT HAVE MFA enabled only
The following command will display generate a list of users who DONT have MFA enabled
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalnameOutput:
List MFA status of all “licensed” users and export to a csv file
The following command will export to csv a list of the MFA status of all licensed users. The file will be exported to the folder C:\export so this folder needs to exist.
Get-MsolUser -all | where {$_.isLicensed -eq $true} | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | Export-Csv -NoTypeInformation C:\export\MFAStatus.csvOutput:
