PowerShell : Entra MFA Status Script

If you want an Entra report of all licensed users who have MFA enabled, PowerShell can produce it. Only licensed users need to be reported on: unlicensed users usually have no access to services in your tenant, so they cannot realistically register for MFA.

Script Output

This script generates a summary report showing the total number of licensed users and the percentage of them with MFA enabled:


MFA - you should know about that!

MFA here means any MFA-based sign-in protection; certificates are not classed as an MFA method. The full list is below. Voice and SMS appear on the list but are not considered secure, which is why the original shows them struck through:

Microsoft Authenticator
Authenticator Lite (in Outlook)
Windows Hello for Business
FIDO2 security key
OATH hardware token (preview)
OATH software token
SMS (struck through: not considered secure)
Voice call (struck through: not considered secure)

Conditional Access (or CAP, for Conditional Access Policies) then enforces these protection methods as shown below, where each policy can Allow, Require MFA or Block:



The script

All you need to do is connect to your tenant and the script does the rest. Note that the script uses the AzureAD module (Connect-AzureAD), which Microsoft has deprecated in favour of the Microsoft Graph PowerShell SDK.

# Connect to Azure AD
Connect-AzureAD

# Initialize variables for counting users with MFA enabled
$totalUsers = 0
$usersWithMFA = 0

# Initialize an array to store user information
$userInfo = @()

# Get users with Office E5 licenses assigned
$licensedUsers = Get-AzureADUser -All $true | Where-Object { $_.AssignedLicenses -ne $null -and $_.AssignedLicenses.SkuID -contains "c7df2760-2c81-4ef7-b578-5b5392b571df" }

# Iterate through users with Office E5 licenses
foreach ($user in $licensedUsers) {
    $totalUsers++
    
    $userData = [PSCustomObject]@{
        'User' = $user.DisplayName
        'MFA Methods' = @()
        'MFA Status' = ""
    }
    
    # Get the user's MFA information. Note: Get-AzureADUserRegisteredDevice returns the Entra
    # device objects registered to the user, not their registered authentication methods, so
    # this script treats a device registration as a proxy for MFA being enabled.
    $mfaMethods = Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId
    
    foreach ($method in $mfaMethods) {
        $userData.'MFA Methods' += $method.DisplayName
    }

    # Check for MFA status
    if ($mfaMethods.Count -gt 0) {
        $usersWithMFA++
        $userData.'MFA Status' = "Enabled"
    } else {
        $userData.'MFA Status' = "Not enabled"
    }

    # Add user data to the array
    $userInfo += $userData
}

# Calculate percentage of users with MFA enabled
if ($totalUsers -gt 0) {
    $percentageMFAEnabled = ($usersWithMFA / $totalUsers) * 100
} else {
    $percentageMFAEnabled = 0
}

# Display summary information
Write-Host "Total Users with Office E5 Licenses: $totalUsers"
Write-Host "Users with MFA Enabled: $usersWithMFA"
Write-Host "Percentage of Users with MFA Enabled: $percentageMFAEnabled%"
Write-Host "-------------------------"

Optional Updates

Exclude certain UPNs from the list?

Simple: add the extra -notmatch conditions to the Get-AzureADUser filter (they are the part shown in bold in the original), replacing "string", "string2" and "string3" with the UPN prefixes you actually want to exclude:

# Get users with Office E5 licenses assigned, excluding specific username prefixes
# ($excludedUsernames is optional; it is defined in the "external file" section below and is $null otherwise)
$licensedUsers = Get-AzureADUser -All $true | Where-Object { 
    $_.AssignedLicenses -ne $null -and 
    $_.AssignedLicenses.SkuID -contains "c7df2760-2c81-4ef7-b578-5b5392b571df" -and
    $_.UserPrincipalName -notmatch "^string" -and
    $_.UserPrincipalName -notmatch "^string2" -and
    $_.UserPrincipalName -notmatch "^string3" -and
    $_.UserPrincipalName -notin $excludedUsernames
}

Exclude a certain ExtensionAttribute from the list

If you have lots of accounts to exclude, it may be easier to key off an ExtensionAttribute value, since many of these attributes are unused. In this example, any account whose ExtensionAttribute5 is set to "NotUser" is excluded.

# Get users with Office E5 licenses assigned, excluding accounts whose extensionAttribute5 is "NotUser".
# Synced extension attributes are exposed in the user's ExtensionProperty dictionary, not as a top-level property.
$licensedUsers = Get-AzureADUser -All $true | Where-Object { 
    $_.AssignedLicenses -ne $null -and 
    $_.AssignedLicenses.SkuID -contains "c7df2760-2c81-4ef7-b578-5b5392b571df" -and
    $_.UserPrincipalName -notin $excludedUsernames -and
    $_.ExtensionProperty["extensionAttribute5"] -ne "NotUser"
}

Exclude Users from Search - based on the username exclusions

If you wish to exclude every username that starts with one of the prefixes listed in an external file (one prefix per line), read the file first:

# Read excluded usernames from the text file
$excludedUsernames = Get-Content -Path "ExcludedUsernames.txt"

Then update the $licensedUsers section to this:

# Get users with Office E5 licenses assigned, excluding any UPN that starts with a prefix from the file.
# The user's UPN is captured first because $_ inside the inner Where-Object refers to the prefix, not the user.
$licensedUsers = Get-AzureADUser -All $true | Where-Object { 
    $upn = $_.UserPrincipalName
    $_.AssignedLicenses -ne $null -and 
    $_.AssignedLicenses.SkuID -contains "c7df2760-2c81-4ef7-b578-5b5392b571df" -and 
    -not ($excludedUsernames | Where-Object { $upn -like "$_*" })
}

Show User Authentication in a table at the end of the script

If you wish to see a list of users and their authentication methods then add this to the end of the script:

# Display individual user information in a table
$userInfo | Format-Table -Property User, 'MFA Methods', 'MFA Status' -AutoSize

Export User Authentication to a CSV file

If you wish to see a list of users and their authentication methods in a CSV file use this instead: 

# Export individual user information to a CSV file.
# 'MFA Methods' is an array, so it is joined into one string; otherwise Export-Csv writes "System.Object[]".
$userInfo | Select-Object User, @{Name = 'MFA Methods'; Expression = { $_.'MFA Methods' -join '; ' }}, 'MFA Status' | Export-Csv -Path "UserInfo.csv" -NoTypeInformation

Add the "Department" for the user from Entra

If you would like to include the department the user is located in then use this:

# Export individual user information to a CSV file, including the department.
# Add 'Department' = $user.Department to the $userData object in the main loop first, otherwise the column is empty.
$userInfo | Select-Object User, Department, @{Name = 'MFA Methods'; Expression = { $_.'MFA Methods' -join '; ' }}, 'MFA Status' | Export-Csv -Path "UserInfo_WithDepartment_Excluded.csv" -NoTypeInformation
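The following is an added example, not the post's script, that rebuilds the whole report (main script plus the prefix-exclusion, table, CSV and department options above) on the Microsoft Graph PowerShell SDK, which replaces the deprecated AzureAD module. Unlike Get-AzureADUserRegisteredDevice, Get-MgUserAuthenticationMethod returns the user's actual registered authentication methods, so the report can apply the post's own rule: only the methods in the list above count as MFA, while SMS and voice (phoneAuthenticationMethod), certificates, passwords, e-mail and Temporary Access Passes are recorded but do not count. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed, reuses the post's E5 SKU id and the optional ExcludedUsernames.txt prefix file, and the variable and output file names are the example's own choices.

```powershell
# Added example (not the post's script): MFA status report via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns are installed.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Office 365 E5 SKU id, as used in the post's script
$skuId = "c7df2760-2c81-4ef7-b578-5b5392b571df"

# Optional UPN prefixes to exclude, one per line (file name taken from the post; missing file = no exclusions)
$excludedPrefixes = @()
if (Test-Path "ExcludedUsernames.txt") {
    $excludedPrefixes = Get-Content -Path "ExcludedUsernames.txt" | Where-Object { $_ -ne "" }
}

# Map Graph @odata.type values to a label and whether the method counts as MFA per the post's list.
# Authenticator Lite registers under the Microsoft Authenticator type (assumption noted in the lead-in).
$methodMap = @{
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"  = @{ Label = "Microsoft Authenticator";    Strong = $true }
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" = @{ Label = "Windows Hello for Business"; Strong = $true }
    "#microsoft.graph.fido2AuthenticationMethod"                   = @{ Label = "FIDO2 security key";         Strong = $true }
    "#microsoft.graph.softwareOathAuthenticationMethod"            = @{ Label = "OATH software token";        Strong = $true }
    "#microsoft.graph.hardwareOathAuthenticationMethod"            = @{ Label = "OATH hardware token";        Strong = $true }
    "#microsoft.graph.phoneAuthenticationMethod"                   = @{ Label = "SMS / voice (weak)";         Strong = $false }
    "#microsoft.graph.x509CertificateAuthenticationMethod"         = @{ Label = "Certificate";                Strong = $false }
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod"     = @{ Label = "Temporary Access Pass";      Strong = $false }
    "#microsoft.graph.emailAuthenticationMethod"                   = @{ Label = "E-mail (SSPR only)";         Strong = $false }
    "#microsoft.graph.passwordAuthenticationMethod"                = @{ Label = "Password";                   Strong = $false }
}

# Server-side filter on the assigned SKU; only the properties the report needs are requested
$licensedUsers = Get-MgUser -All `
    -Filter "assignedLicenses/any(l:l/skuId eq $skuId)" `
    -Property Id, DisplayName, UserPrincipalName, Department

$report = foreach ($user in $licensedUsers) {
    # Skip UPNs that start with any excluded prefix
    if ($excludedPrefixes | Where-Object { $user.UserPrincipalName -like "$_*" }) { continue }

    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $labels = @()
    $strong = $false
    foreach ($m in $methods) {
        $type  = $m.AdditionalProperties["@odata.type"]
        $entry = $methodMap[$type]
        if ($null -eq $entry) { $labels += $type; continue }   # unknown type: record it, do not count it
        $labels += $entry.Label
        if ($entry.Strong) { $strong = $true }
    }
    $status = if ($strong) { "Enabled" } else { "Not enabled" }

    [PSCustomObject]@{
        User          = $user.DisplayName
        UPN           = $user.UserPrincipalName
        Department    = $user.Department
        'MFA Methods' = ($labels | Sort-Object -Unique) -join "; "
        'MFA Status'  = $status
    }
}

# Summary: a user counts as MFA-enabled only if at least one strong method is registered
$total   = @($report).Count
$enabled = @($report | Where-Object { $_.'MFA Status' -eq "Enabled" }).Count
$pct     = if ($total -gt 0) { [math]::Round(100 * $enabled / $total, 1) } else { 0 }

Write-Host "Total Users with Office E5 Licenses: $total"
Write-Host "Users with MFA Enabled (strong method registered): $enabled"
Write-Host "Percentage of Users with MFA Enabled: $pct%"
Write-Host "-------------------------"

# Per-user detail as a table and as a CSV (methods are already a joined string, so Export-Csv is clean)
$report | Format-Table -Property User, Department, 'MFA Methods', 'MFA Status' -AutoSize
$report | Export-Csv -Path "UserInfo.csv" -NoTypeInformation
```

Because the method types are classified rather than merely counted, a user whose only registered method is SMS shows as "Not enabled" with "SMS / voice (weak)" in the methods column, which is the distinction the strikethrough in the method list is making.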