
PowerShell: Report MFA Users for Azure AD (Office365)

With events like the MFA outage on Monday, basic reporting on MFA users might be handy.

Here is my approach:

#requires -Version 3.0 -Modules MSOnline
function Get-MFAUserReport
{
  <#
      .SYNOPSIS
      Get an Azure AD MFA User report

      .DESCRIPTION
      Get an Azure AD MFA User report, the function can export the report as CSV.
      The export is disabled by default.

      .PARAMETER Export
      Export the MFA Report to CSV?

      .PARAMETER Path
      Path of the MFA Export CSV

      .EXAMPLE
      PS> Get-MFAUserReport

      Get an Azure AD MFA User report

      .EXAMPLE
      PS> Get-MFAUserReport -Export

      Get an Azure AD MFA User report and export it to the default path (C:\scripts\PowerShell\exports\MFAUsers.csv)

      .EXAMPLE
      PS> Get-MFAUserReport -Export -Path 'C:\scripts\PowerShell\exports\AllMFAUsers.csv'

      Get an Azure AD MFA User report and export it to the given path (C:\scripts\PowerShell\exports\AllMFAUsers.csv)

      .NOTES
      ParameterSet added
  #>

  [CmdletBinding(DefaultParameterSetName = 'Normal',
  SupportsShouldProcess = $true)]
  param
  (
    [Parameter(ParameterSetName = 'Export',
        ValueFromPipeline = $true,
    Position = 1)]
    [Alias('CSV')]
    [switch]
    $Export,
    [Parameter(ParameterSetName = 'Export',
        ValueFromPipeline = $true,
    Position = 2)]
    [string]
    $Path = 'C:\scripts\PowerShell\exports\MFAUsers.csv'
  )

  begin
  {
    # Cleanup
    $Report = @()
    $i = 0

    if ($pscmdlet.ShouldProcess('MFA Users', 'Get'))
    {
      # get all Accounts
      $Accounts = (Get-MsolUser -All | Where-Object -FilterScript {
          $_.StrongAuthenticationMethods -ne $Null
      } | Sort-Object -Property DisplayName)
    }
  }

  process
  {
    if ($pscmdlet.ShouldProcess('MFA Users', 'Process'))
    {
      foreach ($Account in $Accounts)
      {
        $AccountDisplayName = $Account.DisplayName
        Write-Verbose -Message ('Processing {0}' -f $AccountDisplayName)

        # Counter
        $i++

        # Reset per account so a previous user's default method is not carried over
        $Method = $null

        # Select Methods
        $Methods = ($Account | Select-Object -ExpandProperty StrongAuthenticationMethods)
        $MFA = ($Account | Select-Object -ExpandProperty StrongAuthenticationUserDetails)
        $State = ($Account | Select-Object -ExpandProperty StrongAuthenticationRequirements)

        $Methods | ForEach-Object -Process {
          if ($_.IsDefault -eq $true)
          {
            $Method = $_.MethodType
          }
        }

        if ($State.State)
        {
          $MFAStatus = $State.State
        }
        else
        {
          $MFAStatus = 'Disabled'
        }

        $Object = [PSCustomObject][Ordered]@{
          User      = $Account.DisplayName
          UPN       = $Account.UserPrincipalName
          MFAMethod = $Method
          MFAPhone  = $MFA.PhoneNumber
          MFAEmail  = $MFA.Email
          MFAStatus = $MFAStatus
        }

        # Add object to report
        $Report += $Object
      }
    }
  }

  end
  {
    if ($pscmdlet.ShouldProcess('MFA Users', 'Report'))
    {
      Write-Verbose -Message ('{0} accounts have MFA methods registered' -f $i)

      if ($pscmdlet.ParameterSetName -eq 'Export')
      {
        $Report | Export-Csv -NoTypeInformation -Path $Path -Force
      }
      else
      {
        # Dump to console
        $Report
      }
    }
  }
}
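
The report lists every account with a registered method, including accounts whose MFAStatus falls back to 'Disabled' and accounts with no method flagged as default. As an added example (not part of the original script), the hypothetical helper Get-MFAReportGap below filters report rows down to those accounts; the sample rows are constructed.

```powershell
# Added example: hypothetical helper, not part of the original script.
function Get-MFAReportGap
{
  [CmdletBinding()]
  param
  (
    [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
    [psobject]
    $Row
  )

  process
  {
    $Findings = @()

    # 'Disabled' is the per-user MFA state only; the report cannot see
    # Conditional Access policies that may still require MFA.
    if ($Row.MFAStatus -eq 'Disabled')
    {
      $Findings += 'Per-user MFA state is Disabled'
    }

    # Empty when no registered method is flagged IsDefault
    if ([string]::IsNullOrEmpty($Row.MFAMethod))
    {
      $Findings += 'No default MFA method'
    }

    if ($Findings.Count -gt 0)
    {
      [PSCustomObject]@{
        UPN       = $Row.UPN
        MFAStatus = $Row.MFAStatus
        Findings  = ($Findings -join '; ')
      }
    }
  }
}

# Constructed sample rows in the shape of the exported CSV (not real data)
$Sample = @'
"User","UPN","MFAMethod","MFAPhone","MFAEmail","MFAStatus"
"Alice Example","alice@contoso.example","PhoneAppNotification","","","Enforced"
"Bob Example","bob@contoso.example","OneWaySMS","+1 555 0100","","Disabled"
"Carol Example","carol@contoso.example","","","","Enabled"
'@ | ConvertFrom-Csv

$Sample | Get-MFAReportGap
```

For a real export, pipe the output of Import-Csv on the file written by Get-MFAUserReport -Export into the helper instead of $Sample.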
