
PowerShell: Report MFA Users for Azure AD (Office365)

With events like the MFA outage on Monday, a basic report of MFA users might be handy.

Here is my approach:

#requires -Version 3.0 -Modules MSOnline
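function Get-MFAUserReport
{
  <#
      .SYNOPSIS
      Get an Azure AD MFA user report

      .DESCRIPTION
      Get an Azure AD MFA user report, the function can export the report as CSV.
      The export is disabled by default.

      Only accounts that have at least one registered strong authentication
      method are listed. Accounts without any registered method are not part
      of the report, so it is not a list of users who lack MFA.

      MFAStatus is taken from the per-user StrongAuthenticationRequirements
      state. 'Disabled' means no per-user state is set; MFA enforced by other
      means (e.g. Conditional Access) is not reflected in this column.

      .PARAMETER Export
      Export the MFA Report to CSV?

      .PARAMETER Path
      Path of the MFA Export CSV

      .EXAMPLE
      PS> Get-MFAUserReport

      Get an Azure AD MFA user report

      .EXAMPLE
      PS> Get-MFAUserReport -Export

      Get an Azure AD MFA user report and export it to the default report (C:\scripts\PowerShell\exports\MFAUsers.csv)

      .EXAMPLE
      PS> Get-MFAUserReport -Export -Path 'C:\scripts\PowerShell\exports\AllMFAUsers.csv'

      Get an Azure AD MFA user report and export it to the given report (C:\scripts\PowerShell\exports\AllMFAUsers.csv)

      .NOTES
      ParameterSet added

      The report contains the phone numbers and e-mail addresses users
      registered for MFA. Treat the CSV as sensitive: write it to a location
      with restricted access and remove it when it is no longer needed.

      The MSOnline module used here is deprecated by Microsoft in favour of
      Microsoft Graph PowerShell.
  #>

	[CmdletBinding(DefaultParameterSetName = 'Normal',
						SupportsShouldProcess = $true)]
	param
	(
		[Parameter(ParameterSetName = 'Export',
					  ValueFromPipeline = $true,
					  Position = 1)]
		[Alias('CSV')]
		[switch]
		$Export,
		[Parameter(ParameterSetName = 'Export',
					  ValueFromPipeline = $true,
					  Position = 2)]
		[string]
		$Path = 'C:\scripts\PowerShell\exports\MFAUsers.csv'
	)

	begin
	{
		# Start from a clean state. A list avoids re-allocating the whole
		# array on every '+=' when the tenant has many accounts.
		$Report = New-Object -TypeName 'System.Collections.Generic.List[object]'

		# The counter must start at 0, otherwise the summary message is empty
		# when no account matches.
		$i = 0

		if ($pscmdlet.ShouldProcess('MFA Users', 'Get'))
		{
			# Get all accounts that have at least one registered method.
			# '-ne $Null' on the collection keeps the non-null entries, so an
			# empty collection evaluates to false and the account is skipped.
			$Accounts = (Get-MsolUser -All | Where-Object -FilterScript {
					$_.StrongAuthenticationMethods -ne $Null
				} | Sort-Object -Property DisplayName)
		}
	}

	process
	{
		if ($pscmdlet.ShouldProcess('MFA Users', 'Process'))
		{
			foreach ($Account in $Accounts)
			{
				$AccountDisplayName = $Account.DisplayName
				Write-Verbose -Message ('Processing {0}' -f $AccountDisplayName)

				# Counter
				$i++

				# Select Methods
				$Methods = ($Account | Select-Object -ExpandProperty StrongAuthenticationMethods)
				$MFA = ($Account | Select-Object -ExpandProperty StrongAuthenticationUserDetails)
				$State = ($Account | Select-Object -ExpandProperty StrongAuthenticationRequirements)

				# Reset per account: without this, an account that has no
				# default method would be reported with the default method of
				# the previously processed account.
				$Method = $null

				foreach ($Entry in $Methods)
				{
					if ($Entry.IsDefault -eq $true)
					{
						$Method = $Entry.MethodType
					}
				}

				if ($State.State)
				{
					$MFAStatus = $State.State
				}
				else
				{
					# No per-user requirement is set for this account
					$MFAStatus = 'Disabled'
				}

				$Object = [PSCustomObject][Ordered]@{
					User = $Account.DisplayName
					UPN  = $Account.UserPrincipalName
					MFAMethod = $Method
					MFAPhone = $MFA.PhoneNumber
					MFAEmail = $MFA.Email
					MFAStatus = $MFAStatus
				}

				# Add object to report
				$Report.Add($Object)
			}

			# Both parameters accept pipeline input, so this block can run
			# more than once. Clear the list so that the accounts are not
			# added to the report a second time.
			$Accounts = $null
		}
	}

	end
	{
		if ($pscmdlet.ShouldProcess('MFA Users', 'Report'))
		{
			Write-Verbose -Message ('{0} accounts are MFA-enabled' -f $i)

			if ($pscmdlet.ParameterSetName -eq 'Export')
			{
				# The file holds MFA phone numbers and e-mail addresses;
				# -Force overwrites an existing report at this path.
				$Report | Export-Csv -NoTypeInformation -Path $Path -Force
			}
			else
			{
				# Dump to console
				$Report
			}
		}
	}
}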