o365reports.com
Open in
urlscan Pro
172.67.189.32
Public Scan
Submitted URL: https://o365reports.com/2019/05/09/export-office-365-users-mfa-status-csv/#Download-Script%3A-GetMFAStatus.ps1
Effective URL: https://o365reports.com/2019/05/09/export-office-365-users-mfa-status-csv/
Submission: On February 09 via manual from CA — Scanned from CA
Effective URL: https://o365reports.com/2019/05/09/export-office-365-users-mfa-status-csv/
Submission: On February 09 via manual from CA — Scanned from CA
Form analysis 3 forms found in the DOM
GET https://o365reports.com/
<form role="search" method="get" class="search-form" action="https://o365reports.com/">
<div class="vs-input-group">
<i class="vs-icon vs-icon-search"></i>
<div class="input-container">
<input spellcheck="false" autocomplete="off" autocapitalize="off" type="text" value="" name="s" class="search-field" placeholder="Search o365reports.com" required="">
<i onclick="if (!window.__cfRLUnblockHandlers) return false; exitSearch()" class="exit-search vs-icon vs-icon-x input-clear-btn"></i>
<button aria-label="search-submit" type="submit" class="search-submit">
<i class="vs-icon-arrow-right"></i>
</button>
</div>
</div>
<script type="text/javascript">
function exitSearch() {
const inputField = document.querySelectorAll('.search-form .search-field');
if (document.body.classList.contains('search') || document.body.classList.contains('search-results')) {
const newURL = window.location.origin + window.location.pathname;
window.location.href = newURL;
} else {
inputField.forEach(field => {
field.value = '';
});
}
}
</script>
</form>GET https://o365reports.com/
<form role="search" method="get" class="search-form" action="https://o365reports.com/">
<div class="vs-input-group">
<i class="vs-icon vs-icon-search"></i>
<div class="input-container">
<input spellcheck="false" autocomplete="off" autocapitalize="off" type="text" value="" name="s" class="search-field" placeholder="Search o365reports.com" required="">
<i onclick="if (!window.__cfRLUnblockHandlers) return false; exitSearch()" class="exit-search vs-icon vs-icon-x input-clear-btn"></i>
<button aria-label="search-submit" type="submit" class="search-submit">
<i class="vs-icon-arrow-right"></i>
</button>
</div>
</div>
<script type="text/javascript">
function exitSearch() {
const inputField = document.querySelectorAll('.search-form .search-field');
if (document.body.classList.contains('search') || document.body.classList.contains('search-results')) {
const newURL = window.location.origin + window.location.pathname;
window.location.href = newURL;
} else {
inputField.forEach(field => {
field.value = '';
});
}
}
</script>
</form>POST #mc_signup
<form method="post" action="#mc_signup" class="subscribe-form" id="orb_signup_form">
<input type="hidden" id="orb_submit_type" name="mc_submit_type" value="js">
<input type="hidden" name="mcsf_action" value="mc_submit_signup_form">
<input type="hidden" id="_mc_submit_signup_form_nonce" name="_mc_submit_signup_form_nonce" value="e2a49b2825"> <input autocapitalize="off" autocomplete="off" spellcheck="false" type="email" placeholder="Your email" name="mc_mv_EMAIL"
id="mc_mv_EMAIL" value="">
<button type="submit" name="mc_signup_submit" id="orb_signup_submit" class="btn-subscribe" value="Subscribe">Subscribe</button>
</form>Text Content
Browse Categories
Home
Office 365 Reports
PowerShell Scripts
Tools
News
Security
Exchange Online
Office 365
SharePoint Online
All Posts
Office 365 Reports
o365reports.com
Home
Office 365 Reports
PowerShell Scripts
Tools
News
Security
Exchange Online
Office 365
SharePoint Online
All Posts
Exchange Online
May 9, 2019
EXPORT OFFICE 365 USERS MFA STATUS TO CSV
by Kathy Cooper
6 min read
96 Comments
WHAT IS MFA?
Multi-factor Authentication (MFA) plays a vital role in securing user accounts.
As the name suggests, it uses multiple methods to identify an authorized user.
You can get to know more about what is MFA, how it works and how to execute a
PowerShell script with MFA enabled accounts.
MFA IN OFFICE 365
To protect your office 365 environment, you need to configure MFA for user and
admin accounts. Before dive into setting up MFA for users in your tenant, you
should understand various MFA status. There are three settings that a user
account can be set to:
1. Disabled – MFA is not required to sign in. This is the default state for new
users.
2. Enabled – The user has been enrolled in multi-factor authentication but has
not completed the registration process. They will be prompted to complete
the process next time they log in.
3. Enforced – The user has either completed the enrollment process or they have
been administratively “Enforced” to use MFA. They must set up MFA to login
Office 365 apps.
All users start out Disabled. When you enroll users in Azure MFA, their state
changes to Enabled. When enabled users sign in and complete the registration
process, their state changes to Enforced.
HOW TO CHECK IF MFA IS ENABLED IN OFFICE 365 USING POWERSHELL?
You can get a list of users with their MFA status through Office 365 Admin
Center, but you can’t view other necessary information like MFA activation
status, Configured MFA methods, default MFA methods, MFA Phone number, MFA mail
id, license status admin roles, etc. With Powershell, you can get all the
necessary information.
Note: If you want to view all the information with the Graphical User
Interface(GUI), you can try Office 365 Reporting tool by AdminDroid.
We have written a PowerShell script to export Office 365 users’ MFA status along
with many useful information about the user account. The Script will return MFA
enabled and enforced users by default. If you want to list MFA disabled users,
you need to use –DisabledOnly param.
> DOWNLOAD SCRIPT: GETMFASTATUS.PS1
UPDATE: GET MFA STATUS REPORT USING MICROSOFT GRAPH POWERSHELL
Since ‘MsOnline’ and ‘AzureAD’ PowerShell modules are going to retire after
2022, we have written a script to export MFA status reports using Microsoft
Graph PowerShell. With this advanced script, you can generate 7+ MFA reports
with 10+ user/MFA properties. For more info, refer to: Export MFA status report
using MS Graph PowerShell
SCRIPT HIGHLIGHTS:
* The result can be filtered based on MFA status. i.e., you can filter MFA
enabled users/enforced users/disabled users alone. For example using the
‘EnabledOnly‘ flag you shall export Office 365 users’ MFA enabled status to
CSV file.
* Exports result to CSV file.
* Result can be filtered based on Admin users.
* You can filter result to display Licensed users alone.
* You can filter result based on SignIn Status (SignIn allowed/denied).
* The script produces different output files based on MFA status.
* You can use this script to get users’ MFA status set by Conditional Access.
* The script can be executed with MFA enabled account.
* Using the ‘Admin Roles’ column, you can find users with admin roles that are
not protected with MFA. For example, you can find Global Admins without MFA.
* The script is scheduler friendly. i.e., credentials can be passed as
parameter instead of saving inside the script.
EXPORT MFA STATUS REPORT – SAMPLE OUTPUT:
The exported MFA status report will look similar to below screenshots.
MFA ENABLED USERS REPORT (FOR ENABLED/ENFORCED USERS):
MFA enabled user report has the following attributes: Display Name, User
Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA
Methods, MFA Phone, MFA Email, License Status, IsAdmin, Admin Roles, SignIn
Status.
MFA DISABLED USERS REPORT:
MFA disabled user report has the following attributes: Display Name, User
Principal Name, Department, MFA Status, License Status, Is Admin, Admin Roles,
SignIn Status.
HOW TO GET MFA STATUS REPORT USING POWERSHELL?
This All-in-One PowerShell script allows you to generate 10 different kind of
Office 365 MFA status report. By default, the script will return MFA enabled and
enforced users report.
PowerShell
./GetMFAStatus.ps1
1
./GetMFAStatus.ps1
You can use the params/switches to get more granular MFA status report.
HOW CAN I FILTER OFFICE 365 MFA REPORT?
GET A REPORT ON USERS’ MFA ENABLED STATUS:
As an Office 365 admin, often you ask ‘How to check if MFA is enabled in office
365’? The solution is here. By using –EnabledOnly param, you can export MFA
enabled users to CSV file.
PowerShell
./GetMFAStatus.ps1 -EnabledOnly
1
./GetMFAStatus.ps1 -EnabledOnly
EXPORT OFFICE 365 USERS’ MFA ENFORCED STATUS REPORT TO CSV:
Some users may enabled MFA but not enforced (registration process not completed)
for MFA. You can get a list of MFA enforced users using -EnforcedOnly param.
PowerShell
./GetMFAStatus.ps1 -EnforcedOnly
1
./GetMFAStatus.ps1 -EnforcedOnly
LIST OFFICE 365 USERS WITHOUT MFA:
MFA provides an additional level of security to accounts. To view MFA disabled
users, you can run this script with -DisabledOnly param.
PowerShell
./GetMFAStatus.ps1 -DisabledOnly
1
./GetMFAStatus.ps1 -DisabledOnly
By referring to this report, admins can enable MFA for a specific user(s) or all
users.
EXPORT OFFICE 365 ADMINS WITHOUT MFA:
As admin accounts have more privileges, it requires special attention. According
to a recent survey, 78% of Microsoft 365 admins don’t activate MFA for their
accounts. To find admins without multi-factor authentication, run the script
using –AdminOnly param.
PowerShell
./GetMFAStatus.ps1 -AdminOnly -DisabledOnly
1
./GetMFAStatus.ps1 -AdminOnly -DisabledOnly
The exported MFA report lists admin accounts(users) that are not protected with
MFA. By referring to this report, you can enable MFA to secure administrator
accounts.
EXPORT LICENSED USERS’ MFA STATUS REPORT
Instead of generating MFA status report for all the users, you can get MFA
status for licensed users alone. You can use –LicensedUserOnly param to get
licensed users’ MFA status
* To view MFA activation status for licensed users,
PowerShell
./GetMFAStatus.ps1 -LicensedUserOnly
1
./GetMFAStatus.ps1 -LicensedUserOnly
* To view all the licensed users who have not configured MFA,
PowerShell
./GetMFAStatus.ps1 -LicensedUserOnly -DisabledOnly
1
./GetMFAStatus.ps1 -LicensedUserOnly -DisabledOnly
EXPORT USERS’ MFA STATUS BASED ON SIGN-IN STATUS
Most organizations keep former employees’ accounts in a disabled state. So, we
have –SignInAllowed param, to filter the result based on SignIn status,
* To view sign-in allowed users without MFA
PowerShell
./GetMFAStatus.ps1 -SignInAllowed $True -DisabledOnly
1
./GetMFAStatus.ps1 -SignInAllowed $True -DisabledOnly
* To list sign-in denied users with MFA,
PowerShell
./GetMFAStatus.ps1 -SignInAllowed $False
1
./GetMFAStatus.ps1 -SignInAllowed $False
Note:
You can use multiple filters together to get a more granular MFA status report.
For example,
* You can get a list of MFA status enabled users whose sign-in status is
denied.
PowerShell
./GetMFAStatus.ps1 -EnabledOnly –SignInAllowed $False
1
./GetMFAStatus.ps1 -EnabledOnly –SignInAllowed $False
* You can get a list of MFA disabled admin users whose sign-in status is
allowed.
PowerShell
./GetMFAStatus.ps1 -DisabledOnly –AdminOnly –SignInAllowed $True
1
./GetMFAStatus.ps1 -DisabledOnly –AdminOnly –SignInAllowed $True
HOW CAN I SCHEDULE MFA STATUS REPORT?
You can get the MFA status report periodically, by scheduling the PowerShell
script in the Task Scheduler. You can schedule this script by explicitly
mentioning the credential, as follows:
PowerShell
<Script Location>\.GetMFAStatus.ps1 -UserName <UserName> -Password <Password>
1
<Script Location>\.GetMFAStatus.ps1 -UserName <UserName> -Password <Password>
To know more about scheduling PowerShell script, refer to our blog: Schedule
PowerShell script using Task Scheduler.
GET MORE DETAILED OFFICE 365 MFA REPORTS:
Are you tired of manually executing scripts and sending the result to email? If
YES, I’d suggest you try AdminDroid Office 365 reporting tool.
AdminDroid has a dedicated MFA dashboard and more detailed MFA reports. You can
schedule them and send the report to the preferred email addresses. Also, you
can apply the filter on any columns to see only the required information. MFA
reports includes,
1. MFA Activated Users – Lists all users who have activated MFA on their
accounts.
2. Users with MFA – Lists all users who have MFA enabled on their accounts
3. Users without MFA – Lists all users who do not have MFA enabled on their
accounts.
4. MFA Enabled Users – Lists all users who have MFA enabled on their accounts
5. MFA Enforced Users – Lists all users who have MFA enforced on their
accounts.
6. MFA Non-Activated Users – Lists users who have MFA enabled but have not yet
activated.
7. MFA Device Details – Lists device details that users have used to
authenticate with MFA.
8. MFA User Details – Provides information about individual users’ MFA
settings.
9. Conditional Access Policies with MFA – Lists the MFA configured CA
policies.
10. MFA Enabled CA Policies: condition details – Provides an overview of
conditions that are associated with MFA-enabled CA policies.
11. MFA Included/Excluded Users based on CA Policies – Provides detailed
information on MFA included and excluded users based on CA policies.
Besides, AdminDroid Offers over 120+ free reports and a handful of dashboards.
It includes reports on Users, Licenses, Groups, Group Members, Devices, Login
Activities, Password Changes, License Changes, and more. You can do
customization, scheduling, and exporting. You can download Free Azure AD
reporter and see how it helps you.
Additionally, AdminDroid provides 1800+ pre-built reports and 30+ dashboards on
various Office 365 services like Azure AD, Exchange Online, SharePoint Online,
Microsoft Teams, etc. For your Office 365 reporting and auditing needs, you can
try Microsoft 365 reporting tool by AdminDroid and see how it helps for you.
We hope this post was helpful. If you modify the script and use it for other use
cases, then please leave your idea in the comment section and help more admins.
MFA disabled users reportMFA enabled users reportMFA enforced users reportMFA
StatusOffice 365 Admins without MFA reportOffice 365 MFA ReportOffice 365 MFA
Status
Share article
CONNECT TO EXCHANGE ONLINE POWERSHELL USING MFA (MULTI FACTOR AUTHENTICATION)
EXPORT OFFICE 365 DISTRIBUTION GROUP MEMBERS USING POWERSHELL
You may also like these blogs:
* Use Cross-Tenant Synchronization in Azure AD to…
* Office 365 Auditing Report Tool
* Get MFA Status of Office 365 Users Using Microsoft…
* Entra Exporter Tool - Effortlessly Backup Microsoft…
* Get Azure AD Devices Report Using PowerShell
* Export Office 365 Users’ Last Logon Time to CSV
Table of Contents
* What is MFA?
* MFA in Office 365
* How to Check if MFA is Enabled in Office 365 using PowerShell?
* Download Script: GetMFAStatus.ps1
* Script Highlights:
* Export MFA Status Report – Sample Output:
* How to Get MFA Status Report Using PowerShell?
* How can I filter Office 365 MFA Report?
* Get a Report on Users’ MFA Enabled Status:
* Export Office 365 Users’ MFA Enforced Status Report to CSV:
* List Office 365 Users Without MFA:
* Export Office 365 Admins Without MFA:
* Export Licensed Users’ MFA Status Report
* Export Users’ MFA Status Based on Sign-In Status
* How can I Schedule MFA Status Report?
* Get More Detailed Office 365 MFA Reports:
Share article
AdminDroid
One tool solution for complete Microsoft 365 Management
Get report on anything in Microsoft 365
Learn More
Be the first to know!
Receive timely M365 updates, tips, and news directly in your inbox.
Subscribe
Office 365 Reports
Categories
Home
Office 365 Reports
PowerShell Scripts
Tools
News
Security
Exchange Online
Office 365
SharePoint Online
All Posts
Quick Links
Newsletter
Connect
facebook
twitter
instagram
linkedin
reddit