Motivation: Making the Systems Engineer's life easier.

Export M365 User List with MFA Status


We need to know the current MFA status of all the users in our organization. Currently there is no way to export the MFA status report from the M365 GUI. You can export the report using Windows PowerShell by running a script. Use the process below to do so.

Open an elevated Windows PowerShell session.

Connect to M365 Online using the following commands.

Enter your credentials in step 2.

Download the script (Get-MFAReport.ps1). Create a folder named Scripts in C: and copy the script to that folder. Once copied, change to the Scripts folder in Windows PowerShell.

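If you run the MFA script without first running the Execution Policy command, you may get the errors below.

Run the command below to avoid the script and execution policy errors. Because it is run without a -Scope parameter, it changes the policy for the whole computer, and the change persists after the PowerShell session is closed.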

Set-ExecutionPolicy Unrestricted

Then run the script “.\Get-MFAReport.ps1” and you can view the MFA status for the users.

The report is also exported to “C:\Temp\MFAUsers.csv”, because that is the location I set in my script.

Below is the script. You can copy the entire content into Notepad and save it as a .ps1 file.

Write-Host "Finding Azure Active Directory Accounts..."
# All member accounts; guest accounts are excluded from the report
$Users = Get-MsolUser -All | ? { $_.UserType -ne "Guest" }
$Report = [System.Collections.Generic.List[Object]]::new() # Collects one row per user
Write-Host "Processing" $Users.Count "accounts..."
ForEach ($User in $Users) {
    $MethodUsed = $Null # Reset so a value from the previous user is never carried over
    $MFAEnforced = $User.StrongAuthenticationRequirements.State
    $MFAPhone = $User.StrongAuthenticationUserDetails.PhoneNumber
    $DefaultMFAMethod = ($User.StrongAuthenticationMethods | ? { $_.IsDefault -eq "True" }).MethodType
    If (($MFAEnforced -eq "Enforced") -or ($MFAEnforced -eq "Enabled")) {
        # Translate the default method type into a readable label
        Switch ($DefaultMFAMethod) {
            "OneWaySMS" { $MethodUsed = "One-way SMS" }
            "TwoWayVoiceMobile" { $MethodUsed = "Phone call verification" }
            "PhoneAppOTP" { $MethodUsed = "Hardware token or authenticator app" }
            "PhoneAppNotification" { $MethodUsed = "Authenticator app" }
        }
    }
    Else {
        $MFAEnforced = "Not Enabled"
        $MethodUsed = "MFA Not Used"
    }

    $ReportLine = [PSCustomObject] @{
        User        = $User.UserPrincipalName
        Name        = $User.DisplayName
        MFAUsed     = $MFAEnforced
        MFAMethod   = $MethodUsed
        PhoneNumber = $MFAPhone
    }
    $Report.Add($ReportLine)
}

Write-Host "Report is in c:\temp\MFAUsers.csv"
$Report | Select User, Name, MFAUsed, MFAMethod, PhoneNumber | Sort Name | Out-GridView
$Report | Sort Name | Export-CSV -NoTypeInformation -Encoding UTF8 c:\temp\MFAUsers.csv
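
Once the CSV exists, the next question is usually which accounts still need attention. The block below is an added example, not part of Get-MFAReport.ps1: it summarizes the exported columns into a coverage figure and three follow-up lists (MFA not enabled, phone-based default method, enabled with no default method recorded). The function name Get-MfaCoverage and the sample rows are constructed for illustration; the column names and value strings are the ones the script above writes.

```powershell
# Added example, not part of Get-MFAReport.ps1. Get-MfaCoverage is a
# hypothetical helper; columns and value strings match the script on this page.
function Get-MfaCoverage {
    # Mandatory rejects an empty collection, so the division below is safe.
    param([Parameter(Mandatory)][object[]]$Rows)

    # Strings the report script emits for phone-based default methods.
    $phoneMethods = 'One-way SMS', 'Phone call verification'

    $notEnabled = @($Rows | Where-Object { $_.MFAUsed -eq 'Not Enabled' })
    $phoneBased = @($Rows | Where-Object { $_.MFAMethod -in $phoneMethods })
    # Enabled or Enforced, but nothing recorded in the MFAMethod column.
    $noMethod = @($Rows | Where-Object {
            $_.MFAUsed -ne 'Not Enabled' -and [string]::IsNullOrWhiteSpace($_.MFAMethod)
        })
    $covered = $Rows.Count - $notEnabled.Count

    [PSCustomObject]@{
        Total       = $Rows.Count
        CoveragePct = [math]::Round(100 * $covered / $Rows.Count, 1)
        ByState     = $Rows | Group-Object MFAUsed | Select-Object Name, Count
        NotEnabled  = $notEnabled.User
        PhoneBased  = $phoneBased.User
        NoMethod    = $noMethod.User
    }
}

# Constructed sample rows in the same layout as C:\Temp\MFAUsers.csv.
$sample = @'
"User","Name","MFAUsed","MFAMethod","PhoneNumber"
"alice@example.com","Alice Example","Enforced","Authenticator app",""
"bob@example.com","Bob Example","Enabled","One-way SMS","+1 5550100"
"carol@example.com","Carol Example","Not Enabled","MFA Not Used",""
"dave@example.com","Dave Example","Enabled","",""
"erin@example.com","Erin Example","Enforced","Hardware token or authenticator app",""
'@ | ConvertFrom-Csv

$summary = Get-MfaCoverage -Rows $sample
$summary | Format-List Total, CoveragePct, NotEnabled, PhoneBased, NoMethod
$summary.ByState | Format-Table -AutoSize

# Against the real export:
# Get-MfaCoverage -Rows (Import-Csv C:\Temp\MFAUsers.csv)
```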
