Export Office 365 Users MFA Status to CSV using PowerShell

Using this PowerShell script you can export Office 365 users' MFA status along with many useful attributes like Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, Admin Roles, SignIn Status.

4.7 Star
25,598 times
Add to favorites
Office 365
E-mail Twitter del.icio.us Digg Facebook
  • Enforced by conditional access does not necessarily reflect actual MFA status
    1 Posts | Last post March 14, 2020
    • Hi
      If I understand the script correctly, the MFA status "Enabled by Conditional Access" only checks for registered MFA methods when the status is disabled. When there are methods registered it assumes Conditional Access is applied.
      However, this is not necessarily the case.  I think it should include this information in the description. 
  • Used the enabledonly and disabledonly switches as
    2 Posts | Last post March 05, 2020
    • Used the enabledonly and disabledonly switches as the enabled only or even no switch only gives me the users with ISADMIN.  I needed billing admin which wasn't showing no matter what i did.  I had to remove the $isadmin=true and @isadmin=false in the script to get them to show.  Not sure if that is not considered an admin or what, but these users didn't show up in any report (admin or not) until i did that.
    • Hi Tanya,
      By default, the script returns both Admin and regular users. When you use -AdminOnly switch, you will get Admin users alone in the result. This script works fine in our end. 
      1. Admin roles are derived from 'Get-MsolUserRole'. Please check the role for that specific user. Get-MSolUserRole -UserPricipalName <UPN>
      2. Used the enabledonly and disabledonly switches - The user might in the 'Enforced' status. That maybe the reason for not listing that user.
      Please check and update the above cases to understand your scenario better.
  • DisabledOnly not showing enabled
    2 Posts | Last post February 08, 2020
    • When I run this script with this parameter ./GetMFAStatus.ps1 -DisabledOnly it returns a report showing all the users are disabled, I know for a fact that most are either enabled or enforced. I downloaded the latest version, since I have had this happen before and that fixed it.
    • I will answer my own question, I changed to a higher elevated user logon and it worked correctly.
  • Password Parameter
    2 Posts | Last post January 08, 2020
    • Is the below parameter not storing it in local memory? Basically the MsolService is authenticating your password via the login pop-up?
      $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force
    • Yes, MsolService authentication can be done using a login pop-up. Since the script supports scheduling feature, you no need to enter credentials at the time of scheduled execution. You can pass the credential as a parameter. In that case, the password is stored as a secure string (encrypted format) in the local memory during script execution.
      If you didn't pass the credential during script execution, that code block would not be executed. As usual, you will be prompted to enter the credential in the login pop-up.
  • MFA export on Multiple domain
    4 Posts | Last post October 29, 2019
    • we have multiple domains and i would like to export on a single domain, is it possible?
    • Hi,
      Did you mean multiple alias in a single domain?
    • Hi Kathy, 
      we do have multiple Alias but also we have multiple domains in our 365 tenant. we have 4 different domains and users have accounts on all when I export i get the email addresses from all 4 domain
    • Hi Shaff_Khans,
      Currently, the script supports a single domain at a time. If you want to get a report from 4 domains, run the script with each domain credential separately.
  • Help with disable report
    2 Posts | Last post October 17, 2019
    • Can you assist with what exactly needs changed to run the report to find and display disabled users? I've made a few changes but reports still only pulls Enforced/Enabled users. thanks!!
    • Hi,
      You don't need to edit anything in the script. The script has many inbuilt filters. To get a list of MFA disabled users, run the script with -DisabledOnly switch.
          ./GetMFAStatus.ps1 -DisabledOnly
      For more advanced filtering options, please refer: https://o365reports.com/2019/05/09/export-office-365-users-mfa-status-csv
  • Script stuck/hanfgs after checking 10862 records.
    2 Posts | Last post October 09, 2019
    • Hi, I tried to use this script. It takes a lot of time but gives required info. However, it also hangs after processing large number of users. 
      Mostly it get stuck after processing 10862 accounts. 
    • Hi,
      Sorry for the inconvenience.Are you getting any exception during script execution?
  • How to schedule the script if MFA enabled on my account?
    2 Posts | Last post October 09, 2019
    • How to schedule the script if MFA enabled on my account?
    • You can schedule this script with MFA, but you need to enter credential and verification code at the time of script execution. 
      For more info refer: https://o365reports.com/2019/08/02/schedule-powershell-script-task-scheduler/
  • When running the script with switch -DisabledOnly.
    1 Posts | Last post October 04, 2019
    • I tried running the script as is and generate the mfa enabled users. 
      However, when I try running the same using -DisabledOnly switch. it takes much more time and get stuck at some point. Kindly help explain what can be done to solve such situation. 
  • users included in conditional access policy
    1 Posts | Last post October 02, 2019
    • I have created a directive that when a series of users belonging to that directive try to connect from outside my organization, it asks for the double factor.
      When executing the script these users do not appear in the list.
      Why is this behavior?
1 - 10 of 21 Items