Export Office 365 Users MFA Status to CSV using PowerShell

Using this PowerShell script, you can export Office 365 users' MFA status along with many useful attributes such as Display Name, User Principal Name, MFA Status, Activation Status, Default MFA Method, All MFA Methods, MFA Phone, MFA Email, License Status, IsAdmin, and SignIn Status.


  • Enabled and Disabled in one list
    2 Posts | Last post July 24, 2019
    • Hi,
      Is it possible to get the enabled and disabled users in one CSV list? I've been trying to get them in one list, but I am not successful at the moment.
    • Hi,
      Currently, this script shows the user's attributes based on their MFA status. E.g., the MFA enabled user report will show MFA method, Default MFA method, MFA phone, MFA email, etc., whereas the MFA disabled report will show Department, IsAdmin, SignIn Status, etc. Hence, showing both enabled and disabled users in a single CSV file is not possible.
  • Question about Output
    3 Posts | Last post July 18, 2019
    • This is exactly what I'm looking for -- THANK YOU!
      I do have one question: I ran the report and I have a handful of users that have an Activation Status = Yes and MFAStatus = <blank>. All of those users have MFA disabled.
      As expected, it did not report all users in the tenant but I was surprised to see the disabled users without using the DisabledOnly switch.
      Thanks for taking the time to write this!
    • Hi Dubya,
      Users with "Activation status = Yes and MFA status = <blank>" are not MFA disabled users. Those are MFA enabled through Conditional Access. Most scripts consider only the state (i.e., MFA status) to determine users' MFA status. Our script considers both Activation Status and MFA status to determine users' MFA status.
      In simple words, if MFA is enabled through Conditional Access, the MFA state is not set, but the user is actually MFA enabled. Because the MFA state is not set, it is shown as blank.
      Thanks for pointing this out; we will update the script to show Enabled instead of a blank.
    • Hi Dubya,
      We have updated the script. Now the script will show MFA status as "Enabled via Conditional Access" if the user's MFA is enabled through Conditional Access.
  • One Suggestion - Omit Shared Mailboxes
    2 Posts | Last post July 17, 2019
    • I noticed that the output includes shared mailboxes. It would be great to have a switch to not include those if possible since MFA does not apply "most of the time" anyway. I realize that if a shared mailbox requires additional subscriptions, sign-in may be possible. I typically block sign-in for those situations.
    • Hi Dubya,
      Thanks for the suggestion. To include a mailbox type filter, we need to use an additional cmdlet, which may increase the script execution time. That's why we left out the mailbox type filter.
      If more people expect a mailbox type filter, we will surely add it to the script.
      As you said, you can filter out shared mailboxes by using the -SignInAllowed $False filter (if shared mailbox sign-in is blocked in your tenant).
  • To get Activation Status=not enable
    2 Posts | Last post July 16, 2019
    • Hello,
      I've run the script, but the report "MFA disabled" doesn't work for my purpose. I would need to check "activation status=not enabled" for all users, since I am using Conditional Access with Azure AD groups and have not pushed MFA activation from Azure MFA itself. Running the "-DisabledOnly" switch will show MFA status disabled for all of our users (still). So in my report, I would need to change the script to report only activation status, not the MFA status itself.
    • Hi Mikko,
      We have updated the script to list MFA disabled users by considering Conditional Access. You can download the new version now.
  • Export Issue
    2 Posts | Last post July 16, 2019
    • PowerShell processes 261 users, but only 112 users are exported to Excel
    • Hi Manesh,
      By default, this script will return only MFA enabled and enforced users. I believe your tenant has 112 MFA enabled and enforced users among 261. So after processing 261 users, the script exported 112 users.
      If you want to get the list of MFA disabled users, run the script with the -DisabledOnly param.
      If this is not the case, let us know.
  • Great script
    2 Posts | Last post May 14, 2019
    • What is the time range that the report queries?
    • Hi lamorris_Price,
      The time it takes depends on the number of users in your environment. If you are generating a report for MFA disabled users, it will complete sooner than a report for enabled/enforced MFA status. Can you share the time taken and the number of users (enabled and disabled) available in your tenant?
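
The status rule described in the "Question about Output" thread (per-user MFA state checked together with Activation Status), as an added example that is not the gallery script's code. It assumes Activation Status means the user has at least one registered strong-authentication method, uses the property names exposed by the MSOnline `Get-MsolUser` cmdlet, and runs on constructed sample users; `Get-MfaClassification` is a hypothetical helper name.

```powershell
# Added example; sample users are constructed, shaped like Get-MsolUser output.
function Get-MfaClassification {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$User)
    process {
        # Per-user MFA state: 'Enabled', 'Enforced', or nothing if never set.
        $state = $User.StrongAuthenticationRequirements |
            Select-Object -First 1 -ExpandProperty State
        # Registered methods (assumed here to be the "Activation Status" signal).
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } |
            Select-Object -First 1).MethodType
        $activation = if ($methods.Count -gt 0) { 'Yes' } else { 'No' }

        # Blank state plus registered methods is reported as Conditional Access.
        $status = if ($state) {
            $state
        } elseif ($methods.Count -gt 0) {
            'Enabled via Conditional Access'
        } else {
            'Disabled'
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MFAStatus         = $status
            ActivationStatus  = $activation
            DefaultMFAMethod  = $default
            AllMFAMethods     = ($methods.MethodType -join ',')
        }
    }
}

# Constructed sample users covering the three cases discussed in the thread.
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName                = 'enforced.user@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'ca.user@contoso.example'
        StrongAuthenticationRequirements = @()   # state never set per user
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'no.mfa@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
    }
)
$sampleUsers | Get-MfaClassification | Format-Table -AutoSize
```

Against a tenant, the same function accepts the output of `Get-MsolUser -All` on the pipeline. Registered methods show that a user has completed registration, not that a Conditional Access policy actually targets them, so confirm policy scope separately before treating that row as covered.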