This post helps you find registered and unregistered users to Azure MFA using PowerShell and the web interface.

Finding Azure MFA registered Users using Web Interface

Azure Active Directory has several reports that help you find information about registered users: the methods enrolled, whether the user is SSPR capable, and more.

User registration details

To access this report, open the Azure Portal, type Authentication methods in the search box, and select Azure AD Authentication methods. In the Authentication methods sidebar, click User registration details.

This gives a ready-to-use report of each user's registration methods and default MFA method, which can be a mobile phone, the Microsoft Authenticator app, or whatever else the user has registered.

Finding Azure MFA registered Users using Graph API PowerShell

First, connect to the Microsoft Graph endpoint. The permission required to read MFA registration information is AuditLog.Read.All. You can use either delegated authentication or application authentication.

Learn more about delegated and application authentication by reading Connect to Office 365 Using Graph API and PowerShell. If you are new to Graph API, take a tour and learn the basics by reading Connect and Understanding Microsoft Graph API.

For this tutorial, I will use delegated authentication, so start by connecting to Graph API:

Connect-MgGraph -ForceRefresh -Scopes @('AuditLog.Read.All')

Type the username and password and consent to the requested permissions.

At the time of writing this update, the endpoint is still in beta.

# Query the beta userRegistrationDetails report; the users are returned in the 'value' array of the response
$AllUsers=Invoke-GraphRequest -Uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails'
$AllUsers['Value']

All the users appear in the output, each with the following properties.

Name                           Value
----                           -----
id                             810c-810c-810c-810c-767fc1ce404a
isMfaCapable                   True
userType                       member
isSsprRegistered               True
isSsprEnabled                  True
userPrincipalName              testUser@powershellcenter.com
isPasswordlessCapable          False
defaultMfaMethod               mobilePhone
userDisplayName                The Test Account
methodsRegistered              {mobilePhone}
isSsprCapable                  True
isMfaRegistered                True
isAdmin                        False

To find a single user's result, use the following line:

$AllUsers['Value'] | where {$_.userPrincipalName -like "testUser@powershellcenter.com"}

To list all the registered methods for a single user, read the methodsRegistered property:

PS C:\Users> ($AllUsers['Value'] | where {$_.userPrincipalName -like "testUser@powershellcenter.com"}).methodsRegistered
mobilePhone
microsoftAuthenticatorPush
softwareOneTimePasscode
microsoftAuthenticatorPasswordless
fido2SecurityKey
windowsHelloForBusiness

Read more about the userRegistrationDetails endpoint at Microsoft.com.
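The one-liner above reads only the first page of the report. The following function, an added example and not code from the original post, follows the @odata.nextLink paging of the beta endpoint and optionally returns only users who are not MFA registered; it assumes Connect-MgGraph -Scopes 'AuditLog.Read.All' has already been run.

```powershell
# Added example (not from the original post): page through the beta
# userRegistrationDetails report and report users who are not MFA registered.
# Assumes Connect-MgGraph -Scopes 'AuditLog.Read.All' has already been run.
function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        # Return only users with no registered MFA method
        [switch]$UnregisteredOnly
    )

    $uri = 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails'
    $results = [System.Collections.Generic.List[object]]::new()

    # The endpoint is paged: keep following @odata.nextLink until it is absent
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page['value']) {
            $results.Add([PSCustomObject]@{
                UserPrincipalName = $u['userPrincipalName']
                UserType          = $u['userType']
                IsAdmin           = $u['isAdmin']
                IsMfaRegistered   = $u['isMfaRegistered']
                IsMfaCapable      = $u['isMfaCapable']
                DefaultMethod     = $u['defaultMfaMethod']
                Methods           = ($u['methodsRegistered'] -join ',')
            })
        }
        $uri = $page['@odata.nextLink']
    }

    if ($UnregisteredOnly) {
        return $results | Where-Object { -not $_.IsMfaRegistered }
    }
    return $results
}

# Usage: unregistered admin accounts are the first ones to follow up on
Get-MfaRegistrationReport -UnregisteredOnly |
    Where-Object IsAdmin |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, UserType, IsMfaCapable -AutoSize
```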

Finding Azure MFA registered Users using PowerShell (Conditional Access)

Start by opening PowerShell and connect to Office 365 services using the following cmdlet:

Connect-MsolService

If you don't have the MSOL module, install it from the PSGallery by running the following cmdlet: Install-Module -Name MSOnline

After you log in, you can get the registration information of a user using the following cmdlet.

(Get-MsolUser -UserPrincipalName Test@testdomain.com).StrongAuthenticationMethods
ExtensionData                                    IsDefault MethodType
-------------                                    --------- ----------
System.Runtime.Serialization.ExtensionDataObject     False OneWaySMS
System.Runtime.Serialization.ExtensionDataObject     False TwoWayVoiceMobile
System.Runtime.Serialization.ExtensionDataObject     False PhoneAppOTP
System.Runtime.Serialization.ExtensionDataObject      True PhoneAppNotification

Some scripts found online use StrongAuthenticationRequirements, which does not give the correct result if you are using Conditional Access instead of Per-User MFA, because that property only holds the Per-User MFA state.

With Conditional Access, we need to confirm that users are actually registered for Azure MFA; whether MFA is then required depends on how the Conditional Access policies are built.

To get a list of registered users and their default method, use the following code:

Connect-MsolService
$Results = @()
$users = Get-MsolUser -All
foreach ($singleuser in $users) {
    # The default strong-authentication method is the one an MFA challenge actually uses
    $Reg = ($singleuser.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
    # No default method means the user has not registered for MFA
    if (-not $Reg) { $Reg = "Disabled" }

    $Output = [PSCustomObject]@{
        UserName  = $singleuser.UserPrincipalName
        RegMethod = $Reg
    }
    $Results += $Output
}
$Results

The output of the script looks like this.

UserName                                        RegMethod           
--------                                        ---------           
User1@testdomain.com                           PhoneAppNotification
User2@testdomain.com                           OneWaySMS           
User3@testdomain.com                           Disabled            

Finding Azure MFA registered Users using PowerShell (Per-User MFA)

If you want a list of users with their Per-User MFA state, use the following script.

Connect-MsolService
$Results = @()
$users = Get-MsolUser -All
foreach ($singleuser in $users) {
    # StrongAuthenticationRequirements holds the Per-User MFA state only
    $Reg = $singleuser.StrongAuthenticationRequirements.State
    # An empty state means Per-User MFA is not turned on for this account
    if (-not $Reg) { $Reg = "Disabled" }

    $Output = [PSCustomObject]@{
        UserName  = $singleuser.UserPrincipalName
        RegMethod = $Reg
    }
    $Results += $Output
}
$Results

The result looks like this.

UserName                                             RegMethod
--------                                             ---------
Test1@testdomain.com                                 Disabled 
Test2@testdomain.com                                 Enabled
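The Conditional Access script and the Per-User MFA script above each report one of the two MSOL properties. The following function, an added example and not code from the original post, combines both in a single report so that accounts with no registered method, and accounts whose Per-User state and registration disagree, stand out; it assumes Connect-MsolService has already been run and excludes guest accounts unless asked otherwise.

```powershell
# Added example (not from the original post): one MSOL report combining the
# Per-User MFA state with the registered strong-authentication methods.
# Assumes Connect-MsolService has already been run.
function Get-MsolMfaStatus {
    [CmdletBinding()]
    param(
        # Include guest accounts (excluded by default)
        [switch]$IncludeGuests
    )

    $report = [System.Collections.Generic.List[object]]::new()
    $users  = Get-MsolUser -All
    if (-not $IncludeGuests) {
        $users = $users | Where-Object { $_.UserType -ne 'Guest' }
    }

    foreach ($user in $users) {
        $methods = @($user.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault -eq $true }).MethodType
        if (-not $default) { $default = 'NotRegistered' }

        # Per-User MFA state is empty when MFA is driven by Conditional Access only
        $state = $user.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }

        $report.Add([PSCustomObject]@{
            UserName        = $user.UserPrincipalName
            PerUserMfaState = $state
            DefaultMethod   = $default
            MethodCount     = $methods.Count
            AllMethods      = ($methods.MethodType -join ',')
        })
    }
    return $report
}

$status = Get-MsolMfaStatus
# Users with no registered method cannot complete an MFA challenge yet,
# whichever way (Per-User or Conditional Access) MFA is required for them
$status | Where-Object { $_.DefaultMethod -eq 'NotRegistered' } |
    Format-Table UserName, PerUserMfaState, MethodCount -AutoSize
```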
