{"id":8690,"date":"2025-04-01T03:11:03","date_gmt":"2025-04-01T03:11:03","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=8690"},"modified":"2025-04-07T23:36:14","modified_gmt":"2025-04-07T23:36:14","slug":"how-to-get-mfa-status-for-users-in-entra","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/how-to-get-mfa-status-for-users-in-entra","title":{"rendered":"How to get MFA status for Users in Entra"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code class=\"\"># Check if required Microsoft.Graph modules are installed\n$requiredModules = @(\n    \"Microsoft.Graph.Authentication\",\n    \"Microsoft.Graph.Users\"\n)\n\nforeach ($module in $requiredModules) {\n    if (!(Get-Module -ListAvailable -Name $module)) {\n        Write-Host \"$module module not found. Installing...\"\n        Install-Module $module -Force -AllowClobber -Scope CurrentUser\n    } else {\n        Write-Host \"$module module is already installed.\"\n    }\n}\n\n# Import only the required modules\nImport-Module Microsoft.Graph.Authentication\nImport-Module Microsoft.Graph.Users\n\n# Connect to Microsoft Graph with delegated read-only scopes.\n# The list is broader than the calls below appear to need (User.Read.All and\n# UserAuthenticationMethod.Read.All cover the user and method reads); trim it to least privilege.\ntry {\n    Connect-MgGraph -Scopes @(\n        \"User.Read.All\",\n        \"UserAuthenticationMethod.Read.All\",\n        \"Directory.Read.All\",\n        \"User.ReadBasic.All\",\n        \"Policy.Read.All\"\n    ) -UseDeviceAuthentication:$false\n} catch {\n    Write-Error \"Failed to connect to Microsoft Graph: $($_.Exception.Message)\"\n    exit 1\n}\n\n# Get all enabled users with @domain.onmicrosoft.com domain (placeholder: substitute your tenant's domain in the filter and the warning below)\ntry {\n    Write-Host \"Fetching users...\"\n    $users = Get-MgUser -All -Property UserPrincipalName,Id,AccountEnabled -ErrorAction Stop | \n             Where-Object { $_.AccountEnabled -eq $true -and $_.UserPrincipalName -like \"*@domain.onmicrosoft.com\" }\n    \n    if ($null -eq $users -or $users.Count -eq 0) {\n        Write-Warning \"No enabled users found with @domain.onmicrosoft.com domain\"\n   
     Disconnect-MgGraph\n        exit 0\n    }\n    \n    Write-Host \"Found $($users.Count) enabled users\"\n} catch {\n    Write-Error \"Failed to get users: $($_.Exception.Message)\"\n    Write-Error \"Please ensure you have the correct permissions: User.Read.All, UserAuthenticationMethod.Read.All, Directory.Read.All, User.ReadBasic.All, Policy.Read.All\"\n    Disconnect-MgGraph\n    exit 1\n}\n\n$results = @()\n\nforeach ($user in $users) {\n    try {\n        Write-Host \"Checking MFA status for $($user.UserPrincipalName)...\"\n        \n        # Query the beta endpoint for the user's registered authentication methods\n        $authMethods = Invoke-MgGraphRequest -Method GET -Uri \"https:\/\/graph.microsoft.com\/beta\/users\/$($user.Id)\/authentication\/methods\" -ErrorAction Stop\n        \n        # Keep every registered authentication method except the password.\n        # This shows registration only, not that MFA is enforced at sign-in, and it also counts\n        # methods that are not a sign-in second factor (for example an email address used for password reset).\n        $mfaRegistered = $authMethods.value | Where-Object { $_.'@odata.type' -ne \"#microsoft.graph.passwordAuthenticationMethod\" }\n        \n        # Label the user: Enabled means at least one non-password method is registered, Disabled means none\n        $mfaStatus = if ($mfaRegistered) { \"Enabled\" } else { \"Disabled\" }\n\n        # Add user details to results\n        $results += [PSCustomObject]@{\n            UserPrincipalName = $user.UserPrincipalName\n            MFAStatus         = $mfaStatus\n            RegisteredMethods = ($mfaRegistered | ForEach-Object { $_.'@odata.type' -replace \"#microsoft.graph.\", \"\" }) -join \", \"\n        }\n    } catch {\n        Write-Warning \"Failed to get MFA data for $($user.UserPrincipalName): $($_.Exception.Message)\"\n        \n        # Try another approach using conditional access policies\n        try {\n            Write-Host \"Trying conditional access approach for $($user.UserPrincipalName)...\"\n            \n            # Check if user is subject to MFA policies\n            $userPolicies = Invoke-MgGraphRequest -Method GET -Uri 
\"https:\/\/graph.microsoft.com\/beta\/users\/$($user.Id)\/authentication\/conditionalAccessPolicies\" -ErrorAction Stop\n            \n            # Assumption: any returned policy is treated as an MFA requirement, although the policy's\n            # grant controls are never inspected; read Enabled (Policy) as a hint, not proof\n            $hasMfaPolicy = $userPolicies.value.Count -gt 0\n            \n            # Add user details to results with conditional access approach\n            $results += [PSCustomObject]@{\n                UserPrincipalName = $user.UserPrincipalName\n                MFAStatus         = if ($hasMfaPolicy) { \"Enabled (Policy)\" } else { \"Unknown\" }\n                RegisteredMethods = \"Conditional Access Check\"\n            }\n        } catch {\n            Write-Warning \"Conditional access approach also failed for $($user.UserPrincipalName): $($_.Exception.Message)\"\n            \n            # Add user with unknown status\n            $results += [PSCustomObject]@{\n                UserPrincipalName = $user.UserPrincipalName\n                MFAStatus         = \"Unknown\"\n                RegisteredMethods = \"Check Failed\"\n            }\n        }\n    }\n}\n\n# Display results\nif ($results.Count -gt 0) {\n    $results | Format-Table -AutoSize\n} else {\n    Write-Host \"No MFA data was collected for any users.\"\n}\n\n# Disconnect from Microsoft 
Graph\nDisconnect-MgGraph<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8690","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=8690"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8690\/revisions"}],"predecessor-version":[{"id":8733,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8690\/revisions\/8733"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=8690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=8690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=8690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}