We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Check multi-factor authentication status for a user in Microsoft 365

May 28, 2021 Views: 17731

The script can be used to obtain the status of multi-factor authentication for a user in Microsoft 365 (Office 365). To execute the script, use the Run a program or PowerShell script action in a custom command, business rule or scheduled task. To connect to Microsoft 365, the script uses the credentials specified in the Run As section of the action settings.

For the script to work, you need to install Microsoft Azure Active Directory Module on each computer where Adaxes service is running.

Edit Remove
# Get Microsoft 365 Object ID
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")

# Connect to Azure AD
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Output MFA status
$user = Get-MsolUser -ObjectId $objectId

if ($user.StrongAuthenticationRequirements.State -ne $NULL)
    $Context.LogMessage("Multi-factor authentication is enabled for user %fullname%.", "Information")
    $Context.LogMessage("Multi-factor authentication is disabled for user %fullname%.", "Information")
Comments 10
Patrick Faust Feb 04, 2021
The result is not reported when run for multiple users.
I like to get an overview of missed mfa activations for a complete OU.
Looks like I can only run this one by one.

Any chance to let it run for multiple users and get simple overview which ones need to be activated?
Support Feb 05, 2021
Hello Patrick,

This particular script can only be executed on a single user. If you need information for multiple users, we can provide you with another script that will be used to generate a report. For us to provide you with a solution, please, specify the version of Adaxes you are currently using. For information on how to check that, seehttps://www.adaxes.com/help/?HowDoI.ManageService.CheckAdaxesServiceVersion.html.

Any additional details and live examples of the desired behavior will be much appreciated.
Olson Feb 08, 2021
any update on this? Also looking for a report that shows this info
Support Feb 08, 2021
Hello Olson,

As it was mentioned above, we do not have such a script in our repository and to provide it we need to know the Adaxes version and what exactly should be included into the report. Once we have the information, we will be able to provide the script.
olson Feb 08, 2021
version: 3.13.18625 (latest)
report: username: status(disabled/enabled/enforced)
report runs on OU

would be great!
Support Feb 08, 2021
Hello Olson,

Thank you for the provided details. Please, have a look at the following script from our repository: https://www.adaxes.com/script-repository/status-of-users-mfa-in-microsoft-365-s601.htm.
Olson Feb 09, 2021
yes, i have this working already but this is for a single user....
Support Feb 09, 2021
Hello Olson,

The script is intended to generate a report of users and their MFA statuses in Microsoft 365. It cannot be executed for a single user. The scope should be an OU or container.
Alan Jul 21, 2021
Has this been tested? I just get a string of errors when I try it:

You cannot call a method on a null-valued expression.
At C:\temp\user-mfa.ps1:8 char:5
+ $Context.LogMessage("The user %fullname% doesn't have a Microsoft ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is null.
At C:\temp\user-mfa.ps1:13 char:64
+ ... rtTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSe
Support Jul 21, 2021
Hello Alan,

Yes, the script was tested and works fine. It can only be used in Adaxes (e.g. in a business rule or custom command). The script cannot be executed in Windows PowerShell as it uses built-in Adaxes variable $Context.
Leave a comment

Got questions?

Support Questions & Answers