Check multi-factor authentication status for a user in Microsoft 365

May 28, 2021

The script obtains the multi-factor authentication status of a user in Microsoft 365 (Office 365). To execute it, use the "Run a program or PowerShell script" action in a custom command, business rule or scheduled task. To connect to Microsoft 365, the script uses the credentials specified in the Run As section of the action settings.

For the script to work, install the Microsoft Azure Active Directory Module on each computer where the Adaxes service is running.

PowerShell
# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

# Connect to Azure AD
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Output MFA status
$user = Get-MsolUser -ObjectId $objectId

# $null goes on the left so the test yields a single Boolean even if State is a collection
if ($null -ne $user.StrongAuthenticationRequirements.State)
{
    $Context.LogMessage("Multi-factor authentication is enabled for user %fullname%.", "Information")
}
else
{
    $Context.LogMessage("Multi-factor authentication is disabled for user %fullname%.", "Information")
}
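
The script above logs "enabled" for any non-empty State, so it does not distinguish Enabled from Enforced, and it depends on the Adaxes $Context variable. The following is an added example, not part of the Adaxes repository script: a stand-alone classifier that reports the per-user state and flags accounts with no registered methods. Get-MfaState is a hypothetical helper name, and the sample objects are constructed to mimic Get-MsolUser output so the block runs without a tenant.

```powershell
# Added example: classify per-user MFA state from Get-MsolUser-shaped objects.
# Get-MfaState is a hypothetical helper name, not part of MSOnline or Adaxes.
function Get-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # StrongAuthenticationRequirements is a collection; it is empty when
        # per-user MFA has never been turned on for the account.
        $state = @($User.StrongAuthenticationRequirements | ForEach-Object { $_.State }) |
            Where-Object { $_ } | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        # Registered methods show whether the user has completed MFA setup.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = [string]$state   # Disabled | Enabled | Enforced
            MethodsRegistered = $methods.Count
            NeedsAttention    = ($state -eq 'Disabled') -or ($methods.Count -eq 0)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
)
$sample | Get-MfaState | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-MfaState | Where-Object NeedsAttention
```

StrongAuthenticationRequirements reflects per-user MFA only; MFA required through Conditional Access or security defaults does not appear in it.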

Comments ( 10 )
Patrick Faust
Feb 04, 2021
The result is not reported when run for multiple users.
I like to get an overview of missed mfa activations for a complete OU.
Looks like I can only run this one by one.

Any chance to let it run for multiple users and get simple overview which ones need to be activated?
Support
Feb 05, 2021
Hello Patrick,

This particular script can only be executed on a single user. If you need information for multiple users, we can provide you with another script that will be used to generate a report. For us to provide you with a solution, please, specify the version of Adaxes you are currently using. For information on how to check that, see https://www.adaxes.com/help/?HowDoI.ManageService.CheckAdaxesServiceVersion.html.

Any additional details and live examples of the desired behavior will be much appreciated.
Olson
Feb 08, 2021
any update on this? Also looking for a report that shows this info
Support
Feb 08, 2021
Hello Olson,

As it was mentioned above, we do not have such a script in our repository and to provide it we need to know the Adaxes version and what exactly should be included into the report. Once we have the information, we will be able to provide the script.
olson
Feb 08, 2021
ok
version: 3.13.18625 (latest)
report: username: status(disabled/enabled/enforced)
report runs on OU

would be great!
Support
Feb 08, 2021
Hello Olson,

Thank you for the provided details. Please, have a look at the following script from our repository: https://www.adaxes.com/script-repository/status-of-users-mfa-in-microsoft-365-s601.htm.
Olson
Feb 09, 2021
yes, i have this working already but this is for a single user....
Support
Feb 09, 2021
Hello Olson,

The script is intended to generate a report of users and their MFA statuses in Microsoft 365. It cannot be executed for a single user. The scope should be an OU or container.
Alan
Jul 21, 2021
Has this been tested? I just get a string of errors when I try it:


You cannot call a method on a null-valued expression.
At C:\temp\user-mfa.ps1:8 char:5
+ $Context.LogMessage("The user %fullname% doesn't have a Microsoft ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is null.
At C:\temp\user-mfa.ps1:13 char:64
+ ... rtTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSe
cureStringCommand
Support
Jul 21, 2021
Hello Alan,

Yes, the script was tested and works fine. It can only be used in Adaxes (e.g. in a business rule or custom command). The script cannot be executed in Windows PowerShell as it uses built-in Adaxes variable $Context.