Status of users' MFA in Microsoft 365

June 07, 2021

The script can be used to generate a report that lists user accounts together with the status of their MFA in Microsoft 365. For the script to work, you need to install the Microsoft Azure Active Directory Module (MSOnline) on each computer where the Adaxes service is running. To connect to Microsoft 365, the script uses the credentials specified in the Run As section (located on the Script tab).

To generate the report:

  • A scope is required. If the report scope is left empty, the script will not work.
  • The Organizational Unit or container selected in the scope for the report generation must be included in the associated scope of a Microsoft 365 tenant registered in Adaxes.

Parameters:

  • $columnID - Specifies the identifier of the custom column that will store the MFA state of each user in Microsoft 365. To get the identifier:
    1. In the Report-specific columns section, on the Columns tab, right-click the custom column.
    2. In the context menu, navigate to Copy and click Column ID.
    3. The column identifier will be copied to clipboard.
PowerShell
Import-Module MsOnline
$columnID = "{406bec83-0e40-4291-88a2-208da5df346b}"

# Get member identifiers
$Context.DirectorySearcher.AppendFilter("(sAMAccountType=805306368)")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("adm-O365ObjectId")

try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    
    $baseObject = $Context.BindToObject($Context.DirectorySearcher.BaseObjectPath)
    
    # Connect to Microsoft 365
    $password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
    $credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
    Connect-MsolService -Credential $credential
    
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        
        $id = $searchResult.GetPropertyByName("adm-O365ObjectId").Values[0]
        if ($NULL -eq $id)
        {
            continue
        }
        
        # Get MFA state
        $user = Get-MsolUser -ObjectId ([Guid]$id)
        if ($NULL -eq $user.StrongAuthenticationRequirements.State)
        {
            $mfaState = "Disabled"
        }
        else
        {
            $mfaState = $user.StrongAuthenticationRequirements.State
        }
        
        # Add user to the report
        $Context.Items.Add($searchResult, @{ $columnID = $mfaState }, $NULL)
    }
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

Comments (3)
Michael Kennedy
Jul 22, 2021
Changing "StrongAuthenticationRequirements.State" to "StrongAuthenticationMethods.MethodType" in both locations will show the method used for MFA (e.g. "OneWaySMS", "PhoneAppOTP", "PhoneAppNotification", etc.). This could be more useful depending on your use case.

Thank you for the script, Adaxes.
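As an added example (not part of the published script or of Adaxes), the MFA state check from the script's loop and the method lookup from Michael Kennedy's comment combined into one function. It relies only on the MSOnline user properties named on this page plus IsDefault on each StrongAuthenticationMethods entry; the sample user object is constructed so the function can be exercised without connecting to a tenant.

```powershell
# Added example: summarise a user's per-user MFA state and registered methods.
# Works on any object with the same property names as Get-MsolUser output,
# so it can be tested with a constructed object before use in the report.
function Get-MfaSummary
{
    param([Parameter(Mandatory = $true)] $MsolUser)

    # Per-user MFA state: $null means "Disabled"; otherwise "Enabled" or "Enforced".
    $state = $MsolUser.StrongAuthenticationRequirements.State
    if ($NULL -eq $state) { $state = "Disabled" }

    # Registered methods (the property from Michael Kennedy's comment).
    $methods = @($MsolUser.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
    $default = $MsolUser.StrongAuthenticationMethods |
        Where-Object { $_.IsDefault } |
        Select-Object -First 1 -ExpandProperty MethodType

    # Caveat for the report reader: "Disabled" here only means no per-user MFA
    # requirement is set. Security Defaults and Conditional Access enforce MFA
    # without setting this state, so a user with registered methods is likely
    # still prompted for MFA by policy.
    $note = ""
    if ($state -eq "Disabled" -and $methods.Count -gt 0)
    {
        $note = "methods registered; MFA probably enforced by policy"
    }

    return [pscustomobject]@{
        State         = $state
        Methods       = ($methods -join ";")
        DefaultMethod = $default
        Note          = $note
    }
}

# Constructed sample (not a real tenant object): no per-user state, two methods.
$sampleUser = [pscustomobject]@{
    UserPrincipalName                = "user@example.com"
    StrongAuthenticationRequirements = @()
    StrongAuthenticationMethods      = @(
        [pscustomobject]@{ MethodType = "OneWaySMS";            IsDefault = $false },
        [pscustomobject]@{ MethodType = "PhoneAppNotification"; IsDefault = $true }
    )
}

Get-MfaSummary $sampleUser
```

In the report loop, `Get-MfaSummary $user` can replace the if/else block, and the returned State and Methods values can be written to one or two custom columns via `$Context.Items.Add`.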
Travis Brower
Feb 15, 2022
How can I use this to create a dynamic security group?
Support
Feb 15, 2022
Hello Travis,

Sorry for the confusion, but we are not sure what exactly you need to achieve. Please describe the desired workflow in all possible detail with live examples.