
MFA Enforcement Report

Checks all users in the tenant and reports whether they have an MFA-capable authentication method registered.

Requirements

    Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
    Install-Module Microsoft.Graph.Users -Scope CurrentUser
    Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser

Requires PowerShell 7.0+.

Usage

    # Default output to script directory
    .\mfa-enforcement-report.ps1

    # Custom output path
    .\mfa-enforcement-report.ps1 -OutputPath "C:\Reports\mfa-report.csv"

Script

    #requires -Version 7.0
    [CmdletBinding()]
    param(
        [string]$TenantId,
        [string]$OutputPath = (Join-Path $PSScriptRoot 'mfa-enforcement-report.csv')
    )

    Set-StrictMode -Version Latest
    $ErrorActionPreference = 'Stop'

    # Fail early if a required Graph module is missing, otherwise import it.
    function Ensure-Module {
        param([Parameter(Mandatory=$true)][string]$Name)
        if (-not (Get-Module -ListAvailable -Name $Name)) {
            Write-Error "Required module '$Name' not found. Install with: Install-Module $Name -Scope CurrentUser"
            exit 1
        }
        Import-Module $Name -ErrorAction Stop | Out-Null
    }

    Ensure-Module -Name Microsoft.Graph.Authentication
    Ensure-Module -Name Microsoft.Graph.Users
    Ensure-Module -Name Microsoft.Graph.Identity.SignIns

    # Read-only scopes needed to list users and their registered methods.
    $scopes = @(
        'User.Read.All',
        'UserAuthenticationMethod.Read.All'
    )

    # Sign in; target a specific tenant when -TenantId is supplied.
    $connectParams = @{ Scopes = $scopes }
    if ($TenantId) { $connectParams['TenantId'] = $TenantId }
    Connect-MgGraph @connectParams | Out-Null

    $users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,accountEnabled'

    # @() keeps $results an array for zero or one user, so .Count is safe under StrictMode.
    $results = @(foreach ($user in $users) {
        $methods = @()
        try {
            $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
        } catch {
            # A failed lookup is reported as "no methods"; warn so the row is not misread.
            Write-Warning "Could not read authentication methods for $($user.UserPrincipalName): $($_.Exception.Message)"
            $methods = @()
        }

        # A user counts as MFA-capable if any registered method is one of these types.
        $hasMfaMethod = $false
        foreach ($m in $methods) {
            $odataType = $m.AdditionalProperties['@odata.type']
            if ($odataType -match 'microsoftAuthenticator|softwareOath|phone|fido2|windowsHelloForBusiness') {
                $hasMfaMethod = $true
                break
            }
        }

        [pscustomobject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            HasMfaMethod      = $hasMfaMethod
            AuthMethodCount   = ($methods | Measure-Object).Count
        }
    })

    $results | Sort-Object UserPrincipalName | Export-Csv -NoTypeInformation -Path $OutputPath
    Write-Host "Saved $($results.Count) rows to $OutputPath" -ForegroundColor Green

Output

Exports a CSV with the following columns:

  • DisplayName
  • UserPrincipalName
  • AccountEnabled
  • HasMfaMethod — Whether the user has a registered MFA method (Authenticator, FIDO2, Phone, etc.)
  • AuthMethodCount — Total number of registered authentication methods
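
HasMfaMethod is a single yes/no, so a phone registration and a FIDO2 key look the same in the CSV. The following added example (not part of the original script) splits the same method families the script's regex matches into phishing-resistant and other MFA-capable methods; the function name, tier labels and sample users are hypothetical and constructed for illustration.

```powershell
# Added example. Get-MfaStrengthTier and the tier names are hypothetical.
function Get-MfaStrengthTier {
    param([string[]]$ODataTypes)

    # Same families as the report's regex, grouped by phishing resistance.
    $phishingResistant = 'fido2|windowsHelloForBusiness'
    $otherMfa          = 'microsoftAuthenticator|softwareOath|phone'

    # -match on an array returns the matching elements; an empty result is falsy.
    if ($ODataTypes -match $phishingResistant) { return 'PhishingResistant' }
    if ($ODataTypes -match $otherMfa)          { return 'MfaCapable' }
    return 'None'
}

# Constructed sample data: @odata.type values as returned per registered method.
$p = '#microsoft.graph.'
$sample = @(
    @{ Upn = 'alice@example.test'; Methods = @("${p}passwordAuthenticationMethod", "${p}fido2AuthenticationMethod") }
    @{ Upn = 'bob@example.test';   Methods = @("${p}passwordAuthenticationMethod", "${p}phoneAuthenticationMethod") }
    @{ Upn = 'carol@example.test'; Methods = @("${p}passwordAuthenticationMethod", "${p}emailAuthenticationMethod") }
    @{ Upn = 'dave@example.test';  Methods = @("${p}passwordAuthenticationMethod") }
)

$sample | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.Upn
        Tier              = Get-MfaStrengthTier -ODataTypes $_.Methods
        # The password entry is itself a listed method, so it counts here too.
        AuthMethodCount   = $_.Methods.Count
    }
} | Format-Table -AutoSize
```

With this sample, alice is PhishingResistant, bob is MfaCapable, and carol and dave are None: password and email entries raise AuthMethodCount without making a user MFA-capable.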

Graph Permissions

  • User.Read.All
  • UserAuthenticationMethod.Read.All