SOLVED: How To List Users Who Do Not Have MFA in Azure & M365

We’ve recently had a client who was breached because a long-term brute force spray password attack eventually correctly guessed and administrators password. This breach should have been avoided by the company ensuring that all of its users were using multi factor authentication.

By default new accounts are required to have multi factor authentication but you can turn that off or on:

https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings

How To Disable MFA For Specific Users

There are however situations in which you need to disable multi factor authentication for specific users. for instance service accounts that are used on many devices like photocopiers cannot use two factor authentication.

If you want to disable two factor authentication for Microsoft 365 and azure surf to this URL, select the user in question, and set them to disabled.

https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365#

How To Export a List of Users That Are Not Using MFA?

This PowerShell script will export the key fields and tell you if MFA is setup for each user:

# Import the required module
Import-Module MSOnline

# Get your tenant credentials
$credential = Get-Credential

# Connect to your tenant
Connect-MsolService -Credential $credential

# Get all users
$users = Get-MsolUser -All

# Select required properties and add new ones for Account Status, MFA Status, UPN
$userProperties = $users | Select-Object @{
    Name = "Account Status"
    Expression = {
        if ($_.BlockCredential) {
            "Disabled"
        } else {
            "Enabled"
        }
    }
}, @{
    Name = "MFA Status"
    Expression = {
        if ($_.StrongAuthenticationMethods.Count -eq 0) {
            "Disabled"
        } else {
            "Enabled"
        }
    }
}, DisplayName, FirstName, LastName, UserPrincipalName

# Sort users by DisplayName
$sortedUsers = $userProperties | Sort-Object DisplayName

# Export users to a CSV file
$sortedUsers | Export-Csv -Path "C:\temp\MfaDisabledUsers.csv" -NoTypeInformation

This script does the following:

1. Connects you to the M365 / Azure Tenent
2. Retrieves all users.
3. Selects the required properties and adds new ones for Account Status, MFA Status, and UPN.
4. Sorts the users by DisplayName.
5. Exports the sorted users to a CSV file at the specified path. The -NoTypeInformation parameter is used to prevent the output of type information to the CSV file. This makes the CSV output cleaner and easier to read.

At this point you can open the CSV file using Excel and then filter the MFA status and the account enabled status so you are only dealing with the accounts that are active but do not have multi factor authentication.

Note that you can see if an individual user is setup for MFA by surfing to Azure ENTRA ID > USERS > select a USER > AUTHENTICATION METHODS

https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings