Is there any effective way to get a report of the actual MFA state of your users? I mean the individual MFA state as well as MFA enabled via Conditional Access.

It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced. However, if MFA is enabled via Conditional Access, I can't seem to find an effective way to report on them.

The PowerShell snippet below is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if "Phone" or "Alternate Phone" is configured in the Azure user object, it will still report it here even if the user is not a member of a Conditional Access policy.

There is a built-in Azure report for this, but it is completely incorrect. It says, for instance, that I'm not enabled for MFA even though I have been enabled for the last 6 years.

```powershell
# Fragment as posted; the property names on several lines were lost in the original.
$user = Get-MsolUser -UserPrincipalName
 = $user.StrongAuthenticationMethods | Select-Object MethodType,
 = $user.UserPrincipalName
AuthEmail = $
AuthPhoneNumber = $
```

```powershell
# Fragment as posted; the policy properties compared against the user's membership were lost in the original.
# Compare-Object marks objects present on both sides with the SideIndicator "==".
$aadUser = Get-AzureADUser -ObjectId $Upn
$userMembership = ($aadUser | Get-AzureADUserMembership).ObjectId
(Compare-Object -ReferenceObject $_. -DifferenceObject $userMembership -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -contains "==" -or `
(Compare-Object -ReferenceObject $_. -DifferenceObject $userMembership -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -contains "==" -and `
$MFAStatus = "Enabled via Conditional Access"
```

All it really does is get the current user's ObjectID, get the ObjectIDs of all the roles and groups to which the user is assigned, and then check the Conditional Access policies which are configured for MFA to see if the user belongs to them, is not excluded from them, and the policy is enabled.
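The approach described above, written out as a complete script. This is an added example, not the poster's own snippet: it combines the per-user MFA state from MSOnline with a walk over the enabled Conditional Access policies that grant "mfa", testing the user's ObjectId, group ObjectIds and directory-role template IDs against each policy's include and exclude lists (exclusions take precedence, as the CA engine evaluates them). It assumes the MSOnline and AzureAD modules are installed and already connected (Connect-MsolService, Connect-AzureAD); both modules are deprecated, and the policy objects returned by the Microsoft Graph cmdlet Get-MgIdentityConditionalAccessPolicy have the same Conditions/GrantControls shape, so the scope test carries over unchanged. The function names and the sample policy at the bottom are invented for the example.

```powershell
# Added example, not the original poster's code. Assumes Connect-MsolService and
# Connect-AzureAD have already been run. Function names are the example's own.

function Test-UserInCaPolicy {
    # Returns $true when the policy's user condition puts this user in scope.
    param(
        [Parameter(Mandatory)] $Policy,            # Conditional Access policy object
        [Parameter(Mandatory)] [string] $UserId,   # the user's ObjectId
        [string[]] $GroupIds        = @(),         # ObjectIds of the user's groups
        [string[]] $RoleTemplateIds = @()          # RoleTemplateIds of the user's directory roles
    )
    $u = $Policy.Conditions.Users

    # Exclusions win over inclusions, exactly as the CA engine evaluates them.
    if ($u.ExcludeUsers -contains $UserId) { return $false }
    if (@($u.ExcludeGroups | Where-Object { $GroupIds        -contains $_ }).Count -gt 0) { return $false }
    if (@($u.ExcludeRoles  | Where-Object { $RoleTemplateIds -contains $_ }).Count -gt 0) { return $false }

    if ($u.IncludeUsers -contains 'All' -or $u.IncludeUsers -contains $UserId) { return $true }
    if (@($u.IncludeGroups | Where-Object { $GroupIds        -contains $_ }).Count -gt 0) { return $true }
    if (@($u.IncludeRoles  | Where-Object { $RoleTemplateIds -contains $_ }).Count -gt 0) { return $true }
    return $false
}

function Get-EffectiveMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # 1. Per-user (legacy) MFA: StrongAuthenticationRequirements is empty when Disabled.
    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $perUser  = ($msolUser.StrongAuthenticationRequirements | Select-Object -First 1).State
    if (-not $perUser) { $perUser = 'Disabled' }

    # 2. Identity and memberships. CA policies reference directory roles by
    #    RoleTemplateId, not by the activated role's ObjectId, so collect both kinds.
    $aadUser    = Get-AzureADUser -ObjectId $UserPrincipalName
    $membership = @(Get-AzureADUserMembership -ObjectId $aadUser.ObjectId -All $true)
    $groupIds   = @($membership | Where-Object { $_.ObjectType -eq 'Group' } |
                    Select-Object -ExpandProperty ObjectId)
    $roleIds    = @($membership | Where-Object { $_.PSObject.Properties['RoleTemplateId'] } |
                    Select-Object -ExpandProperty RoleTemplateId)

    # 3. Enabled policies (not report-only, not disabled) that grant MFA and scope this user.
    $mfaPolicies = @(Get-AzureADMSConditionalAccessPolicy |
        Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' } |
        Where-Object { Test-UserInCaPolicy -Policy $_ -UserId $aadUser.ObjectId `
                                           -GroupIds $groupIds -RoleTemplateIds $roleIds })

    # 4. Registered default method, reported on its own: a registered phone is
    #    evidence of registration, not of enforcement.
    $defaultMethod = ($msolUser.StrongAuthenticationMethods |
        Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

    $status = if ($perUser -ne 'Disabled')  { "Per-user: $perUser" }
              elseif ($mfaPolicies.Count)   { 'Enabled via Conditional Access' }
              else                          { 'Not required' }

    [PSCustomObject]@{
        UserPrincipalName = $msolUser.UserPrincipalName
        PerUserMfaState   = $perUser
        CaMfaPolicies     = ($mfaPolicies.DisplayName -join '; ')
        DefaultMethod     = $defaultMethod
        MfaStatus         = $status
    }
}

# Constructed offline check of the scope logic (no tenant needed): a tenant-wide
# MFA policy that excludes one break-glass group. The GUID is made up.
$breakGlass   = '00000000-0000-0000-0000-00000000beef'
$samplePolicy = [PSCustomObject]@{
    DisplayName   = 'Require MFA for all users'
    State         = 'enabled'
    GrantControls = [PSCustomObject]@{ BuiltInControls = @('mfa') }
    Conditions    = [PSCustomObject]@{ Users = [PSCustomObject]@{
        IncludeUsers = @('All'); ExcludeGroups = @($breakGlass) } }
}
if (-not (Test-UserInCaPolicy -Policy $samplePolicy -UserId 'u1')) { throw 'All-users include not honoured' }
if (Test-UserInCaPolicy -Policy $samplePolicy -UserId 'u1' -GroupIds $breakGlass) { throw 'Group exclusion not honoured' }

# Tenant-wide report:
# Get-MsolUser -All | ForEach-Object { Get-EffectiveMfaState $_.UserPrincipalName } |
#     Export-Csv .\mfa-report.csv -NoTypeInformation
```

Two caveats on reading the output. "Enabled via Conditional Access" only means that at least one enabled policy requiring MFA includes the user; the policy may still be scoped to particular cloud apps, platforms or locations, so the CaMfaPolicies column is the part worth reviewing. The scope test also does not expand nested groups (Get-AzureADUserMembership returns direct memberships), does not evaluate the guest/external-user condition, and cannot see newer grant controls such as authentication strength through this module, so a user can be protected by a policy this script reports as not matching.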