Checking MFA Enrollment status

Checking MFA Enrollment status using PowerShell

Hi everyone,

A quick write-up today, as I’m getting ready to upload the slidedecks from both the ReBuild Conference in Nantes as EvolveConf in Birmingham, where I had the chance to deliver my session on Conditional Access best practices. The slides will be online somewhere this weekend! After that, it’s all about getting ready for Ignite 2019! If anyone is attending and wants to meetup, drop me a message and we’ll arrange something!

So, on to the actual blogpost. When you roll out MFA in your organization, you might want to periodically check which users haven’t enrolled yet. This way, you can send them a gentle reminder that they need to provide their security information using the portal, so MFA can be applied without them losing access to their accounts.

Fortunately, we can always rely on PowerShell to get the job done. In my case, I use the MSOnline module, but you can propably achieve the same thing using the AzureAD module. If you have some code to do it that way, just leave a comment below and I’ll make sure to include it in this post.

With the MSOnline module, you can check all the authentication methods that are set for a user. Those are stored in the strongauthenticationmethods property for the user.

So, we can explore easily:

$mfadetails = (get-msoluser -userprincipalname


ExtensionData                                    IsDefault MethodType
-------------                                    --------- ----------
System.Runtime.Serialization.ExtensionDataObject      True PhoneAppOTP
System.Runtime.Serialization.ExtensionDataObject     False PhoneAppNotification
System.Runtime.Serialization.ExtensionDataObject     False OneWaySMS
System.Runtime.Serialization.ExtensionDataObject     False TwoWayVoiceMobile

As you can see, al registered methods are listed here. Of course, you can use the count method on this property.


In my case, there are four authentication methods registered for my device. (The phone app OTP, a notification through phone, an SMS passocde and a phone call option).

Knowing this, you can easily select all user that don’t have an authentication method configured.

$NoMFAEnabled = get-msoluser -All | where {$_.StrongAuthenticationMethods.count -lt 1}

You might want to add an extra filter to not include unlicensed accounts, depending on your organisation.

$NoMFAEnabled = get-msoluser -All | where {($_.StrongAuthenticationMethods.count -lt 1) -and ($_.isLicensed -eq $false)}

This way, you can create an easy CSV-file with the names of all people that haven’t enrolled in MFA yet, so you can stalk them to do so ;)