This last week I needed to create a report on the current status of O365 users' MFA registrations. I needed to make sure that people who now needed to work remotely were protected by MFA and that they were all registered.

There were a number of attributes that I needed to pull that would help identify the users and also understand why they had not registered. To do this, I used the following script.

#Connect to O365 tenant
Connect-MsolService 

#This is optional, but in my case I needed to exclude a group of users from the report,
#typically if these are generic accounts
#Replace the placeholder with the object ID of the group to exclude
$ExcludedGroupObjectId = '<object ID of group>'
$MFAGroup = (Get-MsolGroupMember -GroupObjectId $ExcludedGroupObjectId -MemberObjectTypes User -All | 
Get-MsolUser | Where {$_.UserPrincipalName} | Select UserPrincipalName)

#This part will now pull all the MFA status for any user that is Licensed in O365 and is not
#a member of the Group listed above
Get-MsolUser -All | Where-Object {$_.islicensed} | Where-Object {$_.UserPrincipalName -notin $MFAGroup.UserPrincipalName} |
Select DisplayName,UserPrincipalName,BlockCredential,UsageLocation,Department,
    @{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods|Where IsDefault -eq $True).MethodType} else { "Unregistered"}}},
    @{e={$_.ProxyAddresses -cmatch '^SMTP\:.*'};name='Primaryaddress'} | 
Export-csv c:\temp\mfastatus-18-03-1000hrs.csv -NoTypeInformation
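
Once the CSV exists, the next step is usually triage: which accounts can still sign in without MFA, and which departments are furthest behind. The following is an added example, not part of the original script; the function names `Get-MfaGap` and `Get-MfaCoverageByDepartment` are hypothetical, and the sample rows are constructed to match the columns the report exports.

```powershell
# Constructed sample rows in the same column layout the report script exports.
# On a real run, replace this block with: $report = Import-Csv <path to the exported CSV>
$report = @'
"DisplayName","UserPrincipalName","BlockCredential","UsageLocation","Department","MFA Status","Primaryaddress"
"Alice Example","alice@contoso.example","False","GB","Finance","PhoneAppNotification","SMTP:alice@contoso.example"
"Bob Example","bob@contoso.example","False","GB","Finance","Unregistered","SMTP:bob@contoso.example"
"Carol Example","carol@contoso.example","True","GB","Sales","Unregistered","SMTP:carol@contoso.example"
"Dan Example","dan@contoso.example","False","","","Unregistered","SMTP:dan@contoso.example"
'@ | ConvertFrom-Csv

function Get-MfaGap {
    # Hypothetical helper: accounts that can sign in but have no default MFA method.
    param([Parameter(Mandatory)][object[]]$Report)
    # CSV values are strings, so BlockCredential is compared against 'True', not $true.
    $Report |
        Where-Object { $_.'MFA Status' -eq 'Unregistered' -and $_.BlockCredential -ne 'True' } |
        Select-Object DisplayName, UserPrincipalName, Department, UsageLocation
}

function Get-MfaCoverageByDepartment {
    # Hypothetical helper: per-department registration counts, worst coverage first.
    param([Parameter(Mandatory)][object[]]$Report)
    $Report |
        Where-Object { $_.BlockCredential -ne 'True' } |   # blocked accounts cannot sign in
        Group-Object { if ($_.Department) { $_.Department } else { '(no department)' } } |
        ForEach-Object {
            $unregistered = @($_.Group | Where-Object { $_.'MFA Status' -eq 'Unregistered' }).Count
            [pscustomobject]@{
                Department   = $_.Name
                Users        = $_.Count
                Unregistered = $unregistered
                PercentMFA   = [math]::Round(100 * ($_.Count - $unregistered) / $_.Count, 1)
            }
        } |
        Sort-Object PercentMFA
}

Get-MfaGap -Report $report | Format-Table -AutoSize
Get-MfaCoverageByDepartment -Report $report | Format-Table -AutoSize
```

Accounts with an empty Department or UsageLocation are grouped separately, since missing attributes are often the generic or unmanaged accounts worth checking first.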