Liongard Ideas Portal


Office 365 Inspector - Show MFA status per-user

  • Matt Miller
  • Jun 1 2019
  • Shipped
Last Reviewed Date 2020-01-21
  • Dec 17, 2019

    Admin response

    Quick update: We know this is high-value information to you. Microsoft has begun making this information available on a per-user basis only in cases where a higher-end Azure AD license is available. We are working on how to best surface that data for users where it is available and clearly indicate to the user in cases where it isn't available from Microsoft at all.

  • Guest commented
    2 Feb 02:20pm

    This is a fundamental metric that needs to be reported on with or without the Azure P1 license. Please escalate this idea to help us all secure our clients.

  • matt longenecker commented
    8 Jun, 2021 09:09pm

    This is absolutely possible through the 365 secure app model api.

    I pieced this together using the following links so credit to them.

    https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/

    https://github.com/ruudmens/LazyAdmin/blob/master/Office365/MFAStatus.ps1


    # Requires the PartnerCenter (New-PartnerAccessToken) and MSOnline (Connect-MsolService) modules
    Import-Module PartnerCenter, MSOnline

    # Placeholder values: substitute your own app registration, secret, tenant ID and refresh tokens
    $ApplicationId = 'xxxx-xxxx-xxxx-xxxx-xxx'
    $ApplicationSecret = 'YOURSECRET' | ConvertTo-SecureString -AsPlainText -Force
    $TenantID = 'xxxxxx-xxxx-xxx-xxxx--xxx'
    $RefreshToken = 'LongResourcetoken'
    $ExchangeRefreshToken = 'LongExchangeToken'   # not used in this snippet
    $credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

    # Exchange the refresh token for Azure AD Graph and Microsoft Graph access tokens
    $aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $TenantID
    $graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID
    Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken

    # Enabled, licensed users in the customer tenant
    $MsolUsers = Get-MsolUser -TenantId 'TENANT ID of customer' -EnabledFilter EnabledOnly | Where-Object {$_.IsLicensed -eq $true} | Sort-Object UserPrincipalName

    # $listAdmins and $admins come from the linked MFAStatus.ps1 and are not populated here,
    # so isAdmin is always "-" unless they are filled in first
    $listAdmins = $false
    $admins = @()

    foreach ($MsolUser in $MsolUsers) {
        [PSCustomObject]@{
            DisplayName = $MsolUser.DisplayName
            UserPrincipalName = $MsolUser.UserPrincipalName
            isAdmin = if ($listAdmins -and $admins.EmailAddress -match $MsolUser.UserPrincipalName) {$true} else {"-"}
            MFAEnabled = if ($MsolUser.StrongAuthenticationMethods) {$true} else {$false}
            MFAType = $MsolUser.StrongAuthenticationMethods | Where-Object {$_.IsDefault -eq $true} | Select-Object -ExpandProperty MethodType
            MFAEnforced = if ($MsolUser.StrongAuthenticationRequirements) {$true} else {"-"}
        }
    }



  • Toby Stephenson commented
    5 Feb, 2021 11:22pm

    I am sure this data can be pulled via PowerShell, regardless of AAD Plan. Agree totally on Alex Membrey's comments - this detail is important

  • Guest commented
    13 Jul, 2020 03:53pm

    I'm able to pull this information from MSOL using the $user.strongauthenticationrequirements properties including "state", "methodtype" (isdefault subproperty) "phonenumber", "alternativephonenumber", "email"

  • Admin
    Daniela Weisz commented
    29 May, 2020 02:16pm

    Hi Dave,
    That's correct. We're only able to capture this information based on the access Microsoft provides and currently we're only able to capture the MFA status of users for accounts with an Azure AD Premium P1 license or higher.

  • Guest commented
    22 May, 2020 05:37pm

    Was this considered shipped even though it requires the Azure AD Premium license? I'm seeing unknown for all my tenants.

  • Guest commented
    9 Apr, 2020 04:32pm

    It's worth also noting that Microsoft have MFA implemented in two different ways. Enforcement on a per user basis and also via conditional access.

    So also having an MFA registered/enrolled state and by which authentication type would be useful.
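
The comments in this thread separate two things: the per-user enforcement state and whether a user has registered a method (and which one). The PowerShell below is an added example, not code from any commenter or from Liongard; it shows that split using the StrongAuthenticationRequirements and StrongAuthenticationMethods properties named in the thread. Get-MfaSummary is a hypothetical helper name and the sample users are constructed objects shaped like Get-MsolUser output.

```powershell
# Added example: classify per-user MFA from Get-MsolUser-shaped objects.
function Get-MfaSummary {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Drop $null so a missing property counts as "no entries".
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $methods = @($User.StrongAuthenticationMethods      | Where-Object { $_ })
        # No requirement entry means per-user MFA is Disabled for this account.
        $state      = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
        $registered = $methods.Count -gt 0
        $default    = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        $finding = if ($state -ne 'Disabled' -and $registered) {
            'Per-user MFA on, method registered'
        } elseif ($state -ne 'Disabled') {
            'Per-user MFA on, user has not enrolled a method yet'
        } elseif ($registered) {
            'Registered only: enforcement depends on Conditional Access (not visible here)'
        } else {
            'No per-user MFA and nothing registered'
        }
        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserState      = $state
            Registered        = $registered
            DefaultMethod     = if ($default) { $default.MethodType } else { '-' }
            Finding           = $finding
        }
    }
}

# Constructed sample users (not real tenant data).
$sample = @(
    [PSCustomObject]@{
        UserPrincipalName                = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
            [PSCustomObject]@{ MethodType = 'OneWaySMS'; IsDefault = $false })
    }
    [PSCustomObject]@{
        UserPrincipalName                = 'bob@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'PhoneAppOTP'; IsDefault = $true })
    }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; StrongAuthenticationRequirements = @(); StrongAuthenticationMethods = @() }
)
$sample | Get-MfaSummary | Format-List
```

The MFAEnabled column in the script posted earlier in this thread corresponds to Registered here, not to enforcement.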

  • Guest commented
    1 Oct, 2019 06:34pm

    This is becoming a key security requirement and would be nice to report and alert on it. 

  • andrew stafford commented
    15 Aug, 2019 01:26pm

    This could help with the alerts also. We like the alerts that alert on MFA not being enabled for certain users but it does not show which users.  
