Liongard Ideas Portal

Submit and upvote ideas to make Liongard better. You get 20 votes so vote wisely. 🙂

The Product Team is constantly reading your ideas and while we can’t promise that all ideas will become a reality, we value your feedback and promise to always have our Partners in mind when building and improving Liongard.

Check out our FAQs to learn more.
See what we've shipped by clicking here!

Office 365 Inspector - Show MFA status per-user

Matt Miller
Jun 1 2019
Shipped

Inspector Data Improvement

Last Reviewed Date

2020-01-21

Dec 17, 2019

Admin response

Quick update: We know this is high value to you information. Microsoft has begun making this information on a per-user basis only in cases where a higher-end Azure AD license is available. We are working on how to best surface that data for users where it is available and clearly indicate to the user in cases where it isn't available from Microsoft at all.

Attach files

Enter a subject
Guest commented

9 Nov, 2022 03:39pm

I 100% agree with this. Since we also started to use Liongard recently I had noticed this and brought it up with our Liongard Rep as well. Currently using a script per tenant to pull the data until this gets updated.
Guest commented

2 Feb, 2022 02:20pm

This is a fundamental metric that needs to be reported on with or without the Azure P1 license. Please escalate this idea to help us all secure our clients.
matt longenecker commented

8 Jun, 2021 09:09pm

This is absolutely possible through the 365 secure app model api.
I pieced this together using the following links so credit to them.
https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/
https://github.com/ruudmens/LazyAdmin/blob/master/Office365/MFAStatus.ps1

$ApplicationId = 'xxxx-xxxx-xxxx-xxxx-xxx'
$ApplicationSecret = 'YOURSECRET' | Convertto-SecureString -AsPlainText -Force
$TenantID = 'xxxxxx-xxxx-xxx-xxxx--xxx'
$RefreshToken = 'LongResourcetoken'
$ExchangeRefreshToken = 'LongExchangeToken'
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$msolusers = Get-MsolUser -TenantId 'TENENT ID of customer' -EnabledFilter EnabledOnly | Where-Object {$_.IsLicensed -eq $true} | Sort-Object UserPrincipalName
foreach ($MsolUser in $MsolUsers) {
[PSCustomObject]@{
DisplayName = $MsolUser.DisplayName
UserPrincipalName = $MsolUser.UserPrincipalName
isAdmin = if ($listAdmins -and $admins.EmailAddress -match $MsolUser.UserPrincipalName) {$true} else {"-"}
MFAEnabled = if ($MsolUser.StrongAuthenticationMethods) {$true} else {$false}
MFAType = $MsolUser.StrongAuthenticationMethods | Where-Object {$_.IsDefault -eq $true} | Select-Object -ExpandProperty MethodType
MFAEnforced = if ($MsolUser.StrongAuthenticationRequirements) {$true} else {"-"}
}
}
Toby Stephenson commented

5 Feb, 2021 11:22pm

I am sure this data can be pulled via Powershell, regardless of AAD Plan. Agree totally on Alex Membrey comments - this detail is important
Guest commented

13 Jul, 2020 03:53pm

I'm able to pull this information from MSOL using the $user.strongauthenticationrequirements properties including "state", "methodtype" (isdefault subproperty) "phonenumber", "alternativephonenumber", "email"
Admin

Daniela Weisz commented

29 May, 2020 02:16pm

Hi Dave,
That's correct. We're only able to capture this information based on the access Microsoft provides and currently we're only able to capture the MFA status of users for accounts with an Azure AD Premium P1 license or higher.
Guest commented

22 May, 2020 05:37pm

Was this considered shipped even though it requires the Azure AD Premium license? I'm seeing unknown for all my tenants.
Guest commented

9 Apr, 2020 04:32pm

It's worth also noting that Microsoft have MFA implemented in two different ways. Enforcement on a per user basis and also via conditional access.
So also having an MFA registered/enrolled state and by which authentication type would be useful.
Josh Kelly commented

2 Oct, 2019 09:49pm

Sent from my iPhone

Kind Regards,
Josh Kelly
Service Manager

P: 1300 688 020
M: 0447 805 457
E: josh.kelly@hdit.com.au

Technical Support: support@hdit.com.au
Quotes & Sales: sales@hdit.com.au
The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without the written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. Please consider the environment before printing this email.��

image252261.png

image025573.png

image101877.png

image636610.png

image252261.png
View full size image
image025573.png
View full size image
image101877.png
View full size image
image636610.png
View full size image
image252261.png image025573.png image101877.png image636610.png
Guest commented

1 Oct, 2019 06:34pm

This is becoming a key security requirement and would be nice to report and alert on it.
andrew stafford commented

15 Aug, 2019 01:26pm

This could help with the alerts also. We like the alerts that alert on MFA not being enabled for certain users but it does not show which users.

+24

27 Vote

Alert for if an enabled account has MFA (O365/Azure AD) Merged

No description provided

Created 20 Sep 01:50pm by Guest

Alerts and Change Detection Content

5 Shipped