This Microsoft Azure post will show how to Identify Azure users without MFA Using PowerShell.
If you are a Microsoft Azure customer and recently logged into the Microsoft Azure portal, you have probably seen the notification that from October 15th, 2024, Azure will enforce MFA for all users.
This change has no exceptions and will apply to any Azure/Entra ID account. In the past, Microsoft enabled Security Defaults on all new tenants, which enforced MFA.
The problem with Security Defaults is that you can easily disable the feature and log in to Azure without MFA.
To help companies prepare for the change, Microsoft has made a few tools available to find users that do not use MFA.
In this article, we will show you one of these tools. The following PowerShell script uses Microsoft Graph for PowerShell and creates a report that shows all the users that signed in to Azure in the last 30 days and if MFA is enabled on their account.
https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAzureMfaReport
Identify Azure Users Without MFA Using PowerShell
After installing Graph for PowerShell, log in to Azure using the following cmdlet:
Connect-MgGraph -Scopes Directory.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.AllAfter successfully connecting to Azure, run the following cmdlet to create the report:
Export-MsIdAzureMfaReport .\report.xlsxThe report also offers a readiness tab with more details.
The impact of not preparing for these changes can be serious for many organizations that do not use App Registration service accounts like SMTP mail relay.
Related Articles
If your organization needs help transitioning to App Registration-based service accounts, contact us using the form below.