How to Check MFA Status for Users in Microsoft Entra ID

Learn to view and export Multi-Factor Authentication status for all users in your Microsoft Entra ID tenant using both GUI methods and PowerShell automation with Microsoft Graph.

Emanuel DE ALMEIDA
March 17, 2026 | 15 min | medium | mfa | 7 steps

Why Monitor MFA Status in Microsoft Entra ID?

With Microsoft's mandatory MFA enforcement deadlines approaching in 2026, monitoring Multi-Factor Authentication status across your tenant has become critical for security and compliance. The October 1, 2026 deadline for Azure portal access and the December 31, 2026 final compliance deadline mean organizations must have comprehensive visibility into their users' authentication methods.

Microsoft Entra ID provides multiple approaches to check MFA status, from quick GUI-based reviews to comprehensive PowerShell automation. Understanding which users have MFA enabled, what authentication methods they're using, and identifying compliance gaps helps you maintain security while ensuring users don't lose access to critical resources.

What Authentication Methods Should You Monitor?

Modern MFA in Microsoft Entra ID supports various authentication methods with different security levels. Strong methods include Microsoft Authenticator, FIDO2 security keys, Windows Hello for Business, and phone authentication. Weaker methods like email authentication provide some protection but may not meet future compliance requirements.

The reporting methods covered in this tutorial help you identify users relying on weak authentication methods, track adoption of stronger methods like passwordless authentication, and generate compliance reports for management. Whether you need a quick status check for a few users or comprehensive reporting for thousands of accounts, these techniques provide the visibility you need to maintain security and meet Microsoft's evolving MFA requirements.

Implementation Guide

Full Procedure

01

Access MFA Status Through Microsoft Entra Admin Center

Start by navigating to the Microsoft Entra admin center to view MFA status through the graphical interface. This method provides real-time visibility into user authentication methods.

Open your web browser and navigate to https://entra.microsoft.com. Sign in with your administrative account that has Authentication Admin or Global Admin privileges.

In the left navigation pane, expand Protection and select Authentication methods. This section contains all authentication-related reporting and configuration options.

Click on User registration details to access the comprehensive authentication status dashboard. This view shows you critical columns including Multifactor authentication capable, Default multifactor authentication method, and Methods registered.

Pro tip: Use the filter options at the top to focus on specific user groups or authentication states. You can filter by MFA capable status, specific authentication methods, or user roles to narrow down your results.

Verification: You should see a table displaying all users with their MFA status. Look for the green checkmarks in the "Multifactor authentication capable" column to identify users who have MFA properly configured.

02

Install and Configure Microsoft Graph PowerShell SDK

For bulk reporting and automation, you'll need the Microsoft Graph PowerShell SDK. This allows you to programmatically retrieve MFA status for hundreds or thousands of users.

Open PowerShell as Administrator and install the required modules:

Install-Module Microsoft.Graph -Repository PSGallery -Force
Install-Module Microsoft.Graph.Authentication -Force
Install-Module Microsoft.Graph.Users -Force
Install-Module Microsoft.Graph.Reports -Force

After installation, import the necessary modules for your session:

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect to Microsoft Graph with the required permissions. You need specific scopes to read user authentication methods:

Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Green
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

Warning: The connection will open a browser window for authentication. Make sure you sign in with an account that has the necessary administrative privileges.

Verification: Run Get-MgContext to confirm your connection is established and check which scopes are available.

03

Query Individual User MFA Status

Before running bulk reports, test your connection by checking MFA status for a single user. This helps you understand the data structure and verify your permissions.

Retrieve all authentication methods for a specific user:

Get-MgUserAuthenticationMethod -UserId "user@yourdomain.com"

To filter for specific authentication method types, match on the @odata.type value stored in each object's AdditionalProperties. For example, to check only phone authentication methods:

Get-MgUserAuthenticationMethod -UserId "user@yourdomain.com" | Where-Object {$_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.phoneAuthenticationMethod"}

Check for Microsoft Authenticator app registrations:

Get-MgUserAuthenticationMethod -UserId "user@yourdomain.com" | Where-Object {$_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}

The output will show you detailed information about each registered authentication method, including when it was registered and its current status.

Pro tip: Save the output to a variable first: $userMethods = Get-MgUserAuthenticationMethod -UserId "user@domain.com", then explore the data structure with $userMethods | Format-List *

Verification: The command should return authentication method objects. If you get an empty result, the user either has no MFA methods configured or you lack sufficient permissions.

04

Create Comprehensive MFA Status Report Script

Now create a PowerShell script that generates a complete MFA status report for all users in your tenant. This script processes each user and determines their MFA capability based on registered authentication methods.

Create a new PowerShell script file called Get-MFAStatus.ps1 with the following content:

# Get-MFAStatus.ps1
# Comprehensive MFA status report for Microsoft Entra ID

param(
    [string]$ExportPath = "C:\Reports\MFA-Status-Report-$(Get-Date -Format 'yyyy-MM-dd-HHmm').csv"
)

# Import required modules
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

# Connect to Microsoft Graph
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Green
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# Initialize results array
$results = @()

# Get all users in the tenant
Write-Host "Retrieving user list..." -ForegroundColor Yellow
$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,Id,AccountEnabled,CreatedDateTime

Write-Host "Processing $($users.Count) users..." -ForegroundColor Yellow

foreach ($user in $users) {
    Write-Progress -Activity "Processing Users" -Status "Checking $($user.DisplayName)" -PercentComplete (($results.Count / $users.Count) * 100)

    try {
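        # Get authentication methods for each user. -ErrorAction Stop routes a
        # failed lookup (permissions, throttling) to the catch block instead of
        # silently recording the user as having no MFA methods.
        $authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop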

        # Determine MFA capability and registered methods
        $mfaCapable = $false
        $registeredMethods = @()
        $defaultMethod = "None"
        $strongMethods = 0

        if ($authMethods) {
            foreach ($method in $authMethods) {
                switch ($method.AdditionalProperties["@odata.type"]) {
                    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                        $registeredMethods += "Microsoft Authenticator"
                        $mfaCapable = $true
                        $strongMethods++
                    }
                    "#microsoft.graph.phoneAuthenticationMethod" {
                        $registeredMethods += "Phone"
                        $mfaCapable = $true
                        $strongMethods++
                    }
                    "#microsoft.graph.emailAuthenticationMethod" {
                        $registeredMethods += "Email"
                    }
                    "#microsoft.graph.fido2AuthenticationMethod" {
                        $registeredMethods += "FIDO2 Security Key"
                        $mfaCapable = $true
                        $strongMethods++
                    }
                    "#microsoft.graph.softwareOathAuthenticationMethod" {
                        $registeredMethods += "Software OATH Token"
                        $mfaCapable = $true
                        $strongMethods++
                    }
                    "#microsoft.graph.temporaryAccessPassAuthenticationMethod" {
                        $registeredMethods += "Temporary Access Pass"
                    }
                    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
                        $registeredMethods += "Windows Hello for Business"
                        $mfaCapable = $true
                        $strongMethods++
                    }
                }
            }
        }

        # Determine default method priority
        if ($registeredMethods -contains "Microsoft Authenticator") {
            $defaultMethod = "Microsoft Authenticator"
        } elseif ($registeredMethods -contains "FIDO2 Security Key") {
            $defaultMethod = "FIDO2 Security Key"
        } elseif ($registeredMethods -contains "Phone") {
            $defaultMethod = "Phone"
        } elseif ($registeredMethods -contains "Windows Hello for Business") {
            $defaultMethod = "Windows Hello for Business"
        }

        # Create result object
        $result = [PSCustomObject]@{
            DisplayName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled = $user.AccountEnabled
            MFACapable = $mfaCapable
            StrongMethodCount = $strongMethods
            DefaultMFAMethod = $defaultMethod
            RegisteredMethods = ($registeredMethods -join "; ")
            MethodCount = $registeredMethods.Count
            UserCreated = $user.CreatedDateTime
            ProcessedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        }

        $results += $result
    }
    catch {
        Write-Warning "Failed to process user $($user.DisplayName): $($_.Exception.Message)"
    }
}

# Create export directory if it doesn't exist
$exportDir = Split-Path $ExportPath -Parent
if (!(Test-Path $exportDir)) {
    New-Item -ItemType Directory -Path $exportDir -Force
}

# Export results to CSV
Write-Host "Exporting results to $ExportPath..." -ForegroundColor Green
$results | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

# Display summary statistics
Write-Host "`nMFA Status Report Summary:" -ForegroundColor Cyan
Write-Host "========================" -ForegroundColor Cyan
Write-Host "Total users processed: $($results.Count)" -ForegroundColor White
# @() keeps .Count reliable when zero or one user matches
Write-Host "MFA capable users: $(@($results | Where-Object {$_.MFACapable -eq $true}).Count)" -ForegroundColor Green
Write-Host "Non-MFA users: $(@($results | Where-Object {$_.MFACapable -eq $false}).Count)" -ForegroundColor Red
Write-Host "Disabled accounts: $(@($results | Where-Object {$_.AccountEnabled -eq $false}).Count)" -ForegroundColor Yellow
Write-Host "Report saved to: $ExportPath" -ForegroundColor Cyan

# Disconnect from Microsoft Graph
Disconnect-MgGraph

Run the script from PowerShell:

.\Get-MFAStatus.ps1 -ExportPath "C:\Reports\MFA-Report.csv"

Warning: For large tenants (1000+ users), this script may take 10-30 minutes to complete. Run it during off-hours to avoid impacting other administrative tasks.

Verification: Check that the CSV file is created at your specified path and contains columns for DisplayName, UserPrincipalName, MFACapable, and RegisteredMethods.

05

Analyze MFA Compliance Using Advanced Filtering

After generating your MFA status report, you need to analyze the data to identify compliance gaps and security risks. This step shows you how to filter and interpret the results effectively.

Load your exported CSV file back into PowerShell for analysis:

$mfaReport = Import-Csv -Path "C:\Reports\MFA-Report.csv"

# Display users without MFA
Write-Host "Users without MFA capability:" -ForegroundColor Red
$nonMFAUsers = $mfaReport | Where-Object {$_.MFACapable -eq "False" -and $_.AccountEnabled -eq "True"}
$nonMFAUsers | Select-Object DisplayName, UserPrincipalName, RegisteredMethods | Format-Table -AutoSize

# Show users with only weak authentication methods
Write-Host "`nUsers with only email authentication:" -ForegroundColor Yellow
$emailOnlyUsers = $mfaReport | Where-Object {$_.RegisteredMethods -eq "Email" -and $_.AccountEnabled -eq "True"}
$emailOnlyUsers | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# Display users with strong MFA methods
Write-Host "`nUsers with strong MFA (Authenticator/FIDO2):" -ForegroundColor Green
$strongMFAUsers = $mfaReport | Where-Object {($_.RegisteredMethods -like "*Microsoft Authenticator*" -or $_.RegisteredMethods -like "*FIDO2*") -and $_.AccountEnabled -eq "True"}
Write-Host "Count: $(@($strongMFAUsers).Count)"

# Calculate compliance percentage
# @() forces an array so .Count is reliable when zero or one row matches
$totalActiveUsers = @($mfaReport | Where-Object {$_.AccountEnabled -eq "True"}).Count
$mfaCapableUsers = @($mfaReport | Where-Object {$_.MFACapable -eq "True" -and $_.AccountEnabled -eq "True"}).Count
$compliancePercentage = if ($totalActiveUsers -gt 0) { [math]::Round(($mfaCapableUsers / $totalActiveUsers) * 100, 2) } else { 0 }

Write-Host "`nMFA Compliance Summary:" -ForegroundColor Cyan
Write-Host "Total active users: $totalActiveUsers"
Write-Host "MFA capable users: $mfaCapableUsers"
Write-Host "Compliance rate: $compliancePercentage%"

if ($compliancePercentage -lt 95) {
    Write-Host "WARNING: MFA compliance below 95% - Action required before October 2026 deadline!" -ForegroundColor Red
}

Create a focused report for users who need immediate attention:

# Generate priority action list
$priorityUsers = $mfaReport | Where-Object {
    $_.AccountEnabled -eq "True" -and 
    ($_.MFACapable -eq "False" -or $_.RegisteredMethods -eq "Email")
} | Select-Object DisplayName, UserPrincipalName, RegisteredMethods, UserCreated

# Export priority list
$priorityUsers | Export-Csv -Path "C:\Reports\MFA-Priority-Actions.csv" -NoTypeInformation
Write-Host "Priority action list exported to C:\Reports\MFA-Priority-Actions.csv" -ForegroundColor Yellow

Pro tip: Set up automated monthly reports by scheduling this script as a Windows Task. This helps you track MFA adoption progress and identify new users who need MFA setup.

Verification: Your analysis should show clear numbers for MFA-capable vs non-MFA users, helping you understand your current compliance status against the October 2026 deadline.
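
The `-eq "Email"` filters above match only rows whose single registered method is email, so a row such as `Email; Temporary Access Pass` is not listed as email-only. The following is an added example, not part of the original tutorial: it splits the RegisteredMethods column and grades each enabled account by its strongest method. The tier table, the function name Get-MfaTier and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: grade each account by its strongest registered method.
# The tier assignment is an assumption of this example, built from the method
# names that Get-MFAStatus.ps1 writes to the RegisteredMethods column.
$tierOf = @{
    'FIDO2 Security Key'         = 3   # phishing-resistant
    'Windows Hello for Business' = 3   # phishing-resistant
    'Microsoft Authenticator'    = 2
    'Software OATH Token'        = 2
    'Phone'                      = 1   # SMS / voice call
    'Email'                      = 0   # does not make a user MFA capable
    'Temporary Access Pass'      = 0   # time-limited bootstrap credential
}
$tierName = @{ 3 = 'PhishingResistant'; 2 = 'AppOrToken'; 1 = 'PhoneOnly'; 0 = 'NoMfaMethod' }

function Get-MfaTier {
    param([string]$RegisteredMethods)
    $best = 0
    # The report joins methods with "; ". Split on ';' and trim each name.
    foreach ($name in ($RegisteredMethods -split ';')) {
        $name = $name.Trim()
        if ($name -and $tierOf.ContainsKey($name) -and $tierOf[$name] -gt $best) {
            $best = $tierOf[$name]
        }
    }
    return $tierName[$best]
}

# Constructed sample rows in the shape of MFA-Report.csv (not real accounts).
$sample = @'
DisplayName,UserPrincipalName,AccountEnabled,MFACapable,RegisteredMethods
Alice Example,alice@contoso.example,True,True,Microsoft Authenticator; Phone
Bob Example,bob@contoso.example,True,False,Email; Temporary Access Pass
Carol Example,carol@contoso.example,True,True,Phone
Dan Example,dan@contoso.example,True,True,FIDO2 Security Key; Microsoft Authenticator
Eve Example,eve@contoso.example,False,False,
Frank Example,frank@contoso.example,True,False,
'@ | ConvertFrom-Csv

$graded = foreach ($row in $sample) {
    # CSV fields come back as strings, so compare against 'True', not $true.
    if ($row.AccountEnabled -ne 'True') { continue }
    [PSCustomObject]@{
        UserPrincipalName = $row.UserPrincipalName
        Tier              = Get-MfaTier $row.RegisteredMethods
        RegisteredMethods = $row.RegisteredMethods
    }
}

# Accounts to follow up first: no MFA method at all, then phone-only.
$graded | Where-Object { $_.Tier -in 'NoMfaMethod', 'PhoneOnly' } |
    Sort-Object Tier, UserPrincipalName | Format-Table -AutoSize

# Tier distribution for the compliance summary.
$graded | Group-Object Tier | Select-Object Name, Count | Format-Table -AutoSize
```

To run it against a real export, replace the here-string with `Import-Csv -Path "C:\Reports\MFA-Report.csv"`.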

06

Use Microsoft 365 Admin Center for Quick MFA Overview

The Microsoft 365 Admin Center provides an alternative method for viewing MFA status, especially useful for quick checks and executive reporting.

Navigate to the Microsoft 365 Admin Center at https://admin.microsoft.com and sign in with your administrative credentials.

In the left navigation menu, expand Reports and select Usage. Look for the authentication-related reports in the available options.

Click on Authentication methods under the Security section. This report shows you registration and usage statistics for various authentication methods across your tenant.

For detailed per-user MFA status, navigate to Users > Active users in the admin center. Select a user and click on their profile to view their authentication methods in the Account tab.

Pro tip: Use the "Export users" feature in the Active users section to get a basic CSV export that includes some MFA-related fields, though it's less comprehensive than the PowerShell method.

To access the legacy per-user MFA settings (still available in 2026), go to Users > Active users, then click Multi-factor authentication at the top of the user list. This opens the classic MFA management interface.

In the per-user MFA interface, you can see three status levels:

  • Disabled: User has no MFA enforcement
  • Enabled: User is required to register for MFA on next sign-in
  • Enforced: User must use MFA for all sign-ins

Verification: You should see a clear overview of MFA registration rates and can drill down into individual user details. The reports here complement the detailed PowerShell analysis from previous steps.

07

Set Up Automated MFA Monitoring and Alerts

Establish ongoing monitoring to track MFA adoption and identify users who disable or remove their authentication methods. This is crucial for maintaining security posture as you approach the 2026 compliance deadlines.

Create a monitoring script that can be scheduled to run weekly:

# MFA-Monitor.ps1
# Weekly MFA status monitoring with email alerts

param(
    [string]$SMTPServer = "smtp.office365.com",
    [string]$From = "mfa-monitor@yourdomain.com",
    [string]$To = "security-team@yourdomain.com",
    [string]$ReportPath = "C:\Reports\Weekly-MFA-Monitor.csv"
)

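# Connect to Microsoft Graph
# Note: this is an interactive, delegated sign-in. A scheduled task running as
# SYSTEM has no user to complete it, so unattended runs need app-only
# authentication (Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...)
# with the equivalent application permissions granted to an app registration.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome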

# Get current MFA status
$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,Id,AccountEnabled,CreatedDateTime
$currentResults = @()

foreach ($user in $users) {
    if ($user.AccountEnabled) {
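        # A failed lookup must not be recorded as "no MFA": warn and skip the user.
        try {
            $authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop
        }
        catch {
            Write-Warning "Skipping $($user.UserPrincipalName): $($_.Exception.Message)"
            continue
        }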
        $mfaCapable = $false
        $methodCount = 0
        
        if ($authMethods) {
            foreach ($method in $authMethods) {
                $methodType = $method.AdditionalProperties["@odata.type"]
                if ($methodType -in @(
                    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
                    "#microsoft.graph.phoneAuthenticationMethod",
                    "#microsoft.graph.fido2AuthenticationMethod",
                    "#microsoft.graph.softwareOathAuthenticationMethod",
                    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
                )) {
                    $mfaCapable = $true
                    $methodCount++
                }
            }
        }
        
        $currentResults += [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName = $user.DisplayName
            MFACapable = $mfaCapable
            MethodCount = $methodCount
            CheckDate = Get-Date -Format "yyyy-MM-dd"
        }
    }
}

# Compare with previous week's results if available
$previousReportPath = $ReportPath -replace "\.csv$", "-Previous.csv"
$newIssues = @()
$resolvedIssues = @()

if (Test-Path $previousReportPath) {
    $previousResults = Import-Csv $previousReportPath
    
    # Find users who lost MFA capability
    foreach ($current in $currentResults) {
        $previous = $previousResults | Where-Object {$_.UserPrincipalName -eq $current.UserPrincipalName}
        if ($previous -and $previous.MFACapable -eq "True" -and $current.MFACapable -eq $false) {
            $newIssues += "$($current.DisplayName) ($($current.UserPrincipalName)) lost MFA capability"
        }
    }
    
    # Find users who gained MFA capability
    foreach ($current in $currentResults) {
        $previous = $previousResults | Where-Object {$_.UserPrincipalName -eq $current.UserPrincipalName}
        if ($previous -and $previous.MFACapable -eq "False" -and $current.MFACapable -eq $true) {
            $resolvedIssues += "$($current.DisplayName) ($($current.UserPrincipalName)) enabled MFA"
        }
    }
}

# Export current results
$currentResults | Export-Csv -Path $ReportPath -NoTypeInformation

# Keep a copy of this run's results as the baseline for next week's comparison
if (Test-Path $ReportPath) {
    Copy-Item $ReportPath $previousReportPath -Force
}

# Send email alert if there are issues
if ($newIssues.Count -gt 0 -or $resolvedIssues.Count -gt 0) {
    $emailBody = @"
Weekly MFA Status Update
========================

New MFA Issues ($($newIssues.Count)):
$($newIssues -join "`n")

Resolved Issues ($($resolvedIssues.Count)):
$($resolvedIssues -join "`n")

Current Statistics:
Total Active Users: $($currentResults.Count)
MFA Capable: $(@($currentResults | Where-Object {$_.MFACapable -eq $true}).Count)
Non-MFA Users: $(@($currentResults | Where-Object {$_.MFACapable -eq $false}).Count)

Report generated: $(Get-Date)
"@

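    # Send email (requires configured SMTP). Send-MailMessage is marked obsolete
    # by Microsoft, and smtp.office365.com only accepts authenticated submission
    # over TLS, so this call needs a relay or credentials to succeed.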
    try {
        Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject "Weekly MFA Status Alert" -Body $emailBody
        Write-Host "Alert email sent successfully" -ForegroundColor Green
    }
    catch {
        Write-Warning "Failed to send email alert: $($_.Exception.Message)"
    }
}

Disconnect-MgGraph

Schedule this script to run weekly using Windows Task Scheduler:

# Create scheduled task for weekly MFA monitoring
# The task runs as SYSTEM, so keep C:\Scripts writable by administrators only.
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MFA-Monitor.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9:00AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

Register-ScheduledTask -TaskName "Weekly MFA Status Monitor" -Action $action -Trigger $trigger -Settings $settings -Principal $principal

Warning: Remember that the October 2026 deadline for Azure portal MFA enforcement is approaching. Users without MFA will lose access to Azure resources, so proactive monitoring is essential.

Verification: Test the monitoring script manually first, then check that the scheduled task appears in Task Scheduler and runs successfully on the designated schedule.
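
The comparison loops in MFA-Monitor.ps1 report only users whose MFACapable flag flips between runs. The following is an added example, not from the original script: it indexes the previous snapshot by UPN and also reports a drop in MethodCount and accounts that are new since the last run and have no MFA. The function name Compare-MfaSnapshot, the Change labels and both sample snapshots are constructed for illustration.

```powershell
function Compare-MfaSnapshot {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Previous,
        [Parameter(Mandatory)] [object[]]$Current
    )
    # Index last run by UPN: one hashtable lookup per user instead of a
    # Where-Object scan over the whole previous report.
    $prevByUpn = @{}
    foreach ($p in $Previous) { $prevByUpn[$p.UserPrincipalName] = $p }

    foreach ($c in $Current) {
        # CSV fields are strings; normalise before comparing.
        $nowCapable = "$($c.MFACapable)" -eq 'True'
        $nowCount   = [int]$c.MethodCount
        $p = $prevByUpn[$c.UserPrincipalName]

        $change = $null
        if (-not $p) {
            # Account did not exist in the previous snapshot.
            if (-not $nowCapable) { $change = 'NewAccountWithoutMfa' }
        } else {
            $wasCapable = "$($p.MFACapable)" -eq 'True'
            $wasCount   = [int]$p.MethodCount
            if ($wasCapable -and -not $nowCapable)     { $change = 'LostMfaCapability' }
            elseif (-not $wasCapable -and $nowCapable) { $change = 'GainedMfaCapability' }
            elseif ($nowCount -lt $wasCount)           { $change = 'MethodRemoved' }
        }
        if ($change) {
            [PSCustomObject]@{
                UserPrincipalName = $c.UserPrincipalName
                Change            = $change
                MethodsBefore     = if ($p) { [int]$p.MethodCount } else { $null }
                MethodsNow        = $nowCount
            }
        }
    }
}

# Constructed snapshots in the shape of Weekly-MFA-Monitor.csv (not real data).
$previous = @'
UserPrincipalName,DisplayName,MFACapable,MethodCount,CheckDate
alice@contoso.example,Alice Example,True,2,2026-03-09
bob@contoso.example,Bob Example,True,1,2026-03-09
carol@contoso.example,Carol Example,False,0,2026-03-09
'@ | ConvertFrom-Csv

$current = @'
UserPrincipalName,DisplayName,MFACapable,MethodCount,CheckDate
alice@contoso.example,Alice Example,True,1,2026-03-16
bob@contoso.example,Bob Example,False,0,2026-03-16
carol@contoso.example,Carol Example,True,1,2026-03-16
dave@contoso.example,Dave Example,False,0,2026-03-16
'@ | ConvertFrom-Csv

Compare-MfaSnapshot -Previous $previous -Current $current |
    Sort-Object Change, UserPrincipalName | Format-Table -AutoSize
```

With the sample data, each of the four accounts produces one row, one per Change label.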

Frequently Asked Questions

What's the difference between MFA capable and MFA enforced in Microsoft Entra ID?
MFA capable means a user has registered at least one strong authentication method (like Microsoft Authenticator or phone) but may not be required to use it. MFA enforced means the user must complete multi-factor authentication for every sign-in. With the 2026 deadlines approaching, Microsoft is moving toward automatic enforcement for all Azure portal access regardless of per-user settings.

Can I check MFA status for guest users in my Microsoft Entra ID tenant?
Yes, guest users appear in MFA status reports, but their authentication methods are managed by their home tenant. The PowerShell scripts in this tutorial will show guest users, but you cannot modify their MFA settings. Guest users must configure MFA in their own organization's tenant to meet your conditional access requirements.

Why does my PowerShell script show different MFA numbers than the admin center?
Discrepancies usually occur due to timing differences in data synchronization or different filtering criteria. The admin center may cache data for performance, while PowerShell queries real-time Graph API data. Also, some reports include disabled accounts while others filter them out. Always verify your filtering criteria match between methods.

What happens to users without MFA after the October 2026 Azure portal deadline?
Starting October 1, 2026, users without MFA will be blocked from accessing the Azure portal, Azure CLI, Azure PowerShell, and Azure mobile app. They'll receive prompts to register for MFA but cannot proceed until they complete registration. This enforcement is automatic and cannot be disabled, making proactive MFA deployment essential.

How often should I run MFA status reports for my organization?
For organizations approaching the 2026 deadlines, weekly monitoring is recommended to track adoption progress and identify users who remove authentication methods. Monthly reports are sufficient for maintenance after achieving full compliance. Set up automated monitoring using the PowerShell scripts provided to catch changes immediately and ensure continuous compliance.

Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
