Entra ID MFA Methods Reporting with PowerShell – Simplified & Customizable

🔐 Multi-Factor Authentication (MFA) is a cornerstone of modern identity security. But how do you keep track of which users are registered, which methods they use, and whether they’re truly protected?

If you’ve ever wished for a simple way to generate a detailed report of MFA methods across your tenant—or even scoped to a specific group—this PowerShell script might just become your new favorite tool.

Let’s break it down. 👇

⚙️ What does the script do?

This PowerShell script connects to Microsoft Graph (including the Beta endpoint) and pulls detailed information about user authentication methods. It supports:

  • ✅ Filtering by Entra ID GroupId (optional)
  • 🚫 Excluding guest accounts
  • 📊 Exporting to CSV
  • 👀 Viewing results in a GridView

Whether you’re auditing MFA adoption, preparing for a compliance check, or just curious—this script gives you a clear picture of your tenant’s authentication landscape.

🧰 Prerequisites

Before running the script, it checks for the required modules:

  • Microsoft.Graph
  • Microsoft.Graph.Beta

If they’re missing, it installs them automatically. No manual prep needed. 🙌

🧪 How it works

Once prerequisites are in place, the script:

  1. Prompts for a CSV export path
  2. Optionally asks for a GroupId to filter users
  3. Connects to Microsoft Graph with the necessary scopes (AuditLog.Read.All and Group.Read.All)
  4. Retrieves user authentication method details
  5. Filters out guest accounts
  6. Builds a clean, structured report
  7. Displays the data in a GridView
  8. Exports the report to CSV

📋 What’s in the report?

Each user entry includes:

  • Display name & UPN
  • Admin status
  • Default MFA method
  • Registered methods
  • MFA, SSPR, and passwordless capability flags
  • Last updated timestamp

This gives you a holistic view of each user’s authentication readiness.

🧠 Why it’s useful

🔎 Security Audits – Quickly identify users without MFA or with weak configurations
📈 Adoption Tracking – Monitor rollout progress of passwordless or SSPR
🛠️ Troubleshooting – Spot inconsistencies or outdated registrations

And because it’s PowerShell, you can easily adapt it to your needs—add filters, automate exports, or integrate into larger reporting workflows.

🚀 Ready to try it?

Just run the script below, follow the prompts, and enjoy the insights.
Here’s to better visibility and stronger identity security! 💪

<#
Script: AuthMethodReport.ps1
Author: Daniel Fraubaum
Version: 1.2
Description: Generates a report of user authentication methods via Microsoft Graph.
             Optional filtering by Entra ID GroupId. Guest accounts are excluded.
#>
####################################################################
# Prerequisites
####################################################################

Write-Host "`n🔍 Checking prerequisites..." -ForegroundColor Cyan

# Check if Microsoft.Graph module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
    Write-Host "📦 Installing Microsoft.Graph module..." -ForegroundColor Yellow
    Install-Module Microsoft.Graph -Force -AllowClobber
} else {
    Write-Host "✅ Microsoft.Graph module is already installed." -ForegroundColor Green
}

# Check if Microsoft.Graph.Beta module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Beta)) {
    Write-Host "📦 Installing Microsoft.Graph.Beta module..." -ForegroundColor Yellow
    Install-Module Microsoft.Graph.Beta -Force -AllowClobber
} else {
    Write-Host "✅ Microsoft.Graph.Beta module is already installed." -ForegroundColor Green
}

####################################################################
# Initial Setup & Input
####################################################################

# Prompt for CSV export path
$CSVPath = Read-Host "📁 Enter export path for CSV (e.g. C:\Reports\authmethods.csv)"

# Prompt for optional GroupId
$GroupId = Read-Host "🔍 Enter Entra ID GroupId (leave empty to include all users)"

# Connect to Microsoft Graph
Write-Host "`n🔗 Connecting to Microsoft Graph..." -ForegroundColor Cyan
Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All"

####################################################################
# Data Collection
####################################################################

try {
    # -ErrorAction Stop makes Graph cmdlet errors terminating, so the catch block below actually runs
    if ($GroupId) {
        Write-Host "`n📋 GroupId provided. Fetching group members..." -ForegroundColor Cyan
        # Returns direct members only; members of nested groups are not expanded
        $GroupMembers = Get-MgGroupMember -GroupId $GroupId -All -ErrorAction Stop
        $GroupMemberIds = $GroupMembers.Id

        Write-Host "✅ Filtering users based on group membership and excluding guests..." -ForegroundColor Cyan
        $Users = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All -ErrorAction Stop | Where-Object {
            $GroupMemberIds -contains $_.Id -and $_.UserType -ne "Guest"
        }
    }
    else {
        Write-Host "`n📋 No GroupId provided. Fetching all users (excluding guests)..." -ForegroundColor Yellow
        $Users = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All -ErrorAction Stop | Where-Object {
            $_.UserType -ne "Guest"
        }
    }

    ################################################################
    # Report Construction
    ################################################################

    Write-Host "`n🛠 Building report object..." -ForegroundColor Cyan
    $Report = foreach ($User in $Users) {
        [PSCustomObject]@{
            DisplayName                                  = $User.UserDisplayName
            Id                                           = $User.Id
            UserPrincipalName                            = $User.UserPrincipalName
            IsAdmin                                      = $User.IsAdmin
            DefaultMfaMethod                             = $User.DefaultMfaMethod
            MethodsRegistered                            = $User.MethodsRegistered -join ','
            IsMfaCapable                                 = $User.IsMfaCapable
            IsMfaRegistered                              = $User.IsMfaRegistered
            IsPasswordlessCapable                        = $User.IsPasswordlessCapable
            IsSsprCapable                                = $User.IsSsprCapable
            IsSsprEnabled                                = $User.IsSsprEnabled
            IsSsprRegistered                             = $User.IsSsprRegistered
            IsSystemPreferredAuthenticationMethodEnabled = $User.IsSystemPreferredAuthenticationMethodEnabled
            LastUpdatedDateTime                          = $User.LastUpdatedDateTime
        }
    }

    ################################################################
    # Output & Export
    ################################################################

    Write-Host "`n📊 Opening GridView..." -ForegroundColor Cyan
    $Report | Out-GridView -Title "Authentication Methods Report"

    Write-Host "`n💾 Exporting report to CSV..." -ForegroundColor Cyan
    $Report | Export-Csv -Path $CSVPath -NoTypeInformation -Encoding utf8

    Write-Host "`n✅ Script completed. Report saved to:`n$CSVPath" -ForegroundColor Green
}
catch {
    ################################################################
    # Error Handling
    ################################################################
    Write-Host "`n❌ An error occurred: $_" -ForegroundColor Red
}
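
The security-audit use case described above (users without MFA or with weak configurations), as an added example that is not part of the original script: it reads rows in the report's CSV layout and flags admins without MFA, users with no MFA registered, and users whose only second factor is phone based. The function name, the sample rows and the two method lists are assumptions made for this example; adjust the lists to your own policy.

```powershell
# Added example: triage rows produced by the report script (works on its CSV export).
# Assumption: phone-based methods count as weak and email/securityQuestion are
# SSPR-only; adjust both lists to your own policy.
$TelephonyMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone'
$SsprOnlyMethods  = 'email', 'securityQuestion'

function Get-MfaAuditFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Row)
    process {
        # Import-Csv returns every column as a string, so compare text, not booleans.
        $isAdmin = $Row.IsAdmin -eq 'True'
        $hasMfa  = $Row.IsMfaRegistered -eq 'True'
        $methods = @($Row.MethodsRegistered -split ',' | Where-Object { $_ })
        # Registered methods that are neither phone based nor SSPR-only.
        $strong  = @($methods | Where-Object {
            $_ -notin $TelephonyMethods -and $_ -notin $SsprOnlyMethods
        })

        $finding = $null
        if (-not $hasMfa) {
            $finding = if ($isAdmin) { 'AdminWithoutMfa' } else { 'NoMfaRegistered' }
        } elseif ($strong.Count -eq 0) {
            $finding = 'TelephonyOnlyMfa'
        }
        if ($finding) {
            [PSCustomObject]@{
                UserPrincipalName = $Row.UserPrincipalName
                IsAdmin           = $isAdmin
                Finding           = $finding
                MethodsRegistered = $Row.MethodsRegistered
            }
        }
    }
}

# Constructed sample rows in the report's column layout (not real tenant data).
$SampleCsv = @'
"DisplayName","UserPrincipalName","IsAdmin","MethodsRegistered","IsMfaRegistered"
"Alex Admin","alex@contoso.example","True","","False"
"Sam Sms","sam@contoso.example","False","mobilePhone,email","True"
"Kim Key","kim@contoso.example","True","fido2SecurityKey,microsoftAuthenticatorPush","True"
"Pat Plain","pat@contoso.example","False","email","False"
'@

# Kim has a non-telephony method registered and produces no finding.
$SampleCsv | ConvertFrom-Csv | Get-MfaAuditFinding | Sort-Object Finding | Format-Table -AutoSize
# Real run: Import-Csv -Path $CSVPath | Get-MfaAuditFinding
```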
