How to Check if All Azure Users Have MFA Enabled

Ensure Azure security by verifying that MFA is enabled for all users. Discover how to find and remove any non-compliant accounts step-by-step.

Patrick Londa
Author
Jun 5, 2023
 • 
4
 min read
Share this post

Multi-factor authentication (MFA) is a prominent security tool for organizations to confirm that only authorized users can access their Azure accounts.

If any Azure user doesn’t have MFA enabled, their account is more vulnerable and could pose a larger security risk to your organization. You can protect your organization by checking to see if any users do not have MFA enabled and instructing them to update their settings.

In this guide, we’ll show you how to find all Azure users without MFA enabled and notify them to update their security settings.

Checking If Any Azure Users Do Not Have MFA Enabled

If you want to do this manually, you can check the MFA status of your users with the Azure Console or the Azure PowerShell.

If you want to save time by automating this task, scroll down to see how you can do it with Blink.

Using the Azure Console Method:

You can use the Azure console to manually check whether a user has MFA enabled. This process involves going through each user’s account settings in the Azure portal and checking that MFA is enabled for each user.

Here are the console steps to see which Azure users do not have MFA enabled:

  1. Log in to the Azure portal as a Global administrator.
  2. From the portal, navigate to the Azure Active Directory blade.
  3. Select the Users option from the left menu and then select All users to view all the users in your Azure environment.
  4. Click on a user’s name and then select Manage User to check if a user has MFA enabled. Under Security info, you can view all the multi-factor authentication methods enabled for a user.
  5. If none of the multi-factor authentication methods are enabled, then the user does not have MFA enabled.
  6. Repeat this process for all users in your Azure environment.

Using the Azure PowerShell Method:

Compared to the Azure console method, the Azure PowerShell method allows you to directly get a list of all Azure users without MFA enabled. If you use PowerShell often, this method may be the easier approach.

Before you start, make sure that you have already installed the Microsoft Graph PowerShell SDK. You can find installation instructions here.

Here are the steps to find the status of all Azure users via the Microsoft Entra sign-ins report so you can enforce MFA compliance:

  1. First, you can get a list of all users who have registered for MFA by using the following command:
Get-MgUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null
-and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
  1. Next, you can get a list of all users who are not registered for MFA by running this PowerShell command:
Get-MgUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0
-and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
  1. For more details on the authentication methods for each user, you can run this command to export the information as a CSV file:
Get-MgUser -All | Select-Object
@{N='UserPrincipalName';E={$_.UserPrincipalName}},@{N='MFA Status';E={if
($_.StrongAuthenticationRequirements.State){$_.StrongAuthenticationRequirements.State}
else {"Disabled"}}},@{N='MFA Methods';E={$_.StrongAuthenticationMethods.methodtype}}
| Export-Csv -Path c:\MFA_Report.csv -NoTypeInformation

With these lists, you can then notify non-compliance employees and share the instructions for enabling MFA for their accounts.

Automate MFA Compliance Checks with Blink Copilot

While the above methods will let you find out whether Azure users have MFA enabled, they may be tedious and time-consuming, especially for larger organizations with hundreds or thousands of users.

Even when you have a list of all non-compliant users, you still have to manually notify them and follow-up to validate that they have enabled MFA for their accounts.

With Blink Copilot, you can just type a simple prompt to generate an automated workflow to handle this task.

 

This workflow automatically handles the following steps:

  1. Finds all users in Azure Active Directory who do not have MFA enabled.
  2. Lists all Azure users with insufficient security settings and add them to a new Jira ticket.
  3. Sends a notification with a link to the Jira ticket to the #Security Slack channel.

If you need different steps or actions to fit your organization's needs, just add them to your prompt. Blink has hundreds of native integrations and Blink Copilot has been trained to know how to convert text prompts into automated actions, with no coding needed. For example, you can schedule this check to run regularly or add actions to notify end users via Microsoft Teams or email instead of Slack.

Generate your own workflows from scratch (try it here!), or you can use pre-built automated workflows for common tasks from the Blink Library.

Get started with Blink today to see how easy automation can be.