As organizations embrace security best practices, enabling Multi-Factor Authentication (MFA) has become a critical requirement for securing access to applications and services. Microsoft provides multiple methods for MFA, one of the most commonly used being the Microsoft Authenticator app.
In this blog, we’ll walk through how to identify how many Entra IDs have MS Authenticator enabled within your Azure Active Directory environment.
Why is MS Authenticator Important?
Microsoft Authenticator is an application that generates time-based one-time passcodes (TOTP) and receives push notifications for authentication requests. It’s part of the MFA process, adding an additional layer of protection beyond passwords alone. Enabling MS Authenticator for users raises the level of security, especially against phishing, password spraying, and other types of cyber attacks.
Why Automate Identifying Entra IDs with MS Authenticator?
By automating the process of identifying users who have MS Authenticator enabled, administrators can:
- Monitor MFA Adoption: Ensure that users are leveraging multi-factor authentication.
- Compliance and Security Auditing: Stay compliant with organizational or regulatory security requirements.
- Troubleshooting and Reporting: Quickly identify and resolve MFA-related login issues.
The PowerShell Command to Identify Entra IDs with MS Authenticator
To identify Entra IDs that are using MS Authenticator for MFA, we will use PowerShell commands with either the AzureAD or MSOnline module.
Below are the two methods for identifying Entra IDs with MS Authenticator enabled:
Steps to List Users with MS Authenticator Enabled:
1. Install and Import the MSOnline Module (if not already done):
Install-Module -Name MSOnline
Import-Module MSOnline
2. Connect to Your MSOnline Instance:
Connect-MsolService
3. Run the Following Script to List Users with MS Authenticator Enabled:
$usersWithMSAuth = Get-MsolUser -All | Where-Object {
    # Skip sign-in-blocked accounts and keep only users whose registered strong
    # authentication methods include an Authenticator method (app push notification
    # or app OTP; MSOnline reports these as PhoneAppNotification and PhoneAppOTP).
    $_.BlockCredential -eq $false -and
    $_.StrongAuthenticationMethods -ne $null -and
    ($_.StrongAuthenticationMethods | Where-Object { $_.MethodType -match 'App(Notification|OTP)$' })
}
$usersWithMSAuth | Select-Object DisplayName, UserPrincipalName,
    @{ Name = 'Methods'; Expression = { $_.StrongAuthenticationMethods.MethodType -join ', ' } }
Explanation:
- Install and Import the MSOnline Module: This step ensures that the MSOnline module is available on your machine. If it’s already installed, the Import-Module command will load it into your session.
- Connect to MSOnline: This command establishes a connection to your Microsoft Online Services instance using your credentials.
- Script for Users with MS Authenticator Enabled: The PowerShell script filters out any blocked users ($_.BlockCredential -eq $false) and checks whether they have either MobileAppNotification or MobileAppOTP among their strong authentication methods. These are the methods used by Microsoft Authenticator.
- Display the Results: The command at the end, $usersWithMSAuth | Select DisplayName, UserPrincipalName, displays each user’s display name and principal name.
Alternate script to get users with MS Authenticator enabled.
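As an added example (not code from the original post), the following reusable function classifies each user's StrongAuthenticationMethods, flags whether Microsoft Authenticator is registered and whether it is the default method, and tallies adoption across active users. It assumes that each method object exposes MethodType and IsDefault as Get-MsolUser returns them; the New-SampleMethod and New-SampleUser helpers and the users they build are constructed stand-ins so the report can be tried without a tenant.

```powershell
# Added example, not code from the original post. Classifies each MSOnline user object
# by whether Microsoft Authenticator is registered, whether it is the default method,
# and tallies adoption. Assumes each StrongAuthenticationMethods entry exposes
# MethodType and IsDefault (as Get-MsolUser returns); the sample objects are constructed.
function Get-MsAuthenticatorReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # Drop a $null collection so an unenrolled user yields an empty list, not @($null).
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        # Authenticator shows up as an app push notification and/or app OTP (TOTP) method.
        $authPattern = 'App(Notification|OTP)$'
        $authMethods = @($methods | Where-Object { $_.MethodType -match $authPattern })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        [pscustomobject]@{
            UserPrincipalName      = $User.UserPrincipalName
            Blocked                = [bool]$User.BlockCredential
            HasAuthenticator       = $authMethods.Count -gt 0
            AuthenticatorIsDefault = [bool]($default -match $authPattern)
            Methods                = ($methods.MethodType -join ', ')
        }
    }
}

# Constructed sample data standing in for Get-MsolUser -All output (no tenant needed).
function New-SampleMethod([string]$Type, [bool]$IsDefault) {
    [pscustomobject]@{ MethodType = $Type; IsDefault = $IsDefault }
}
function New-SampleUser([string]$Upn, [bool]$Blocked, $Methods) {
    [pscustomobject]@{ UserPrincipalName = $Upn; BlockCredential = $Blocked; StrongAuthenticationMethods = $Methods }
}
$sampleUsers = @(
    New-SampleUser 'alice@example.com' $false @((New-SampleMethod 'PhoneAppNotification' $true), (New-SampleMethod 'PhoneAppOTP' $false))
    New-SampleUser 'bob@example.com'   $false @((New-SampleMethod 'OneWaySMS' $true))
    New-SampleUser 'carol@example.com' $false $null          # no MFA method registered
    New-SampleUser 'dave@example.com'  $true  @((New-SampleMethod 'PhoneAppOTP' $true))   # sign-in blocked
)

$report = $sampleUsers | Get-MsAuthenticatorReport
$report | Format-Table -AutoSize
$active   = @($report | Where-Object { -not $_.Blocked })
$withAuth = @($active | Where-Object { $_.HasAuthenticator })
$noMfa    = @($active | Where-Object { -not $_.Methods })
"{0} of {1} active users have Authenticator registered; {2} have no MFA method." -f $withAuth.Count, $active.Count, $noMfa.Count
# Against a live tenant, after Connect-MsolService:  Get-MsolUser -All | Get-MsAuthenticatorReport
```

MSOnline is a legacy module that Microsoft is retiring in favour of Microsoft Graph, so keeping the classification logic separate from the data source, as above, lets the same report be fed from the Graph authentication-methods data later.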
Conclusion
Identifying users with MS Authenticator enabled is an essential part of ensuring the security of your Azure AD environment. By automating this process with PowerShell, you can keep track of your organization’s MFA adoption, improve compliance, and ensure that users have the best security practices in place.
By regularly reviewing and automating this process, you will be able to improve security while keeping your environment streamlined and efficient.