In today’s rapidly evolving cybersecurity landscape, Multi-Factor Authentication (MFA) plays a pivotal role in securing user access to critical systems and data. While Azure Active Directory (now Entra ID) provides a robust and comprehensive MFA solution, ensuring that users are using the right authentication methods and tracking that data can be time-consuming without proper automation.
In this blog, we’ll explore what it means to identify users with phone-based MFA in Entra ID, why it’s important to automate this process, and how using PowerShell can significantly streamline the task.
Understanding Phone-based MFA in Entra ID
Phone-based MFA refers to the method of using a mobile phone or a phone number to authenticate users trying to access applications, services, or systems in Entra ID. This typically involves one of two methods:
- Phone App Notification: The user receives a push notification to their phone and must approve or deny the login attempt.
- Phone App OTP (One-Time Password): The user receives a temporary code (OTP) on their phone, which they must enter to complete the authentication.
While these are robust forms of authentication, not every user within an organization will necessarily have phone-based MFA set up. Additionally, some users may be using alternate authentication methods, such as hardware tokens or biometrics, while others may have not configured any form of MFA at all.
Based on my experience, phone-based MFA can cause issues with cross-tenant synchronization. Specifically, users who have phone-based MFA set up may face challenges in being provisioned to other tenants. The “NotInScope” and “NotEffectivelyEntitled” errors are often encountered during cross-tenant sync, preventing the proper provisioning of these users. This can cause delays and disrupt workflows, highlighting the importance of understanding and monitoring the MFA configurations of users across tenants.
Why Track Active Users with Phone-based MFA?
Ensuring that the right users are utilizing MFA, especially phone-based methods, is a key component of maintaining a secure environment. Here are a few reasons why tracking active users with phone-based MFA is crucial for your organization:
- Enhanced Security: With the rise of phishing attacks and data breaches, enforcing MFA provides an additional layer of security, ensuring that even if a user’s password is compromised, unauthorized access is still blocked. Phone-based MFA is one of the most secure forms of two-factor authentication.
- Compliance: Many organizations are bound by regulatory requirements, such as GDPR or HIPAA, that mandate MFA for accessing sensitive data. By ensuring that active users have MFA set up, especially phone-based methods, you can stay compliant with industry standards.
- User Experience: Simplified user access can lead to fewer friction points in daily workflows. With phone-based MFA, users can easily authenticate themselves without needing complicated hardware setups. Tracking and reporting on these users ensures that your organization stays on top of who’s set up and using MFA.
- Auditing and Reporting: Having visibility into the MFA status of your users is important for security auditing. Automated reporting ensures you’re not missing any critical configurations, and it can highlight any gaps that need addressing.
- Efficiency: Manual checks for MFA statuses and configurations can be tedious, especially for larger organizations with hundreds or thousands of users. By automating this process, you free up time for other essential tasks.
Automating the MFA Reporting Process in Entra ID
Manual auditing of MFA configurations can be error-prone, especially when done across large environments with multiple users. Automating the process not only improves accuracy but also ensures that the task is completed consistently.
PowerShell provides a simple yet powerful solution for automating the reporting of active users who have phone-based MFA enabled in Entra ID. Here is how you can automate this process using PowerShell:
Using the AzureAD Module:

    # Connect to Azure AD (the AzureAD module is retired; Microsoft Graph PowerShell is the supported replacement)
    Connect-AzureAD

    # NOTE: the AzureAD module ships no Get-AzureADUserMFA cmdlet and does not expose per-user MFA methods;
    # this block assumes such a cmdlet exists and returns a .Methods collection whose items carry a MethodType.
    # The inner pipeline must be parenthesised: without the parentheses the result of -and itself would be
    # piped into Where-Object and the filter would never match a user.
    # Get the list of enabled users with a phone-based MFA method registered
    $usersWithPhoneMFA = Get-AzureADUser -All $true | Where-Object {
        $_.AccountEnabled -eq $true -and
        (
            (Get-AzureADUserMFA -ObjectId $_.ObjectId).Methods |
                Where-Object { $_.MethodType -in @('PhoneAppNotification', 'PhoneAppOTP') }
        )
    }

    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName
Using the MSOnline Module:

    # Connect to MSOnline (the MSOnline module is also retired; Microsoft Graph PowerShell is the supported replacement)
    Connect-MsolService

    # Get the list of active users with a phone-based MFA method registered.
    # StrongAuthenticationMethods lists every registered method; its MethodType values include
    # PhoneAppNotification (Authenticator push approval) and PhoneAppOTP (Authenticator one-time code).
    # BlockCredential -eq $false keeps only accounts whose sign-in is not blocked.
    $usersWithPhoneMFA = Get-MsolUser -All | Where-Object {
        $_.BlockCredential -eq $false -and
        (
            $_.StrongAuthenticationMethods.MethodType -contains 'PhoneAppNotification' -or
            $_.StrongAuthenticationMethods.MethodType -contains 'PhoneAppOTP'
        )
    }

    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName
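Using the Microsoft Graph PowerShell SDK:

Both blocks above depend on modules that Microsoft has retired, so as an added example (not code from the original post) here is the same report built on the Microsoft Graph PowerShell SDK, which is the supported way to read a user's registered authentication methods today. It goes slightly beyond the two blocks above: besides listing enabled users with a phone-based method, it also flags enabled users with no MFA method registered at all, the gap mentioned earlier in the post. The mapping from the MSOnline names PhoneAppNotification/PhoneAppOTP to the Graph method types is my reading of the Graph documentation (Authenticator push is microsoftAuthenticatorAuthenticationMethod, app codes are registered as softwareOathAuthenticationMethod, SMS and voice as phoneAuthenticationMethod), and the CSV output path is a placeholder.

```powershell
# Added example, not the original post's code. Requires the Microsoft.Graph.Users and
# Microsoft.Graph.Identity.SignIns modules (Install-Module Microsoft.Graph).

# Delegated permissions needed to list users and read their registered authentication methods
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Graph @odata.type values treated as phone-based (assumed mapping, see lead-in):
#   microsoftAuthenticatorAuthenticationMethod -> Authenticator app push approval (PhoneAppNotification)
#   softwareOathAuthenticationMethod           -> OATH TOTP code, e.g. the Authenticator app code (PhoneAppOTP)
#   phoneAuthenticationMethod                  -> SMS or voice call to a phone number
$phoneMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)
# Every cloud user has a password method registered; it is not a second factor, so it is excluded when
# deciding whether a user has any MFA method at all
$nonMfaTypes = @('#microsoft.graph.passwordAuthenticationMethod')

$reportPath = 'C:\Reports\PhoneMfaUsers.csv'   # placeholder path, adjust for your environment

# Only enabled accounts, and only the properties the report needs
$users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, DisplayName, UserPrincipalName

$report = foreach ($user in $users) {
    try {
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop
    } catch {
        # A single failing user (e.g. a transient Graph error) should not abort the whole report
        Write-Warning "Could not read methods for $($user.UserPrincipalName): $($_.Exception.Message)"
        continue
    }

    # The concrete method type is carried in the @odata.type entry of AdditionalProperties
    $types      = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $mfaTypes   = @($types | Where-Object { $_ -notin $nonMfaTypes })
    $phoneTypes = @($types | Where-Object { $_ -in $phoneMethodTypes })

    [pscustomobject]@{
        DisplayName       = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        HasPhoneMfa       = $phoneTypes.Count -gt 0
        HasAnyMfa         = $mfaTypes.Count -gt 0
        PhoneMethods      = ($phoneTypes -replace '^#microsoft\.graph\.', '') -join ';'
        AllMethods        = ($types -replace '^#microsoft\.graph\.', '') -join ';'
    }
}

# Enabled users with a phone-based MFA method (the report this post is about)
$report | Where-Object HasPhoneMfa | Select-Object DisplayName, UserPrincipalName, PhoneMethods

# Enabled users with no MFA method registered at all: the gap that most needs follow-up
$report | Where-Object { -not $_.HasAnyMfa } | Select-Object DisplayName, UserPrincipalName

# Keep the full per-user method inventory for auditing
$report | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
```

Get-MgUserAuthenticationMethod is one request per user, so for large tenants expect the run to take a while and consider scheduling it rather than running it interactively; the CSV keeps every registered method per user so the same output also answers follow-up questions about users relying on SMS or voice alone.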
Why Automate This Process?
Automating the reporting of active users with phone-based MFA brings a multitude of benefits:
- Time-Saving: Automation allows you to quickly run reports and receive accurate information, which can otherwise take hours when done manually.
- Real-Time Visibility: With automation, you get updated data at any time, helping you respond to potential security risks in real-time.
- Scalability: Whether you have 10 or 10,000 users, automation ensures that the process scales to match your organization’s size without increasing the workload.
- Accuracy: The automation removes the risk of human error, ensuring that the right users are being reported and that configurations are accurate.
Conclusion
Tracking active users with phone-based MFA is essential to maintaining security and compliance within your organization. By automating this process with PowerShell, you can save valuable time, improve reporting accuracy, and make better, data-driven decisions regarding your organization’s security posture.
Automating these tasks also prepares your organization to scale efficiently and ensures that all users are adhering to the security standards you’ve set.
If you haven’t yet automated your MFA reporting process, consider implementing a PowerShell solution and integrate it into your IT operations today. It’s a small investment that will yield significant improvements in both security and efficiency.