Quickly Assess Azure MFA use in your Organization

By Chris Blackburn

Microsoft recently released a very helpful script that allows Administrators looking to roll out Azure MFA to their organization with a easy-to-read output that can aid in assessing status, or even recommendations to enhance their use of the technology.

https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/

Below is a sample output

mfa02

Here are some common “Recommendations” from the script

  • ‘Register for MFA, preferably with the Microsoft Authenticator mobile app and also with a phone number, used for SMS or Voice.’
  • ‘Consider adding an alternative phone number for additional resilience.’
  • ‘Consider setting the Microsoft Authenticator mobile app as the default method.’
  • ‘Register at least another authentication method, preferably the Microsoft Authenticator mobile app or hardware OATH token. A user can have up to five hardware OATH tokens or mobile apps registered.’
  • ‘Consider adding an alternative phone number for additional resilience.’

Implementation

Download the ZIP file from the Microsoft website.

https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/

Run the following Powershell commands to Authenticate to your tenant and run the commands

Import-Module MSONLINE

Connect-MSOLService

$TenantID = ($skus.AccountObjectID[0]).GUID

.\MfaAuthMethodAnalysis.ps1 –tenantID $TenantID -Location -CsvOutput –Verbose

You’ll may see the following error:

mfa01

If this occurs, you will need the MSONLINE module, and may need to update as I had to do by running the following Powershell command:

Update-Module MSONLINE

mfa03

Once updated, try running the command again and you should see the process fire off and save a file in the directory of the script in the format MfaAuthMethodAnalysis_<date>_<time>.csv

mfa04

This is WAY easier than using the GUI in Azure Active Directory, and allows you to do some sort again the data for taking action, automation, etc.

 

Share your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

css.php