If you’ve deployed multifactor authentication (MFA) at an enterprise scale, you’ll know it can be fraught with challenges. You may need to deploy to individual departments, or perhaps take a phased approach and deploy in traches. However you end up deciding to do your MFA rollout, you will likely need to specify a target group, and you’ll want to retrieve registration percentage information for this group.
I found this to be quite a lot easier with the old Azure PowerShell modules than the new Microsoft Graph one. But, then I had to use two modules to do so. And, I am expecting that those will become deprecated sooner than later. Graph is Microsoft’s clear path forward, so I have opted to use it instead.
Here is the PowerShell script I put together that uses Microsoft’s Graph Beta Endpoint features to build a hashtable of userPrincipalNames and a corresponding boolean value for whether they had the “microsoftAuthenticator” authentication method specified. From this, I then derive the MFA registration percentage. I have intentionally written this so that the output it is very flexible, and, being a hashtable, performance-minded. For instance, it would be very fast and easy to call upon the hashtable to send an email to all users within your target group that have not yet registered for MFA. I am not thrilled with the query performance; because of the repeated calls to the Graph API, it is slower than I would like. It seems Microsoft must have some fairly restrictive rate limits in place. There is the possibility of chunking users and doing fewer API calls, but I did not work that out.
Here is the link to the script on my GitHub:
https://github.com/p8nflnt/Cloud-Toolbox/blob/main/azure/Get-AzGroupAuthMethodsHT.ps1
And here is the script:
<#
.SYNOPSIS
Use the Microsoft Graph beta endpoint to generate a hashtable of
userPrincipalNames within a group and a corresponding boolean value for
whether they have the "microsoftAuthenticator" auth method specified.
.NOTES
Name: Get-AzGroupAuthMethodHT
Author: Payton Flint
Version: 1.0
DateCreated: 2024-Nov
.LINK
https://github.com/p8nflnt/Cloud-Toolbox/blob/main/azure/Get-AzGroupAuthMethodsHT.ps1
Azure – Get Group MFA Registration Info
#>
function Get-AzGroupAuthMethodsHT {
param (
[string]$GroupName
)
# connect to microsoft graph with required scopes
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All" -ErrorAction Stop
# get group ID by name
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
Write-Output "Group '$GroupName' not found."
return $null
}
# get all group members
$groupMembers = Get-MgGroupMember -GroupId $Group.Id -All
# initialization for loop
$userDetails = @{}
$i = 0
foreach ($user in $groupMembers) {
# define uri for the beta endpoint
$uri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/methods"
# increment count
$i++
try {
# get user auth methods via beta endpoint
$authUser = Invoke-MgGraphRequest -Uri $uri -Method GET
# print status to console
Write-Host "$i of $($groupMembers.count) - Retrieved authentication methods - $($user.AdditionalProperties['userPrincipalName'])"
# detect if "microsoftAuthenticator" is in the authentication methods
$authMethod = $authUser.Values.Values -contains "microsoftAuthenticator"
# add upn as key & bool authMethod to hashtable
$userDetails[$user.AdditionalProperties["userPrincipalName"]] = $authMethod
} catch {
Write-Host "Failed to retrieve authentication methods for user $($user.Id)"
}
}
# return hashtable
return $userDetails
}
# specify group name and invoke function
$groupName = "<GROUP NAME>"
$groupAuthHT = Get-AzGroupAuthMethodsHT -GroupName $groupName
# calculate percentage from hashtable
if ($groupAuthHT) {
$mfaUsersCount = ($groupAuthHT.Values | Where-Object { $_ -eq $True }).Count
$percentage = "{0:N2}" -f (($mfaUsersCount / $groupAuthHT.Keys.Count) * 100) + '%'
Write-Host "$mfaUsersCount out of $($groupAuthHT.Keys.Count), or $percentage of users in $groupName have an authentication method specified."
}