Identify Admins With MFA Enabled Using Microsoft Graph PowerShell

Monitoring which Microsoft 365 administrators have completed MFA registration is one of the most important identity-security practices. This script retrieves all admin accounts in the tenant, checks which of them have at least one registered MFA authentication method, prepares a clean report, and emails it to the administrator.


1. The Script

# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All"

# Fetch a Graph collection and follow @odata.nextLink, so that a role with more
# members than fit in one page (100 by default) is not silently truncated.
function Get-GraphCollection {
    param([Parameter(Mandatory)] [string] $Uri)
    $items = @()
    do {
        $response = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $response.value
        $Uri = $response.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# directoryRoles only returns roles that have been activated in the tenant
$roles = Get-GraphCollection -Uri "v1.0/directoryRoles"
$MfaEnabledAdminsMap = @{}

# Method types that do not provide a second factor for sign-in: every user has a
# password, and the email method only serves self-service password reset.
# Counting them would mark every admin as MFA-enabled.
$NonMfaMethodTypes = @(
    "#microsoft.graph.passwordAuthenticationMethod",
    "#microsoft.graph.emailAuthenticationMethod"
)

foreach ($role in $roles) {
    $roleId = $role.id
    $roleName = $role.displayName

    try {
        $members = Get-GraphCollection -Uri "v1.0/directoryRoles/$roleId/members"
    }
    catch {
        Write-Warning "Could not read members of role '$roleName': $($_.Exception.Message)"
        continue
    }

    foreach ($member in $members) {
        # Groups and service principals have no userPrincipalName; keep user objects only
        if (-not $member.userPrincipalName) { continue }

        $userId = $member.id
        $upn = $member.userPrincipalName

        try {
            $auth = Get-MgUserAuthenticationMethod -UserId $userId
        }
        catch {
            Write-Warning "Could not read authentication methods for '$upn': $($_.Exception.Message)"
            continue
        }

        # Keep only registered method types that count as MFA, and shorten the
        # "#microsoft.graph.xxxAuthenticationMethod" type names for the report
        $mfaMethods = @($auth | ForEach-Object { $_.AdditionalProperties.'@odata.type' } |
            Where-Object { $_ -and ($NonMfaMethodTypes -notcontains $_) } |
            ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '' } |
            Sort-Object -Unique)

        if ($mfaMethods.Count -gt 0) {
            if (-not $MfaEnabledAdminsMap.ContainsKey($upn)) {
                $MfaEnabledAdminsMap[$upn] = @{
                    DisplayName       = $member.displayName
                    UserPrincipalName = $upn
                    Roles             = @($roleName)
                    AuthMethods       = ($mfaMethods -join ", ")
                }
            }
            else {
                # The same admin holds several roles: append the role instead of adding a duplicate row
                $MfaEnabledAdminsMap[$upn].Roles += $roleName
            }
        }
    }
}

$MfaEnabledAdmins = $MfaEnabledAdminsMap.Values | ForEach-Object {
    [PSCustomObject]@{
        "Admin Name"          = $_.DisplayName
        "User Principal Name" = $_.UserPrincipalName
        "Admin Roles"         = ($_.Roles -join ", ")
        "MFA Methods"         = $_.AuthMethods
    }
} | Sort-Object "User Principal Name"

$OutputPath = "C:\Reports\MFAEnabledAdmins.csv"
# Export-Csv does not create the folder, so make sure it exists first
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutputPath) -Force
$MfaEnabledAdmins | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

$From = "no-reply@yourtenant.com"
$To = "admin@yourtenant.com"
$Subject = "Report – Admin Accounts With MFA Enabled"
$Body = "Attached is the latest report of admin users who have MFA enabled."

# Send-MailMessage relies on SMTP basic authentication; see section 4 if the tenant blocks it
Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -Attachments $OutputPath -SmtpServer "smtp.office365.com" -UseSsl -Port 587 -Credential (Get-Credential)
2. How the Script Works

  Step 1: Connect to Microsoft Graph
  The script connects with the required scopes to read directory roles and authentication methods.

  Step 2: Retrieve all activated directory roles
  Only active roles (Global Admin, Security Admin, Helpdesk Admin, etc.) are fetched using:

    GET v1.0/directoryRoles

  Step 3: Identify user members for each role
  The script queries each role's /members endpoint and keeps only user objects; members without a userPrincipalName (groups and service principals) are skipped.

  Step 4: Check MFA registration for each admin
  The script determines whether MFA is enabled from the methods registered in the user's authenticationMethods collection, for example:

    • Phone authentication methods
    • Authenticator app
    • FIDO2 keys
    • Temporary Access Pass

  If the user has at least one registered method other than the password method (which every user has), they are considered MFA-enabled.

  Step 5: Generate a structured report
  For each MFA-enabled admin, the script logs:

    • Name
    • UPN
    • Assigned roles
    • MFA method types

  Step 6: Email the CSV report to the administrator
  The completed report is exported to CSV and sent via SMTP.
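Step 4 is where the report's correctness is decided, so here is an added example (not part of the original script) that classifies the objects returned by Get-MgUserAuthenticationMethod for one user. It separates methods that count as MFA from the password and email entries that every account or SSPR user carries, and additionally records whether a phishing-resistant method is registered or only a weak SMS/voice one. The @odata.type strings are the real Microsoft Graph authentication method types; the catalog, the function name and the sample input are constructed for this example, so it runs offline without a tenant.

```powershell
# Added example: classify one user's registered authentication methods.
# Method types are real Graph types; catalog, function and sample data are constructed here.

# Map each Graph method type to a friendly name and a strength class.
# "None" methods are present for every user (password) or only serve SSPR (email).
$MethodCatalog = @{
    '#microsoft.graph.passwordAuthenticationMethod'                = @{ Name = 'Password';                   Class = 'None' }
    '#microsoft.graph.emailAuthenticationMethod'                   = @{ Name = 'Email (SSPR only)';          Class = 'None' }
    '#microsoft.graph.phoneAuthenticationMethod'                   = @{ Name = 'Phone (SMS/voice)';          Class = 'Weak' }
    '#microsoft.graph.softwareOathAuthenticationMethod'            = @{ Name = 'Software OATH token';        Class = 'Strong' }
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = @{ Name = 'Microsoft Authenticator';    Class = 'Strong' }
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = @{ Name = 'Temporary Access Pass';      Class = 'Strong' }
    '#microsoft.graph.fido2AuthenticationMethod'                   = @{ Name = 'FIDO2 security key';         Class = 'PhishingResistant' }
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = @{ Name = 'Windows Hello for Business'; Class = 'PhishingResistant' }
}

function Get-MfaRegistrationSummary {
    # Takes the method objects for one user (shape of Get-MgUserAuthenticationMethod output)
    # and returns one summary row for the report.
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Methods
    )

    $registered = foreach ($m in $Methods) {
        $type = $m.AdditionalProperties.'@odata.type'
        if (-not $type) { continue }
        $entry = $MethodCatalog[$type]
        # Method types added to Graph later are reported as Unknown rather than silently dropped
        if (-not $entry) { $entry = @{ Name = $type; Class = 'Unknown' } }
        [PSCustomObject]@{ Type = $type; Name = $entry.Name; Class = $entry.Class }
    }

    $mfa = @($registered | Where-Object { $_.Class -ne 'None' })

    [PSCustomObject]@{
        UserPrincipalName = $UserPrincipalName
        MfaRegistered     = ($mfa.Count -gt 0)
        PhishingResistant = (@($mfa | Where-Object { $_.Class -eq 'PhishingResistant' }).Count -gt 0)
        WeakMethodOnly    = ($mfa.Count -gt 0 -and @($mfa | Where-Object { $_.Class -ne 'Weak' }).Count -eq 0)
        MfaMethods        = (@($mfa.Name | Sort-Object -Unique) -join ', ')
    }
}

# Constructed sample input shaped like the SDK objects (AdditionalProperties carries @odata.type)
$sampleMethods = @{
    'password-only@contoso.example' = @(
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } }
    )
    'sms-admin@contoso.example' = @(
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } },
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.phoneAuthenticationMethod' } }
    )
    'fido-admin@contoso.example' = @(
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } },
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.fido2AuthenticationMethod' } },
        [PSCustomObject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' } }
    )
}

$summary = foreach ($upn in $sampleMethods.Keys) {
    Get-MfaRegistrationSummary -UserPrincipalName $upn -Methods $sampleMethods[$upn]
}
$summary | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Against a live tenant, pass (Get-MgUserAuthenticationMethod -UserId $userId) as -Methods.
```

In the constructed data the password-only account comes out with MfaRegistered = False, the SMS account with MfaRegistered = True but WeakMethodOnly = True, and the FIDO2 account with PhishingResistant = True. Those two extra columns are what turn the report from "has something registered" into a view of how strong each admin's second factor actually is.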


3. Further Enhancements

You can extend this script to:

  • Include additional MFA details, for example:
    • Phone number
    • Authenticator device details
    • FIDO2 key model
  • Add a "Last Password Change" timestamp, useful for detecting stale accounts.
  • Flag privileged roles separately, for example:
    • Global Administrator
    • Privileged Role Administrator
    • Security Administrator
  • Send the report automatically via a scheduled task, allowing daily or weekly automated delivery.
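Two of these enhancements, flagging highly privileged roles and adding a "Last Password Change" column, can be implemented as small functions applied to the rows the script already builds. The following is an added example, not part of the original script: the role display names are real Entra ID built-in roles, and lastPasswordChangeDateTime is a real user property readable with Get-MgUser -Property lastPasswordChangeDateTime; the $HighlyPrivilegedRoles list, the function names, the 90-day threshold and the sample rows are choices made for this example so that it runs offline.

```powershell
# Added example: privilege flag and password-age columns for the admin report.
# Role names and the Graph property are real; list, thresholds, functions and sample rows are constructed.

# Roles whose holders can take over the tenant; keep this list under change control.
$HighlyPrivilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Security Administrator'
)

function Add-PrivilegeFlag {
    # $RoleNames: the admin's roles as an array (the script keeps them in .Roles before joining)
    param([Parameter(Mandatory)] [string[]] $RoleNames)
    $hits = @($RoleNames | Where-Object { $HighlyPrivilegedRoles -contains $_ })
    [PSCustomObject]@{
        IsHighlyPrivileged = ($hits.Count -gt 0)
        PrivilegedRoles    = ($hits -join ', ')
    }
}

function Get-PasswordAgeDays {
    # lastPasswordChangeDateTime can be null for accounts that never changed their password in Entra ID
    param(
        [AllowNull()] [Nullable[datetime]] $LastPasswordChange,
        [datetime] $Now = (Get-Date)
    )
    if ($null -eq $LastPasswordChange) { return $null }
    return [int][math]::Floor(($Now - $LastPasswordChange).TotalDays)
}

function Add-ReportColumns {
    param(
        # Objects with UserPrincipalName, Roles (array) and LastPasswordChange
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $StalePasswordDays = 90
    )
    foreach ($row in $Rows) {
        $priv = Add-PrivilegeFlag -RoleNames $row.Roles
        $age  = Get-PasswordAgeDays -LastPasswordChange $row.LastPasswordChange
        [PSCustomObject]@{
            'User Principal Name'  = $row.UserPrincipalName
            'Admin Roles'          = ($row.Roles -join ', ')
            'Highly Privileged'    = $priv.IsHighlyPrivileged
            'Privileged Roles'     = $priv.PrivilegedRoles
            'Last Password Change' = $row.LastPasswordChange
            'Password Age (days)'  = $age
            # An unknown change date is treated as stale so it is reviewed rather than ignored
            'Stale Password'       = ($null -eq $age -or $age -gt $StalePasswordDays)
        }
    }
}

# Constructed sample rows. In the script, Roles comes from $MfaEnabledAdminsMap[$upn].Roles and
# LastPasswordChange from (Get-MgUser -UserId $userId -Property lastPasswordChangeDateTime).LastPasswordChangeDateTime
$sampleRows = @(
    [PSCustomObject]@{ UserPrincipalName = 'ga@contoso.example';   Roles = @('Global Administrator', 'Exchange Administrator'); LastPasswordChange = (Get-Date).AddDays(-400) }
    [PSCustomObject]@{ UserPrincipalName = 'help@contoso.example'; Roles = @('Helpdesk Administrator');                          LastPasswordChange = (Get-Date).AddDays(-10) }
    [PSCustomObject]@{ UserPrincipalName = 'sec@contoso.example';  Roles = @('Security Administrator');                          LastPasswordChange = $null }
)

Add-ReportColumns -Rows $sampleRows | Format-Table -AutoSize
```

For the scheduled-delivery enhancement, the script file can be registered with the built-in ScheduledTasks cmdlets (New-ScheduledTaskAction pointing at pwsh.exe with -File, New-ScheduledTaskTrigger -Daily or -Weekly, then Register-ScheduledTask); in that case replace the interactive Get-Credential and Connect-MgGraph prompts with a stored credential or an app registration, since an unattended task cannot answer prompts.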


4. Possible Errors & Solutions

Error: accessDenied when calling authentication methods
Cause: Missing API permissions.
Solution: Ensure all of these delegated permissions are granted:
  • Directory.Read.All
  • User.Read.All
  • AuditLog.Read.All
  • UserAuthenticationMethod.Read.All
Then re-run:
Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All"

Error: Blank CSV file
Cause: No admins have registered MFA methods.
Solution: Ensure users have completed the MFA setup, not just been assigned a policy.

Error: SMTP authentication failures
Cause: Modern authentication required.
Solution: Use an app password or certificate-based SMTP auth if basic auth is blocked.
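The accessDenied case is easier to diagnose if the script checks its consented scopes before it starts looping over roles. The following pre-flight check is an added example, not part of the original article: Get-MgContext and its Scopes property are real Microsoft Graph PowerShell SDK members, while Test-RequiredGraphScope and the constructed, deliberately incomplete consent set are made up for this example so the offline part runs without a session.

```powershell
# Added example: fail fast with a clear message when the Graph session lacks a required
# delegated scope. Get-MgContext is a real SDK cmdlet; the function is constructed here.

$RequiredScopes = @(
    'Directory.Read.All',
    'User.Read.All',
    'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All'
)

function Test-RequiredGraphScope {
    # $GrantedScopes defaults to the live session's scopes; pass an array to check offline.
    # With no session, Get-MgContext returns $null and every scope is reported as missing.
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        [AllowNull()] [string[]] $GrantedScopes = (Get-MgContext).Scopes
    )
    $missing = @($Required | Where-Object { $GrantedScopes -notcontains $_ })
    [PSCustomObject]@{
        Satisfied = ($missing.Count -eq 0)
        Missing   = $missing
    }
}

# Offline check against a constructed consent set that lacks two of the four scopes
$offline = Test-RequiredGraphScope -Required $RequiredScopes -GrantedScopes @('Directory.Read.All', 'User.Read.All')
$offline | Format-List

# Live use at the top of the script: reconnect with the full set if anything is missing,
# instead of discovering accessDenied on the first Get-MgUserAuthenticationMethod call.
$live = Test-RequiredGraphScope -Required $RequiredScopes
if (-not $live.Satisfied) {
    Write-Warning "Missing Graph scopes: $($live.Missing -join ', '). Reconnecting with the full set."
    Connect-MgGraph -Scopes $RequiredScopes
}
```

Note that Connect-MgGraph only adds scopes that an administrator has consented to for the Microsoft Graph PowerShell application; if consent itself was never granted, the reconnect will prompt for it or fail, which is the "missing API permissions" case in the table above.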


5. Conclusion

This script gives administrators complete visibility into which privileged accounts have fully registered MFA methods, a critical element for maintaining a secure Microsoft 365 environment. By automating this report and emailing it regularly, IT teams can ensure ongoing compliance, minimize identity risk, and quickly detect any gaps in MFA enrollment among admin users.



© m365corner.com. All Rights Reserved. Design by HTML Codex