[GH-ISSUE #1217] [Feature Request]: Retrieve MFA Authentication Phone Number, islicensed in MFA Report #678

Closed
opened 2026-03-02 12:44:17 +03:00 by kerem · 2 comments
Owner

Originally created by @ZNL-BKA on GitHub (Nov 14, 2022).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1217

Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.

Using get-msoluser -StrongAuthenticationUserDetails.PhoneNumber and -islicensed command normally used in PowerShell scripts.

With over 200 tenants, it would be really beneficial to be able to quickly export this info to CSV for further manipulation, and at a glance review most user MFA details.

I hope that this would benefit other MSPs from having to connect to each tenant and run a script for each to retrieve these, making the process a little faster when reporting.

PowerShell commands you would normally use to achieve above request

```powershell
Write-Host "Finding Azure Active Directory Accounts..."
# Member accounts only; guests are excluded from the report
$Users = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
$Report = [System.Collections.Generic.List[Object]]::new() # Collects one report line per user
Write-Host "Processing" $Users.Count "accounts..."
ForEach ($User in $Users) {

    # Default MFA method, registered phone number and licence state
    $MFADefaultMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq "True" }).MethodType
    $MFAPhoneNumber = $User.StrongAuthenticationUserDetails.PhoneNumber
    $IsLicensed = $User.IsLicensed
    # Upper-case "SMTP:" marks the primary address, lower-case "smtp:" marks aliases
    $PrimarySMTP = $User.ProxyAddresses | Where-Object { $_ -clike "SMTP*" } | ForEach-Object { $_ -replace "SMTP:", "" }
    $Aliases = $User.ProxyAddresses | Where-Object { $_ -clike "smtp*" } | ForEach-Object { $_ -replace "smtp:", "" }

    # No StrongAuthenticationRequirements entry means per-user MFA is disabled
    If ($User.StrongAuthenticationRequirements) {
        $MFAState = $User.StrongAuthenticationRequirements.State
    }
    Else {
        $MFAState = 'Disabled'
    }

    # Translate the method type into a readable label
    If ($MFADefaultMethod) {
        Switch ($MFADefaultMethod) {
            "OneWaySMS" { $MFADefaultMethod = "Text code authentication phone" }
            "TwoWayVoiceMobile" { $MFADefaultMethod = "Call authentication phone" }
            "TwoWayVoiceOffice" { $MFADefaultMethod = "Call office phone" }
            "PhoneAppOTP" { $MFADefaultMethod = "Authenticator app or hardware token" }
            "PhoneAppNotification" { $MFADefaultMethod = "Microsoft authenticator app" }
        }
    }
    Else {
        $MFADefaultMethod = "Not enabled"
    }

    $ReportLine = [PSCustomObject] @{
        UserPrincipalName = $User.UserPrincipalName
        DisplayName       = $User.DisplayName
        IsLicensed        = $IsLicensed
        MFAState          = $MFAState
        MFADefaultMethod  = $MFADefaultMethod
        MFAPhoneNumber    = $MFAPhoneNumber
        PrimarySMTP       = ($PrimarySMTP -join ',')
        Aliases           = ($Aliases -join ',')
    }

    $Report.Add($ReportLine)

}

# Show the report in a grid view, then write it to CSV
$Report | Select-Object UserPrincipalName, DisplayName, IsLicensed, MFAState, MFADefaultMethod, MFAPhoneNumber, PrimarySMTP, Aliases | Sort-Object UserPrincipalName | Out-GridView
$Report | Sort-Object UserPrincipalName | Export-CSV -Encoding UTF8 -NoTypeInformation c:\temp\MFAUsers.csv
Write-Host "Report is in c:\temp\MFAUsers.csv"
```


@github-actions[bot] commented on GitHub (Nov 14, 2022):

Thank you for creating a feature request!
Your current priority is set to "No Priority". No Priority Feature requests automatically get closed in two days if a contributor does not accept the FR.

If you are a sponsor you can request an upgrade of priority. To upgrade the priority type "I would like to upgrade the priority".
If you want this feature to be integrated you can always do this yourself by checking out our contributions guide at https://cipp.app/docs/dev/. Contributors to the CIPP project reserve the right to close feature requests at will.
If you'd like this feature request to be assigned to you, please comment "I would like to work on this please!".


@KelvinTegelaar commented on GitHub (Nov 16, 2022):

We're not adding phone numbers as phone-based challenges are insecure, and this would only benefit the propagation of this. We've added the Licensed user field.
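
The reliance on phone-based methods that the comment above objects to can be reported without exporting any phone numbers. The following is an added example, not CIPP code and not written by anyone in this thread; `Get-MfaMethodExposure`, `New-SampleUser` and the sample users are hypothetical, and the sample objects only mimic the `Get-MsolUser` properties used in the script earlier in the issue.

```powershell
# Added example. MethodType values are the ones listed in the issue's script.
$PhoneBasedMethods = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice'

function Get-MfaMethodExposure {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $User)
    process {
        # Drop $null so a user with no registered methods yields an empty array
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        $phone   = @($methods | Where-Object { $_.MethodType -in $PhoneBasedMethods })
        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            IsLicensed        = [bool]$User.IsLicensed
            DefaultMethod     = if ($default) { $default } else { 'None' }
            PhoneIsDefault    = $default -in $PhoneBasedMethods
            PhoneRegistered   = $phone.Count -gt 0
            # Only phone methods registered: the user has no app or token to fall back on
            PhoneOnly         = ($methods.Count -gt 0) -and ($phone.Count -eq $methods.Count)
        }
    }
}

# Constructed sample input (hypothetical helper, no tenant connection needed)
function New-SampleUser($Upn, $Licensed, [string[]]$Methods, $Default) {
    [PSCustomObject]@{
        UserPrincipalName           = $Upn
        IsLicensed                  = $Licensed
        StrongAuthenticationMethods = @($Methods | ForEach-Object {
                [PSCustomObject]@{ MethodType = $_; IsDefault = ($_ -eq $Default) } })
    }
}

$sample = @(
    New-SampleUser 'alice@example.com' $true  @('OneWaySMS') 'OneWaySMS'
    New-SampleUser 'bob@example.com'   $true  @('PhoneAppNotification', 'OneWaySMS') 'PhoneAppNotification'
    New-SampleUser 'carol@example.com' $true  @('PhoneAppOTP') 'PhoneAppOTP'
    New-SampleUser 'dave@example.com'  $false @() $null
)

$report = $sample | Get-MfaMethodExposure
$report | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Per-tenant summary: how many users depend on, or still have, a phone method
[PSCustomObject]@{
    Users           = @($report).Count
    PhoneIsDefault  = @($report | Where-Object PhoneIsDefault).Count
    PhoneOnly       = @($report | Where-Object PhoneOnly).Count
    PhoneRegistered = @($report | Where-Object PhoneRegistered).Count
}
```

`PhoneRegistered` without `PhoneIsDefault` (the second sample user) marks accounts where a phone method remains available as a fallback even though an app is the default.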
