How to Check if All Azure Users Have MFA Enabled

If your organization is using multi-factor authentication to secure your Azure account, it's important that all users have this security setting enabled. In this guide, we'll show you how to find any users without MFA enabled.

Patrick Londa, Author · Jun 5, 2023 · 4 min read

Multi-factor authentication (MFA) is a prominent security tool for organizations to confirm that only authorized users can access their Azure accounts.

If any Azure user doesn’t have MFA enabled, their account is more vulnerable and could pose a larger security risk to your organization. You can protect your organization by checking to see if any users do not have MFA enabled and instructing them to update their settings.

In this guide, we’ll show you how to find all Azure users without MFA enabled and notify them to update their security settings.

Checking If Any Azure Users Do Not Have MFA Enabled

If you want to do this manually, you can check the MFA status of your users with the Azure Console or the Azure CLI.

If you want to save time by automating this task, scroll down to see how you can do it with Blink.

Using the Azure Console Method:

You can use the Azure console to manually check whether a user has MFA enabled. This process involves going through each user’s account settings in the Azure portal and checking that MFA is enabled for each user.

Here are the console steps to see which Azure users do not have MFA enabled:

  1. Log in to the Azure portal as a Global administrator.
  2. From the portal, navigate to the Azure Active Directory blade.
  3. Select the Users option from the left menu and then select All users to view all the users in your Azure environment.
  4. Click on a user’s name and then select Manage User to check if a user has MFA enabled. Under Security info, you can view all the multi-factor authentication methods enabled for a user.
  5. If none of the multi-factor authentication methods are enabled, then the user does not have MFA enabled.
  6. Repeat this process for all users in your Azure environment.

Using the Azure CLI Method:

In comparison to the Azure console method, using the Azure CLI is a much faster and more effective way of ensuring all Azure users have MFA enabled.

This method will require the following:

  • A computer with the Azure CLI installed
  • An active Azure subscription with administrative access to the users in question
  • Access to the Azure CLI terminal

Here are the steps to find all Azure users without MFA enabled using the Azure CLI:

  1. Log in to your Azure account as a Global administrator. You can open the Azure CLI by installing it locally or by running it in your browser: type "az" in the portal search bar.
  2. From the Azure CLI, run the following user list command:

az ad user list --query '[].{Name:displayName, UserPrincipalName:userPrincipalName}' --out table

This will generate a list of all users in your Azure environment, including those without MFA enabled.

  3. Next, run the following command to filter out users with MFA enabled:

az ad user list --query "[?!hasOwnProperty('strongAuthenticationMethods')].{Name:displayName, UserPrincipalName:userPrincipalName}" --out table

Note the quoting: the JMESPath expression contains single quotes, so the whole --query argument must be wrapped in double quotes or the shell will split it. Be aware that hasOwnProperty is not a built-in JMESPath function and that az ad user list, which is backed by Microsoft Graph, does not return a strongAuthenticationMethods attribute, so this query may fail on current CLI versions; the supported source of per-user MFA registration status is the authentication methods user registration details report in Microsoft Graph.

This will generate a list of all users without MFA enabled. You can then notify these users that they need to enable MFA for their accounts.
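As an added example (not code from the original post or from Blink), the script below reads the Microsoft Graph user registration details report through az rest, pages through the results, and keeps only the users with no MFA method registered, which is the same outcome the CLI step above aims for. It assumes the Azure CLI is installed and already logged in with an account permitted to read that report (for example a Global Reader); the REPORT_URL, the helper names and the sample records are the example's own, and the sample is constructed so the filter can be exercised offline.

```python
"""Added example (not from the original post): list Azure AD users who have
not registered an MFA method, using the Microsoft Graph user registration
details report fetched with `az rest`.

Assumptions (not stated on the page): the Azure CLI is on PATH and logged in
(`az login`) with an account allowed to read this report.
"""
import json
import shutil
import subprocess
from typing import Iterable

# Graph v1.0 report that records, per user, whether an MFA method is registered.
REPORT_URL = ("https://graph.microsoft.com/v1.0/reports/"
              "authenticationMethods/userRegistrationDetails")


def users_without_mfa(details: Iterable[dict]) -> list:
    """Return the records whose user has no MFA method registered.

    Each record is one userRegistrationDetails object. The filter keys on
    `isMfaRegistered` and treats a missing value as not registered, so a
    user is never silently counted as compliant.
    """
    return [
        {"Name": d.get("userDisplayName"),
         "UserPrincipalName": d.get("userPrincipalName"),
         "Methods": d.get("methodsRegistered", [])}
        for d in details
        if not d.get("isMfaRegistered", False)
    ]


def fetch_registration_details() -> list:
    """Page through the report with `az rest` and return every record."""
    if shutil.which("az") is None:
        raise RuntimeError("Azure CLI (az) not found on PATH")
    records, url = [], REPORT_URL
    while url:
        out = subprocess.run(["az", "rest", "--method", "get", "--url", url],
                             check=True, capture_output=True, text=True).stdout
        page = json.loads(out)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # Graph pages large tenants
    return records


# Constructed sample in the shape of the report response, for offline use.
SAMPLE_RESPONSE = {
    "value": [
        {"userPrincipalName": "alice@example.com", "userDisplayName": "Alice",
         "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
        {"userPrincipalName": "bob@example.com", "userDisplayName": "Bob",
         "isMfaRegistered": False, "methodsRegistered": []},
        {"userPrincipalName": "carol@example.com", "userDisplayName": "Carol",
         "methodsRegistered": []},  # flag absent: treated as not registered
    ]
}


def format_table(rows: list) -> str:
    """Render rows the way `--out table` does, ready to paste into a notice."""
    lines = [f"{'Name':<10} {'UserPrincipalName':<25} Methods"]
    for r in rows:
        methods = ",".join(r["Methods"]) or "-"
        lines.append(f"{r['Name']:<10} {r['UserPrincipalName']:<25} {methods}")
    return "\n".join(lines)


if __name__ == "__main__":
    try:
        data = fetch_registration_details()
    except RuntimeError:
        data = SAMPLE_RESPONSE["value"]  # no CLI: fall back to the constructed sample
    print(format_table(users_without_mfa(data)))
```

Treating an absent isMfaRegistered flag as non-compliant is deliberate: a report row that lacks the flag should land on the follow-up list rather than be assumed safe.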

Automate MFA Compliance Checks with Blink

While the above methods will let you find out whether Azure users have MFA enabled, they may be tedious and time-consuming, especially for larger organizations with hundreds of users.

Even when you have a list of all non-compliant users, you still have to notify them manually and follow up to validate that they have enabled MFA for their accounts.

With Blink, you can run a simple automation to easily identify all Azure users without MFA enabled and notify them to update their settings.

Blink Automation: Enforce and Enable MFA for Cloud and Tools for All Azure Users

When you run this automation from the Blink library, it executes the following steps:

  1. Finds all users in Azure Active Directory who do not have MFA enabled.
  2. Sends a report of all Azure users with insufficient security settings to a designated administrator.
  3. Sends a notification to all non-compliant Azure users instructing them how to update their settings to enable MFA.

This is a simple automation, which makes it easy to customize for your organization’s needs. For example, you can schedule this check to run regularly or add actions to notify end users via Slack instead of email.

This automation and 5K more are available to use right away from the Blink library, or you can build custom automations to match your unique use cases.

Get started with Blink today to see how easy automation can be.
