How to Check if All Azure Users Have MFA Enabled

Ensure Azure security by verifying that MFA is enabled for all users. Discover how to find and remove any non-compliant accounts step-by-step.

Patrick Londa
Jun 5, 2023

Updated: May 14, 2025

Multi-Factor Authentication (MFA) is no longer a nice-to-have; it's a fundamental security layer for protecting identities and resources in the cloud. In Microsoft Azure, ensuring all users have MFA enabled is critical for safeguarding against unauthorized access and potential breaches. With identity often being the primary target for attackers, verifying that your Azure users have MFA enabled is paramount.

But how do you efficiently perform an Azure MFA check across your entire organization? Manually verifying the Azure MFA status for every user can be tedious, error-prone, and difficult to scale. Failing to identify and remediate gaps leaves your organization vulnerable.

This post explores different methods to find Azure users without MFA enabled in your Azure Active Directory (now Microsoft Entra ID) tenant, ranging from manual checks in the Azure portal and using PowerShell to fully automating the process for continuous Azure MFA compliance using Blink Copilot.

Why is Checking Azure MFA Status Crucial?

Before diving into the "how," let's briefly touch on the "why":

  1. Security Posture: Unprotected accounts are easy targets for credential stuffing and phishing attacks. Enforcing MFA significantly reduces the risk of account compromise.
  2. Compliance Requirements: Many regulatory frameworks (like PCI DSS, HIPAA) and cyber insurance policies mandate MFA. Regularly checking Azure MFA status helps demonstrate compliance.
  3. Risk Mitigation: Identifying users without MFA allows you to proactively address security gaps before they can be exploited.

Method 1: Manual Azure MFA Check via Microsoft Entra Admin Center (Azure Portal)

For a quick visual check or smaller organizations, you can review MFA status directly within the Azure environment:

  1. Log in to the Microsoft Entra admin center (formerly Azure portal) as a Global Administrator or a relevant role.
  2. Navigate to Protection > Multifactor authentication.
  3. Under the "Users" tab, you can view a list of users and their MFA status ("Enforced," "Enabled," or "Disabled").
  4. You can filter and search for users, but this method becomes cumbersome for large numbers of users when trying to specifically find Azure users without MFA.

While straightforward for individual checks, this manual process doesn't scale well and relies on point-in-time verification.

Method 2: Manual Azure MFA Check using PowerShell

PowerShell offers a more programmatic way to perform an Azure MFA check and retrieve a list of users and their MFA status. You'll need PowerShell (of course) and the MSOnline module.

Here’s what the script does:

  1. Checks that the MSOnline module is available.
  2. Connects to the MSOnline service.
  3. Gets all the users.
  4. Filters those who don’t have MFA enabled.
  5. Exports the result to a CSV file.

[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$OutputFilePath
)

# Check if MSOnline module is installed
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Write-Warning "MSOnline module is not installed. Please install it using Install-Module -Name MSOnline -Force -AllowClobber"
    exit 1
}

# Import MSOnline module
Import-Module MSOnline

# Connect to MSOnline service
# -ErrorAction Stop turns connection failures into terminating errors so the catch block runs
try {
    Write-Verbose "Connecting to MSOnline service..."
    Connect-MsolService -ErrorAction Stop
} catch {
    Write-Error "Failed to connect to MSOnline service: $_"
    exit 1
}

# Get all users
Write-Verbose "Retrieving all users..."
$users = Get-MsolUser -All

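# Filter users without MFA
# (an empty StrongAuthenticationRequirements collection means per-user MFA is neither enabled nor enforced)
Write-Verbose "Filtering users without MFA..."
$usersWithoutMFA = $users | Where-Object { -not $_.StrongAuthenticationRequirements }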

# Select required properties
$selectedUsers = $usersWithoutMFA | Select-Object DisplayName, UserPrincipalName

# Export to CSV
Write-Verbose "Exporting to CSV file: $OutputFilePath"
$selectedUsers | Export-Csv -Path $OutputFilePath -NoTypeInformation

Write-Verbose "Script completed successfully."

This PowerShell method is more efficient for bulk checks but still requires manual execution, scripting knowledge, and regular updates as APIs change.

The Challenge with Manual Checks

Both the portal and PowerShell methods provide ways to check Azure MFA status, but they share limitations:

  • Time-Consuming: Manually running checks takes valuable time.
  • Error-Prone: Manual processes increase the risk of mistakes.
  • Not Continuous: Checks are only valid at the moment they are performed, missing new users or status changes.
  • Requires Expertise: PowerShell requires specific skills and maintenance.

Method 3: Automate Your Azure MFA Check with Blink Copilot

The most efficient and reliable way to manage Azure MFA compliance is through automation. This is where Blink Copilot shines.

What is Blink Copilot?

Blink Copilot is an AI-powered automation platform that allows IT and security teams to build and automate workflows using simple, natural language prompts. It simplifies complex tasks like checking Azure MFA status across your entire tenant.

How Blink Automates Azure MFA Status Checks

With Blink, you can create an automation that:

  1. Connects securely to your Microsoft Entra ID (Azure AD) tenant using our native integration.
  2. Fetches the list of all users.
  3. Checks the MFA status for each user by querying their registered authentication methods via the Microsoft Graph API.
  4. Filters to find Azure users without MFA enabled.
  5. Takes Action:
    • Generates a report (e.g., CSV, Google Sheet).
    • Sends notifications to administrators or security teams via Slack or Microsoft Teams.
    • Creates tickets for remediation in systems like Jira.
    • Optionally, triggers user-facing notifications or reminders.
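
Steps 2 to 4 above, sketched in PowerShell as an added example (not Blink's workflow and not code from the original post): it decides from each user's registered Graph authentication-method types whether any MFA-capable method exists. This complements the Method 2 script, whose StrongAuthenticationRequirements property reflects only the per-user MFA setting and whose MSOnline module is deprecated in favour of Microsoft Graph PowerShell. The helper name Get-UserWithoutMfaMethod, the choice of which method types count as MFA-capable, and the sample users are assumptions made for illustration.

```powershell
# Added example; the sample users below are constructed for illustration.
# Assumption: these Graph method types count as MFA-capable. Password and
# email (SSPR only) do not. Adjust the list to your own policy.
$StrongMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    '#microsoft.graph.phoneAuthenticationMethod'
    '#microsoft.graph.fido2AuthenticationMethod'
    '#microsoft.graph.softwareOathAuthenticationMethod'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Get-UserWithoutMfaMethod {
    # Hypothetical helper: takes objects with DisplayName, UserPrincipalName and
    # MethodTypes (@odata.type strings); emits users with no MFA-capable method.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$User
    )
    process {
        $strong = @($User.MethodTypes | Where-Object { $_ -in $StrongMethodTypes })
        if ($strong.Count -eq 0) {
            [pscustomobject]@{
                DisplayName       = $User.DisplayName
                UserPrincipalName = $User.UserPrincipalName
                RegisteredMethods = ($User.MethodTypes -replace '^#microsoft\.graph\.') -join ';'
            }
        }
    }
}

# Constructed sample: only Bob (password + email) should be reported.
$pw = '#microsoft.graph.passwordAuthenticationMethod'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
        MethodTypes = @($pw, '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod') }
    [pscustomobject]@{ DisplayName = 'Bob Example'; UserPrincipalName = 'bob@contoso.example'
        MethodTypes = @($pw, '#microsoft.graph.emailAuthenticationMethod') }
)
$sample | Get-UserWithoutMfaMethod | Format-Table -AutoSize

# Live tenant, using the Microsoft.Graph PowerShell module:
# Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'
# Get-MgUser -All | ForEach-Object {
#     $u = $_
#     $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
#         ForEach-Object { $_.AdditionalProperties['@odata.type'] }
#     [pscustomobject]@{ DisplayName = $u.DisplayName; UserPrincipalName = $u.UserPrincipalName; MethodTypes = @($types) }
# } | Get-UserWithoutMfaMethod | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

A user who appears in this output has no second factor registered, so a Conditional Access policy requiring MFA would prompt them to register on next sign-in rather than challenge an existing method.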

Why Automate Azure MFA Checks with Blink?

Automating this crucial task with Blink Copilot provides significant advantages:

  • Save Time & Resources: Eliminate hours of manual Azure MFA checks. Focus your team on strategic initiatives.
  • Reduce Human Error: Ensure consistent and accurate reporting every time.
  • Ensure Continuous Compliance: Schedule the automation to run daily, weekly, or as needed for ongoing Azure MFA compliance.
  • Go Beyond Checking: Easily extend the workflow to automate remediation steps or integrate with your SOC/IR tools.
  • Leverage Hundreds of Integrations: Connect seamlessly not just with Microsoft Entra ID MFA, but also with tools like Slack, Teams, Jira, ServiceNow, and more from our extensive library.
  • Access Thousands of Pre-Built Automations: Utilize Blink's library of over 10,000 pre-built security and IT automations to jumpstart your workflows.
  • Natural Language Automation: Describe your desired workflow (e.g., "Find all Azure users without MFA and send a report to the security Slack channel") and let Blink Copilot build it for you.

Example Workflow: Automated Azure MFA Reporting

Imagine scheduling an automation that runs every morning:

  1. Blink queries Microsoft Entra ID for users without registered MFA methods.
  2. A report listing these users (DisplayName, UPN, Last Login) is generated.
  3. The report is automatically posted to a dedicated #azure-mfa-compliance channel in Slack.


Enforcing Azure MFA

While checking is crucial, the ultimate goal is enforcement. Microsoft Entra ID (Azure AD) uses Conditional Access policies as the primary mechanism to enforce Azure MFA. These policies allow you to require MFA based on user, location, device state, application, and risk signals.

Blink can complement enforcement policies by continuously verifying compliance and automating responses for exceptions or identified gaps, fitting into broader Identity & Access Management (IAM) strategies. Leading companies like Rapyd and Futureverse leverage Blink for security automation, achieving significant improvements in efficiency and security posture.

Conclusion & Next Steps

Regularly performing an Azure MFA check is essential for maintaining a strong security posture and meeting compliance requirements. While manual methods exist, they lack the scalability, consistency, and efficiency needed for modern environments.

Automating the process to find Azure users without MFA using Blink not only saves significant time and effort but also ensures continuous monitoring and faster remediation. By leveraging natural language prompts, extensive integrations, and a vast library of pre-built actions, Blink empowers teams to effortlessly manage Azure MFA status and enhance overall Azure security.

Ready to secure your Azure environment and automate MFA compliance checks?

Get started with Blink Copilot today! Request a personalized demo.
