Related features:

Related Powershell Guides:

How to view the MFA status report in Microsoft Entra ID

In this page

Authentication methods play a critical role in protecting user accounts and meeting compliance needs. For IT admins, tracking who has registered MFA, which methods they use, and whether they meet policy requirements can be overwhelming, especially across a large directory. But, there are practical ways to make this easier.

  • M365 admin center
  • PowerShell
  • ADManager Plus
 

Get MFA status report in Microsoft Entra ID using Microsoft Entra admin center

  • Sign-in to the Microsoft Entra admin center.
  • Go to Authentication methods under Entra ID.
  • Click Monitoring -> User registration details.
A comprehensive report showing how to get MFA status in the Entra admin center' predefined reports

Get MFA status report using Windows PowerShell

Connect to the Azure AD PowerShell.

Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
  • Follow the below cmdlets to get MFA registration details.
    Get-MgUserAuthenticationMethod -UserId <userUPN or ObjectId>
  • You can also filter by specific authentication methods, for example, only phone methods:
    Get-MgUserAuthenticationMethod -UserId <userUPN> | Where-Object {$_.OdataType -eq "#microsoft.graph.phoneAuthenticationMethod"}

Example use case to get MFA status of John

Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
Get-MgUserAuthenticationMethod -UserId John@contoso.com

# Filter only for phone-based authentication methods

Get-MgUserAuthenticationMethod -UserId John@contoso.com |
Where-Object {$_.OdataType -eq "#microsoft.graph.phoneAuthenticationMethod"}

Example output

Id : 3a1a5e12-64d4-4a11-91e4-4a6f54b35ef9
OdataType : #microsoft.graph.phoneAuthenticationMethod
PhoneType : mobile
PhoneNumber : +91 9876543210
SmsSignInState : enabled

Get MFA status report using graph PowerShell

Here's the syntax:

Get-MgUserAuthenticationMethod
-UserId <String>
[-ExpandProperty <String[]>]
[-Property <String[]>]
[-Filter <String>]
[-Search <String>]
[-Skip <Int32>]
[-Sort <String[]>]
[-Top <Int32>]
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-PageSize <Int32>]
[-All]
[-CountVariable <String>]
[<CommonParameters>]

Example use case to get Microsoft Authenticator app method of Jane

Example query

Get-MgUserAuthenticationMethod -UserId Jane@contoso.com |
Where-Object {$_.OdataType -eq "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}
[<CommonParameters>]

Example output

Id : 91a43c8e-dcf3-47a1-9a6a-9983d93f5f77
OdataType : #microsoft.graph.microsoftAuthenticatorAuthenticationMethod
DisplayName : Microsoft Authenticator
DeviceTag : Pixel 7
DeviceId : 8f6b42c1-5abf-4931-8a21-57b8e5b3a7e1

This output shows that Jane has Microsoft Authenticator registered as her authentication method, with the OdataType showing it's the Authenticator app.

She has Microsoft Authenticator set up as their authentication method and it's tied to a Pixel 7 device, with the DeviceTag pointing to that phone model. The method is tracked in Entra ID with a unique DeviceId, and the ID confirms the specific record for this authentication method. DisplayName makes it clear the app in use is Authenticator.

Get MFA status report using ADManager Plus

  1. Sign in to ADManager Plus.
  2. Navigate to Microsoft 365 → Reports.
  3. Under User Reports, select MFA Registration Details in the Password Status section.
  4. Choose your tenant and click Generate Report.
  5. Use filters (domain, groups, etc.) to narrow down results as needed.
A comprehensive report showing MFA status in ADManager Plus
Get started

Highlights of using ADManager Plus to view the MFA status

ADManager Plus' Microsoft 365 management and reporting offers a complete solution for Microsoft 365 admins, with a simple, user-friendly interface that allows you to easily get MFA status and other user reports instantly.

Bulk MFA management

Update MFA settings for multiple users at once to save time and ensure consistency.

Detailed security reports

Track not just MFA registrations, but also password changes, expirations, and MFA status across your tenant.

Custom dashboards

Build custom dashboards for at-a-glance visibility into MFA adoption and password health and get updates in a scheduled frequency.

Automation & workflows

Automate MFA tasks and create approval-based workflows to streamline secure processes.

Delegated administration

Assign MFA tasks to technicians with controlled permissions and oversight.

Risk insights

Track the potential attack flow on privileged accounts to reduce exposure.

Important tips

  • Schedule MFA reports

    Set up regular reports to track MFA adoption and spot gaps and modify quickly.

  • Disable outdated or unused methods

    If users have multiple methods but they rely on just one, remove the unused ones and eliminate weaker options to reduce risk.

  • Enforce registration on sign-in

    Prompt unregistered users to complete MFA setup at their next login.

  • Customize MFA settings by account sensitivity

    Apply stricter MFA for admins and privileged accounts while keeping it user-friendly for standard accounts.

Track MFA registration in minutes with ADManager Plus

Try it now for free

FAQs

  • Reports often don't show historical trends, only snapshots.
  • Limited customization for filters (e.g., OU-based views).
  • Manual PowerShell scripts are needed for deeper insights.ADManager Plus helps, by giving ready dashboards, custom scheduling, and drill-down views without scripting.

Yes. You can run Get-MgUserAuthenticationMethod or older Get-MsolUser commands to see who has MFA and what methods are registered. The downside is it requires scripting skills, and reports need manual formatting unless you plug them into something else.

Removing an MFA method may disrupt user access if that method was their sole MFA option. It's best practice to verify users have alternate methods registered before removal.

Use the “Security Info Registration” Conditional Access policy. Instead of excluding users from your location-based policies, configure the “Authentication methods registration policy” in Entra ID. This allows users to register MFA methods (like the Authenticator app) from untrusted locations without granting them broader access to other resources. That way, they can set up MFA at home but still respect your conditional access restrictions for app access.

You can check this in multiple ways:

Entra admin center:

  • Go to Entra admin centerAuthentication methodsMonitoringUser registration details.
  • Under Methods Registered column, you can find which MFA methods each user has set up.

Graph PowerShell:

Get-MgUserAuthenticationMethod -UserId user@domain.com

ADManager Plus

  • Sign in to ADManager Plus.
  • Navigate to Microsoft 365 → Reports.
  • Under User Reports, select MFA Registration Details in the Password Status section.
  • Choose your tenant and click Generate Report.
  • Check the Methods Registered column to see which MFA methods each user has set up.

Entra admin center (ADMP):

  • Go to Entra admin centerAuthentication methodsMonitoringUser registration details.
  • You'll see a report of which users have MFA enabled and their methods.

Graph PowerShell:

  • Get-MgUserAuthenticationMethod -UserId <UserUPN> | Select-Object Id, OdataType
  • To check for all users, loop through Get-MgUser.

ADManager Plus

  • Sign in to ADManager Plus.
  • Navigate to Microsoft 365 → Reports.
  • Under User Reports, select MFA Enabled Users in the Password Status section.
  • Choose your tenant and click Generate Report.
The one-stop solution to Active Directory Management and Reporting
Highlights AD Management Active Directory Reports Exchange Management Popular products
Email Download Link Email the ADManager Plus download link