SecureOps Playbooks logoSecureOps Playbooks

Identity / Read-only

Audit MFA Registration in Microsoft 365

Review which users have authentication methods registered before assuming MFA coverage is handled.

Risk: MediumExample playbookRead-onlyValidation pending

Practical intro

An MFA policy and MFA registration are related, but they are not the same thing. I like to look at registration separately so I know which users appear prepared to satisfy stronger sign-in requirements before policy work begins.

Why I check this

In real tenant reviews, it is common to find identity settings that made sense at one point but were never revisited. MFA may be part of the tenant design, but registration coverage can still be uneven. This check gives the admin a reviewable list instead of relying on memory or assumptions.

What this check tells you

The example reads users and their registered authentication methods through Microsoft Graph PowerShell. This is a registration inventory: it checks which authentication method objects are visible for each user. It can help identify enabled accounts that have no visible authentication methods, accounts with only a single registered method, or accounts that need a closer registration review.

What this helps you decide

This helps you decide where to look before you touch policy. If a group of active users has no registered methods, they may need communication, registration support, or a separate account review before stronger sign-in requirements are rolled out. If users have methods registered, you still need to confirm whether those methods line up with the policies and sign-in experience you expect.

What this does not prove

This check does not prove that MFA is enforced, required, successful, or correctly configured. It does not prove the user has completed MFA successfully. It does not replace Conditional Access review, authentication strength review, registration campaign review, sign-in log review, or per-user MFA review.

Not every authentication method means the user is MFA-ready. Some methods may be usable only for password reset, some may not satisfy the policy that applies to the user, and some users may still be excluded from the policy path you care about.

When I would run this

Permissions and modules

Review and approve the scopes before running the example. The Microsoft Learn documentation for Get-MgUserAuthenticationMethod lists UserAuthenticationMethod.Read.All as a delegated read permission for this resource. Get-MgUser commonly requires an approved user read scope such as User.Read.All for this style of tenant inventory.

Read-only PowerShell example

This example reads users and authentication methods, then exports a CSV. Review it in a test or lab environment before adding it to a production change process.

# SecureOps Playbooks | secureopsplaybooks.com
# Read-only example: MFA registration review. Validate in a lab first.

Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All"

$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled"
$rows = foreach ($user in $users) {
  $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
  $methodTypes = @($methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] })
  $reviewNote = if ($methodTypes.Count -eq 0) {
    "No registered authentication methods returned by this Graph check; review account type, policy scope, and sign-in context."
  } else {
    "Registered methods found; this does not prove MFA enforcement, successful MFA use, or policy coverage."
  }

  [pscustomobject]@{
    DisplayName = $user.DisplayName
    UserPrincipalName = $user.UserPrincipalName
    AccountEnabled = $user.AccountEnabled
    RegisteredMethodCount = $methodTypes.Count
    RegisteredMethodTypes = ($methodTypes -join ";")
    ReviewNote = $reviewNote
  }
}

$rows |
  Sort-Object UserPrincipalName |
  Export-Csv ".\mfa-registration-review.csv" -NoTypeInformation

Expected output columns

How to read the results

Start with enabled accounts that have no listed methods or unexpectedly low registered method counts. Finding a low count does not automatically mean the account is insecure or misconfigured. Finding registered methods does not automatically mean the account is protected by MFA. Both results mean the account should be reviewed in context.

Common findings

False positives or normal explanations

Some accounts may be disabled, cloud-only test accounts, break-glass accounts, or accounts covered by a separate administrative process. The export should start a review, not end it.

What to verify before action

Troubleshooting

Limitations

Authentication method data is only one view of identity readiness. This starter check does not replace Conditional Access review, authentication strength review, registration campaign review, sign-in log review, per-user MFA review, break-glass account review, or a documented rollout plan.

Sources and documentation to review

Validation status

This is an example read-only playbook. Review the Microsoft documentation, permissions, and output in a test or lab environment before using it as part of a production change process.

Related playbooks

Use this in the Quick-Check Pack

The M365 Admin Quick-Check Pack is meant to put checks like this into a repeatable review order before tenant changes.

Get the Quick-Check Pack