Practical intro
An MFA policy and MFA registration are related, but they are not the same thing. I like to look at registration separately so I know which users appear prepared to satisfy stronger sign-in requirements before policy work begins.
Why I check this
In real tenant reviews, it is common to find identity settings that made sense at one point but were never revisited. MFA may be part of the tenant design, but registration coverage can still be uneven. This check gives the admin a reviewable list instead of relying on memory or assumptions.
What this check tells you
The example reads users and their registered authentication methods through Microsoft Graph PowerShell. This is a registration inventory: it checks which authentication method objects are visible for each user. It can help identify enabled accounts that have no visible authentication methods, accounts with only a single registered method, or accounts that need a closer registration review.
What this helps you decide
This helps you decide where to look before you touch policy. If a group of active users has no registered methods, they may need communication, registration support, or a separate account review before stronger sign-in requirements are rolled out. If users have methods registered, you still need to confirm whether those methods line up with the policies and sign-in experience you expect.
What this does not prove
This check does not prove that MFA is enforced, required, successful, or correctly configured. It does not prove the user has completed MFA successfully. It does not replace Conditional Access review, authentication strength review, registration campaign review, sign-in log review, or per-user MFA review.
Not every authentication method means the user is MFA-ready. Some methods may be usable only for password reset, some may not satisfy the policy that applies to the user, and some users may still be excluded from the policy path you care about.
When I would run this
- Before changing Conditional Access or authentication method policies.
- Before a security review, tenant cleanup, or admin handoff.
- When inherited settings make it unclear who is ready for stronger sign-in requirements.
Permissions and modules
Review and approve the scopes before running the example. The Microsoft Learn documentation for Get-MgUserAuthenticationMethod lists UserAuthenticationMethod.Read.All as a delegated read permission for this resource. Get-MgUser commonly requires an approved user read scope such as User.Read.All for this style of tenant inventory.
- Microsoft.Graph.Authentication
- Microsoft.Graph.Identity.SignIns
- Microsoft.Graph.Users
Read-only PowerShell example
This example reads users and authentication methods, then exports a CSV. Review it in a test or lab environment before adding it to a production change process.
# SecureOps Playbooks | secureopsplaybooks.com
# Read-only example: MFA registration review. Validate in a lab first.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All"
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled"
$rows = foreach ($user in $users) {
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
$methodTypes = @($methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] })
$reviewNote = if ($methodTypes.Count -eq 0) {
"No registered authentication methods returned by this Graph check; review account type, policy scope, and sign-in context."
} else {
"Registered methods found; this does not prove MFA enforcement, successful MFA use, or policy coverage."
}
[pscustomobject]@{
DisplayName = $user.DisplayName
UserPrincipalName = $user.UserPrincipalName
AccountEnabled = $user.AccountEnabled
RegisteredMethodCount = $methodTypes.Count
RegisteredMethodTypes = ($methodTypes -join ";")
ReviewNote = $reviewNote
}
}
$rows |
Sort-Object UserPrincipalName |
Export-Csv ".\mfa-registration-review.csv" -NoTypeInformationExpected output columns
- DisplayName
- UserPrincipalName
- AccountEnabled
- RegisteredMethodCount
- RegisteredMethodTypes
- ReviewNote
How to read the results
Start with enabled accounts that have no listed methods or unexpectedly low registered method counts. Finding a low count does not automatically mean the account is insecure or misconfigured. Finding registered methods does not automatically mean the account is protected by MFA. Both results mean the account should be reviewed in context.
Common findings
- Enabled accounts with no visible authentication method data.
- Accounts that look like service or shared-use accounts and need a different review path.
- Users with methods registered but unclear policy coverage.
False positives or normal explanations
Some accounts may be disabled, cloud-only test accounts, break-glass accounts, or accounts covered by a separate administrative process. The export should start a review, not end it.
What to verify before action
- Whether the account is active and expected to sign in.
- Whether Conditional Access policy exclusions or authentication strength rules apply.
- Whether emergency access accounts follow the tenant owner-approved design.
- Whether sign-in logs support the same conclusion as the registration export.
- What you documented as the reason for any follow-up review.
Troubleshooting
- If a command is unavailable, refresh the Microsoft Graph PowerShell modules.
- If consent is blocked, ask an administrator to review the requested read scopes.
- If output is incomplete, confirm the account has permission to read authentication method details.
- If the export takes a long time, test against a smaller user set first and then decide how to run a full review.
Limitations
Authentication method data is only one view of identity readiness. This starter check does not replace Conditional Access review, authentication strength review, registration campaign review, sign-in log review, per-user MFA review, break-glass account review, or a documented rollout plan.
Sources and documentation to review
- Microsoft Graph PowerShell Connect-MgGraph documentation
- Microsoft Graph authentication method documentation
- Microsoft Graph users documentation
Validation status
This is an example read-only playbook. Review the Microsoft documentation, permissions, and output in a test or lab environment before using it as part of a production change process.
Related playbooks
Use this in the Quick-Check Pack
The M365 Admin Quick-Check Pack is meant to put checks like this into a repeatable review order before tenant changes.
Get the Quick-Check Pack