TODO: Optimize the Azure Multi-factor Authentication methods used throughout your organization

Microsoft Azure Multi-Factor Authentication

Multi-factor Authentication will be organizations’ means of authentication verification for a while. After clearing the first hurdles in your organization when implementing multi-factor authentication, consisting of communication, registration and adoption, the next hurdle is optimization.


Why optimize Multi-factor Authentication?

Multi-factor Authentication offers verification of people authenticating to access organizational data, applications, services and/or systems; Beyond the username and password, multi-factor authentication allows for additional verification by prompting the person to prove he or she has access to something (a phone number, a pre-registered app on their phone) or to prove he or she is the person (through facial recognition or a finger print).

The recommendation is to have people register for at least two independent multi-factor authentication methods.

This way:

  • When a person forgets or loses their phone, they can still perform multi-factor authentication and achieve productivity
  • When a person gets a new phone, they don’t require the Authenticator app to be pre-registered to be able to perform multi-factor authentication and achieve productivity
  • When nothing else works, they can still sign in using their OATH-based token

Now, in some cultures and organizations, people don’t want to install any corporate application or pushed any organizational setting to their private phones. Multi-factor authentication was rolled-out, keys were handed out, etc. and now no-one in the organization has a firm grip on who uses what authentication method and why.


Azure MFA authentication method analysis

Microsoft offers a Windows PowerShell script to analyse Azure AD user objects to make recommendations on how to improve each user's Azure Multi-factor Authentication configuration.


You can't use a guest (B2B) account to run this script against the target tenant. The script will execute in the guest's home tenant, not the target tenant.

Getting ready

To run the script, you’ll need to meet the following requirements:

  • You need an Azure AD tenant, obviously
  • You need a Windows system that has networking connectivity to Azure AD. If the system is located behind a proxy or firewall, allow the required traffic by specifying the proxy as the system-wide proxy and/or specify firewall rules to allow the traffic
  • You need a Windows system with at least PowerShell version 3 installed
  • You need local administrator privileges on the Windows system, unless you’ve previously installed the MSOnline PowerShell module (version of the MSOnline PowerShell Module is required, or up).
  • You need networking connectivity to the Nuget infrastructure, unless you’ve previously installed the MSOnline PowerShell module (version of the MSOnline PowerShell Module is required, or up).
  • You need permissions in the Azure AD tenant to enumerate user object properties. The user administrator role in Azure AD is the least privilege delegated role that provides these permissions.

Getting the script

Download the script from
A mirror of the script is available here.

Place it in an easily reachable folder on the Windows system.

Getting the Azure AD Tenant ID

The script requires input. It requires the Azure AD TenantID.
There are several ways to get this globally unique identifier (GUID) for your Azure AD Tenant, but below, I’ll show the graphical way to get it:

  • Open a browser
  • Navigate to the Azure AD Portal
  • Sign in with an account in the Azure AD tenant
  • Perform multi-factor authentication when prompted
  • In the left navigation pane, click on Azure Active Directory.
  • In Azure AD’s navigation pane, click on Properties.
  • In the main pane, the Tenant ID is shown in the Directory ID field.
  • Copy the value.
  • Sign out of the Azure AD Portal by clicking on the name of the signed-in account in the top-right corner of the portal experience. Click the Sign out link.
  • Close the browser

Sign in

Sign in with an account that has administrative privileges on the Windows system.

Install or Update the MSOnline Windows PowerShell Module

Open an elevated Windows PowerShell window.

Run the following line of Windows PowerShell to either install or update the MSOnline Windows PowerShell module:

Install-Module MSOnline -force

Run the script

In the existing (and yet elevated) Windows PowerShell window, navigate to the local folder where you’ve placed the MfaAuthMethodsAnalysis.ps1 script. For instance, you can run the following line:

cd C:\Mgmt

Then, run the script with the following options:

MfaAuthMethodsAnalysis.ps1 -TenantID <YourTenantID> | Out-GridView

Sign in with an Azure AD user account that has at least the User Administrator role assigned and perform multi-factor authentication, when prompted.

The script results in a GridView window with columns for the number of Authentication methods (MfaAuthMethodCount), the default method (DefaultMethod), a column per authentication method (AppNotification, OathTotp, Sms, Phone and AltPhone) and a column with Recommendations. The GridView allows you to sort by column.

The output does not include the actual phone numbers, etc. for privacy reasons.

Putting the information to good use

You can use the authentication method columns to create an inventory of the methods configured. This might result in statistics on the people that won’t use personal gear for business purposes.

You can use the recommendations to allow people in the organization to fulfill all of the multi-factor authentication methods. This way, any of the scenarios that might result in a lock-out (forgotten phone, etc.) do not hinder productivity.



Use the Azure MFA authentication method analysis script to analyse and optimize Azure multi-factor authentication usage within your organization.

Also, consider other methods to satisfy multi-factor authentication like Windows Hello for Business and FIDO2-based security keys.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.