Check which MFA method your users are using

Using MFA is a low-effort, high-gain way to prevent unauthorized access to your accounts. Azure has a built-in MFA system that is available to users for Azure, Office 365, 3rd party Enterprise apps using SAML, and more.

Users are able to set up different types of MFA. The following methods are currently supported:

  • Phone call
  • Application notification (on a smartphone)
  • Application One Time Passcode (on a smartphone)
  • SMS or Text Message (Microsoft recommends against using this as it is not secure)

As an admin, you can look up and reset the MFA configuration of any user. However, you cannot see in the portal which type of MFA the user has selected as the default. This can be useful to know for troubleshooting or if a 3rd party system requires a specific form of authentication. Most notably, the MFA/RADIUS connector from Microsoft is not compatible with OTP, so OTP must not be selected there.

Via PowerShell, you can find the default MFA method that is set for a user.

First, connect to Azure Active Directory.

Connect-MsolService

Second, issue this command.

Get-MsolUser -UserPrincipalName user.name@yourcompany.com | Select-Object -ExpandProperty StrongAuthenticationMethods | Select-Object IsDefault, MethodType

Replace the UPN with the one you want to know more about. The result will be something like this:

The methods listed are the ones that have been configured. The default is the one that is used without asking. A user can change the default for his account via https://aka.ms/mfasetup.

| MethodType | Explanation |
|---|---|
| TwoWayVoiceMobile | The user receives a phone call on the registered mobile number and must confirm via the # key. |
| TwoWayVoiceOffice | The user receives a phone call on the registered office number and must confirm via the # key. |
| PhoneAppNotification | The Microsoft Authenticator app on the smartphone will give a popup the user needs to approve or reject. |
| PhoneAppOTP | The Microsoft Authenticator app on the smartphone will give a One Time Passcode that needs to be entered. |
| OneWaySMS | A text message containing a One Time Passcode. |
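
To run the same check for many users at once, the following is an added example (not part of the original post) that reports each user's default method and flags defaults you may not want. The function name Get-DefaultMfaReport, the New-SampleUser helper, the status labels and the choice of flagged methods are assumptions made for illustration; the sample users are constructed.

```powershell
# Added example (not from the original post). Input: objects shaped like
# Get-MsolUser output (UserPrincipalName, StrongAuthenticationMethods).
function Get-DefaultMfaReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        # Assumed policy: flag SMS (not recommended) and OTP (RADIUS connector).
        [string[]]$FlaggedMethods = @('OneWaySMS', 'PhoneAppOTP')
    )
    process {
        # Drop $null so a user with no registered methods counts as zero.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

        if ($methods.Count -eq 0) { $status = 'NoMfaRegistered' }
        elseif (-not $default) { $status = 'NoDefaultSet' }
        elseif ($FlaggedMethods -contains $default.MethodType) { $status = 'Flagged' }
        else { $status = 'OK' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
            Registered        = ($methods.MethodType -join ', ')
            Status            = $status
        }
    }
}

# Hypothetical helper that builds constructed sample users (placeholder UPNs).
function New-SampleUser([string]$Upn, [string[]]$Types, [string]$Default) {
    [pscustomobject]@{
        UserPrincipalName           = $Upn
        StrongAuthenticationMethods = @($Types | ForEach-Object {
            [pscustomobject]@{ IsDefault = ($_ -eq $Default); MethodType = $_ } })
    }
}

$sample = @(
    New-SampleUser 'alice@yourcompany.com' @('PhoneAppNotification', 'OneWaySMS') 'PhoneAppNotification'
    New-SampleUser 'bob@yourcompany.com' @('PhoneAppOTP', 'TwoWayVoiceMobile') 'PhoneAppOTP'
    New-SampleUser 'carol@yourcompany.com' @() ''
)
$sample | Get-DefaultMfaReport | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-DefaultMfaReport | Where-Object Status -ne 'OK'
```

A user who has SMS registered but not set as the default is reported as OK; check the Registered column if you also want to find methods that are merely available as a fallback.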

If you want to snoop on the phone and e-mail settings, you can do that in the portal or using this command:

Get-MsolUser -UserPrincipalName user.name@yourcompany.com | Select-Object -ExpandProperty StrongAuthenticationUserDetails