Azure MFA authentication method analysis. Share the results with Power Automate!

You might have seen the sample script, created by the Microsoft community, to run some analysis on your Azure MFA authentication methods. This script can be used to make recommendations on how to improve each user’s MFA configuration.

You can run the script against your tenant, and the results can be exported to a CSV file. Wouldn’t it be cool to share those results with your users straight away? With the use of Power Automate (Flow), we can easily send recommendations to each of our end users. Today I’ll show you how this can be done in a few clicks.

Run the script

First, we have to run the script. This is pretty straight forward. Here’s an example:

.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292 -CsvOutput -Verbose

You can also target a specific group, if needed.

.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292 -TargetGroup 6424cd24-ee16-472f-bad6-85427c9febc2

Ensure you run the script with an account that can enumerate user properties. For least privilege use the User Administrator role.

Prepare the CSV file

The CSV file is a comma-separated file. To keeps things simple, use Excel to convert these records to columns and turn them into a table manually.

If needed, do a clean-up on empty records or filter out the records/columns that you don’t need. Save the file as an .XLSX file on SharePoint or Onedrive.

Make the flow

Start off by creating a new flow with a manual trigger. Give it a proper name.

The flow in this example is really simple, but you can expand the flow to your own needs. To start, we need to pick up the Excel file and get all the rows from the table.

Next, we use the Azure AD connector to get the properties of our users. We need this later on. Use the UserPrincipalName from the Excel file as your input value.

The next steps are optional if you don’t want to differentiate your recommendations. I want to send a separate mail to users that have 0 MFA methods registered, so I compose the MfaAuthMethodCount to a float value. I used the float(outputs(‘ComposeMFAMethods’)) as my expression.

In my next step, I add a condition to split the flow. One for the non registered users, and one for the users that have 1 or more methods registered. In the last step, use the dynamic values from the previous steps to compose your email.

Test and run the flow. The user will end up with the following email:

Wrap things up

As you can see, you can be creative here and make your own flow to send out these messages to your users. You could also use the Teams connector, and just send the recommendations by chat for example.

The script is open-source, so feel free to contribute! https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/

Get the sample Flow from my Github page

6 thoughts on “Azure MFA authentication method analysis. Share the results with Power Automate!”

  1. Pingback: Azure MFA authentication method analysis. Share the results with Power Automate! – 365 admin service

  2. Nice! THough this would be even better if your first step was to call an Azure Function Powershell to run the script and return the XLSX, that way it’s completely automated and can be run daily/weekly/whatever

    1. Yes sir! I had the same idea, but I wanted to keep it simple. And I must admit: I suck at Powershell. Feel free to contribute 😉 I’m happy to extend this blogpost to fully automate this.

  3. Pingback: Azure MFA authentication method analysis. Share the results with Power Automate! – JanBakker.tech – More Stuff 2 Read [Quite Sparsely]

Leave a Reply

Your email address will not be published. Required fields are marked *