Built a free M365 MFA Audit script — shows who has no MFA, weak MFA, and unprotected admins [GitHub]
Posted by Anxious_Toe_6617@reddit | sysadmin | 18 comments
Hey r/sysadmin,
Been working in MSP for a couple years and kept running into the same problem — clients with no idea who has MFA and who doesn't.
Built a free PowerShell script that scans your entire M365 tenant and outputs:
- Users with NO MFA (critical)
- Users with weak MFA only (SMS/voice — bypassable)
- Admin accounts without MFA
- Per-user method breakdown (Authenticator, FIDO2, TOTP, SMS...)
- Color-coded HTML report + CSV export
Uses Microsoft.Graph module, no legacy MSOnline.
GitHub: https://github.com/JUrica11/m365-security-toolkit
If you find it useful — I also put together a full Security Hardening Pack (CA audit, guest cleanup, admin roles audit, legacy auth detection, Secure Score report) available separately.
Happy to answer questions or take feedback.
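As an added illustration of the kind of check the post describes (this is example code, not the linked toolkit's own script), the following PowerShell uses the Microsoft.Graph SDK's authentication-method registration report to classify every user as no MFA, weak (phone-based) MFA only, or OK, and to surface admins first. It assumes the SDK is installed, the signed-in account holds the `AuditLog.Read.All` permission, and it treats `mobilePhone`, `alternateMobilePhone` and `officePhone` as the "weak" set; that classification and the output file name are this example's own choices.

```powershell
# Added example, not code from the linked toolkit. Assumes the Microsoft.Graph SDK is
# installed and the account used has AuditLog.Read.All for the registration report.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Phone-based methods; calling these "weak" is this example's own policy choice.
$WeakMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
# Methods that only serve self-service password reset and do not count as MFA.
$SsprOnly    = @('email', 'securityQuestion')

# Pull the registration report for every user (-All pages through the results).
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$rows = foreach ($d in $details) {
    $methods    = @($d.MethodsRegistered)
    $mfaMethods = @($methods | Where-Object { $_ -notin $SsprOnly })
    $strong     = @($mfaMethods | Where-Object { $_ -notin $WeakMethods })

    $status = if (-not $d.IsMfaRegistered -or $mfaMethods.Count -eq 0) { 'NO_MFA' }
              elseif ($strong.Count -eq 0) { 'WEAK_ONLY' }
              else { 'OK' }

    [pscustomobject]@{
        User    = $d.UserPrincipalName
        IsAdmin = $d.IsAdmin
        Status  = $status
        Methods = ($methods -join ';')
    }
}

# Highest-priority findings first: admin accounts not covered by a strong method.
$rows | Where-Object { $_.IsAdmin -and $_.Status -ne 'OK' } |
    Sort-Object User | Format-Table -AutoSize

# Summary counts and a CSV for the client report (file name is arbitrary).
$rows | Group-Object Status | Select-Object Name, Count
$rows | Export-Csv -Path '.\mfa-audit.csv' -NoTypeInformation
```

Note that the report reflects what users have registered, not what a sign-in actually required; pair it with a Conditional Access review to know which of the registered methods are ever enforced.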
Asleep_Spray274@reddit
Just a note on the wording "bypassable". That suggests that MFA is required and an auth happened without completing the MFA. That's not the case in any MFA method.
DesignatedControvert@reddit
I'm assuming you used Claude for this. I don't judge, it's totally fine. Just mention it somewhere so that we know what we're dealing with.
MitAllesOhneScharf@reddit
Of course it is, just like the post itself is written by AI.
Anxious_Toe_6617@reddit (OP)
Fair enough. The post structure is mine, Claude helped with wording. The scripts work, that's what matters to me.
Anxious_Toe_6617@reddit (OP)
Yep, used Claude to help write and structure the scripts. I work in IT support and have been dealing with M365 tenants for a couple of years. I reviewed the logic, tested it on real tenants, and fixed issues that came up. AI helps me build faster, but the problem knowledge and testing is mine. Totally fair point though, will add a note to the README.
DesignatedControvert@reddit
Thanks, appreciate it.
maryteiss@reddit
Nice! An important blind spot that even some big orgs miss. Can't protect what you can't see!
wey0402@reddit
Tip: Use https://maester.dev
dat510geek@reddit
I don't mind that Claude built the building blocks. At least you tested it and fixed it. Right, that's the point. Thanks for sharing.
Anxious_Toe_6617@reddit (OP)
Exactly, that was the idea. Thanks for getting it!
tejanaqkilica@reddit
What's the point of this over conditional access? From there you can force users to have MFA and a specific type of MFA, or pound sand.
Anxious_Toe_6617@reddit (OP)
Fair, CA enforces MFA going forward, but this script shows you the current state before you enforce. Useful for auditing inherited tenants, reporting to clients, or identifying who will get locked out when you flip the CA switch. Different use case.
_l33ter_@reddit
Admin accounts without MFA --> crazy! Is that for real??
Julyens@reddit
First thing I usually set up is a conditional access policy that forces MFA on all admin roles.
Anxious_Toe_6617@reddit (OP)
Exactly, that's actually the first thing the Conditional Access Audit script in my security pack checks for. A lot of tenants either don't have that policy at all, or have it in report-only mode and forgot to enable it. Surprising how often it slips through.
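The report-only trap mentioned above is easy to check for programmatically. As an added example (not the security pack's own script), this reads every Conditional Access policy through the Microsoft.Graph SDK, keeps the ones that target directory roles and require MFA (either the built-in `mfa` grant control or an authentication strength), and warns when none of them is actually in the `enabled` state. It assumes the SDK is installed, the account has `Policy.Read.All`, and uses the property names of the Graph v1.0 `conditionalAccessPolicy` resource; the "covers admins" rule is deliberately simplified and is this example's own.

```powershell
# Added example, not code from the linked security pack. Assumes the Microsoft.Graph SDK
# is installed and the account used has Policy.Read.All (read-only is enough to audit).
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# A policy "covers admins with MFA" for this example if it targets at least one directory
# role and its grant controls require mfa or an authentication strength. Exclusions,
# app scoping and session controls are ignored here on purpose.
$adminMfa = foreach ($p in $policies) {
    $roleCount   = @($p.Conditions.Users.IncludeRoles).Count
    $requiresMfa = ('mfa' -in @($p.GrantControls.BuiltInControls)) -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)

    if ($roleCount -gt 0 -and $requiresMfa) {
        [pscustomobject]@{
            Policy = $p.DisplayName
            # enabled | disabled | enabledForReportingButNotEnforced (report-only)
            State  = $p.State
            Roles  = $roleCount
        }
    }
}

$adminMfa | Sort-Object State | Format-Table -AutoSize

$enforced = @($adminMfa | Where-Object { $_.State -eq 'enabled' })
if ($enforced.Count -eq 0) {
    Write-Warning 'No ENABLED Conditional Access policy requires MFA for directory roles; report-only and disabled policies enforce nothing.'
}
```

Running this alongside a registration report gives the two halves of the picture: who has registered a strong method, and whether any enabled policy ever asks admins for one.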
_l33ter_@reddit
Yep. You nailed it :)
Anxious_Toe_6617@reddit (OP)
Unfortunately yes, it's more common than you'd think, especially in smaller businesses and MSPs that inherited tenants from previous admins. Run it on a few client tenants and you'll be surprised. That's exactly why I built this.
_l33ter_@reddit
Most of them, I manage. So I'm 100% sure that I'm not finding it. However I will look outside of my bubble. That really makes me wonder! :)
I believe you even without checking for myself! – Still, I think it’s absolutely crazy and unreasonable!