Power Platform Community, Power Automate forum
Check if MFA setup has completed and then add user to group...

Posted by ludvig

Greetings and salutations. I am trying to wrap my head around MS Flow, and before I waste too much time, I need to check with you all whether it is possible at all :).

My goal is the following:

I need a flow that I can trigger manually (for now) and that does the following:

1. When triggered, the admin enters the user that is to be worked on.
2. Flow sends an email to the user entered, with text asking the user to complete the steps in https://aka.ms/MFASetup.
3. Flow waits (can it do that?) until the user has completed the above step (gone through setting up MFA) and then adds the user to a security group in AAD.
4. Flow sends an email to the user with text and a link to an internal article on how to proceed.
5. etc...

Maybe I need to combine this in two flows... one flow that sends the user an email with info and a link to a new flow of some kind, that asks the user to complete the steps in https://aka.ms/MFASetup and then has a step where the user confirms it has been done... or something...

  • v-yamao-msft

    Hi @ludvig,

    I am afraid there is no direct way to check whether a user has completed setting up MFA on their side. We could, however, consider sending them an email with Yes and No options so that they select Yes from the email body once they have completed it.

    Please take the following workaround as a reference.

    Add the Button trigger and add an Email input.

    Add the action Send email with options, send the email to the User, and set User Options to Yes and No. Insert a URL into the body of the email like below:

    <a href="https://aka.ms/MFASetup">click here to set up</a>

    Besides, you should add some comments in the email body so that the user knows they should only click the Yes button once they have completed setting up MFA. Please remember to select Yes for the Is HTML field.

    Then add a Condition with the dynamic content Selected option is equal to Yes.

    Under the If yes branch, add the action Get user profile (V2) and select the dynamic content User email from the trigger.

    Then add the action Add user to group. Get the Group Id from Azure AD, and use the dynamic content ID from the previous action.

    To send an email to the user with text and a link to an internal article, add the action Send an email and insert a link in the email body. Please make sure to enable Yes for the Is HTML field:

    <a href="an URL">Test URL</a>

    A screenshot for your reference.

    (screenshots 1.PNG and 2.PNG not reproduced)

    Please take a try with it on your side.

    Best regards,

    Mabel

  • ludvig

    Awesome, thank you very much. I will give this a go and report back :D.

  • v-yamao-msft

    Hi @ludvig,

     

    Does it work for you?

    Please mark it as the answer if it works for you.

     

    Best regards,

    Mabel

  • ludvig

    It works as described :). However, we still have a requirement that the user should not be added to the group before MFA has been set up. As it is now, the user can still just click the button in the email and be added to the group, regardless of whether MFA has been set up or not. I tried marking it as a solution, but I get an error saying "Authentication failed for the action you are trying to do." but I will keep trying.

    On another note, do you know if it is possible to combine an Azure function of some kind with Flow? So that one could start the flow, then have the user access an Azure function that is protected with a Conditional Access policy that requires MFA for access... Then, when the Azure function is successfully loaded (after MFA has been set up, of course, as if it is not, the function cannot load), it triggers a new flow that adds the user to a group?... Just ideas pouring out now 😉
  • v-yamao-msft

    Hi @ludvig,

     

    As you mentioned, the user will be added to the group once they click the Yes button, regardless of whether MFA has been set up or not. However, we don't have a direct way to check whether a user has completed setting up MFA or not.

    By the way, we could call an Azure function from Microsoft flow, please check the following doc:

    https://docs.microsoft.com/en-us/azure/azure-functions/functions-flow-scenario

    Please take a try with it on your side.

     

    Best regards
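The gap the thread settles on above, in the Yes/No workaround and again in ludvig's follow-up, is the one a reviewer would flag first: a button in an e-mail is a self-attestation, not evidence, so the "Add user to group" step has no real precondition. The directory does hold the evidence. Microsoft Graph exposes a per-user authentication-method registration report (`reports/authenticationMethods/userRegistrationDetails`) with an `isMfaRegistered` and a stricter `isMfaCapable` flag, and the Microsoft Graph PowerShell SDK surfaces it as `Get-MgReportAuthenticationMethodUserRegistrationDetail`. The PowerShell below is an added example, not code from the thread or from Microsoft; it gates the group add on that report instead of on the e-mail answer. The user principal name, the group id and the permission scope list are assumptions to adjust to your tenant.

```powershell
# Added example, not code from the thread: gate the "add to group" step on the
# directory's own MFA registration record instead of on a Yes/No answer in an e-mail.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Placeholders to adjust: the UPN, the group id and the scope list (all assumptions).
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,
    [Parameter(Mandatory = $true)][string]$GroupId
)

# Scopes: look the user up, read the registration report, change group membership.
# Treat this list as an assumption and confirm it against the Graph permission reference.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "GroupMember.ReadWrite.All" | Out-Null

function Get-MfaRegistrationState {
    param([string]$Upn)
    $user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
    # The registration report is keyed by the user's object id, not the UPN.
    $detail = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id
    [PSCustomObject]@{
        Id              = $user.Id
        Upn             = $user.UserPrincipalName
        IsMfaRegistered = [bool]$detail.IsMfaRegistered   # any MFA method registered at all
        IsMfaCapable    = [bool]$detail.IsMfaCapable      # a registered method the tenant policy allows for MFA
        Methods         = @($detail.MethodsRegistered)
        DefaultMethod   = $detail.DefaultMfaMethod
    }
}

function Add-UserToGroupIfMfaRegistered {
    param([string]$Upn, [string]$GroupId)
    $state = Get-MfaRegistrationState -Upn $Upn

    # IsMfaCapable is the stricter check: a method that is registered but disabled by the
    # authentication methods policy still shows as "registered" but cannot satisfy a prompt.
    if (-not $state.IsMfaCapable) {
        Write-Warning ("$($state.Upn): no MFA-capable method registered yet (registered: $($state.Methods -join ',')); " +
                       "not adding to $GroupId. The report is refreshed asynchronously, so re-check later " +
                       "rather than treating this as final.")
        return $false
    }

    # Idempotent: a second run must not fail on an existing membership.
    $already = Get-MgGroupMember -GroupId $GroupId -All | Where-Object { $_.Id -eq $state.Id }
    if ($already) {
        Write-Host "$($state.Upn) is already a member of $GroupId"
        return $true
    }

    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $state.Id | Out-Null
    Write-Host "$($state.Upn) added to $GroupId (default MFA method: $($state.DefaultMethod))"
    return $true
}

Add-UserToGroupIfMfaRegistered -Upn $UserPrincipalName -GroupId $GroupId
```

The same check can be made inside the flow: an HTTP action that calls `GET https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails/{userId}` placed before the Add user to group action, with a Condition on `isMfaCapable`, gives the Yes button an actual precondition. Two caveats a practitioner would want: the report is not updated in real time, so a `false` shortly after the user finishes setup means "not yet" and the flow should retry rather than reject; and if the goal is simply that the user cannot work without MFA, a Conditional Access policy that requires MFA for the target resources forces registration at the next sign-in, which removes the race between registration and group membership altogether.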

  • PedroNL

    I am wondering if we could take this command and output the details to Excel, or a Power BI report maybe. Let me know your thoughts?

     

     

    Here is the PowerShell script:

    <#
    =============================================================================================
    Name: Export Office 365 MFA status report
    Description: This script exports Microsoft 365 MFA status report to CSV
    Version: 2.2
    =============================================================================================
    Note: the MSOnline module (Connect-MsolService, Get-MsolUser) is deprecated by Microsoft in
    favour of the Microsoft Graph PowerShell SDK; the script is kept on the legacy module so it
    runs as originally posted. It reports the legacy per-user MFA state
    (StrongAuthenticationRequirements); a user with registered methods but no per-user
    requirement is labelled "Enabled via Conditional Access" on that basis alone.
    #>
    Param
    (
        [Parameter(Mandatory = $false)]
        [switch]$DisabledOnly,
        [switch]$EnabledOnly,
        [switch]$EnforcedOnly,
        [switch]$ConditionalAccessOnly,
        [switch]$AdminOnly,
        [switch]$LicensedUserOnly,
        [Nullable[boolean]]$SignInAllowed = $null,
        [string]$UserName,
        # A plaintext -Password on the command line ends up in shell history and process
        # listings; for scheduled runs prefer a stored PSCredential or a secret store.
        [string]$Password
    )

    # Check for the MSOnline module
    $Modules = Get-Module -Name MSOnline -ListAvailable
    if ($Modules.Count -eq 0)
    {
        Write-Host "Please install the MSOnline module using the command below:`nInstall-Module MSOnline" -ForegroundColor Yellow
        Exit
    }

    # Credential passed as parameters (for scheduling) or prompted for interactively
    if (($UserName -ne "") -and ($Password -ne ""))
    {
        $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force
        $Credential = New-Object System.Management.Automation.PSCredential $UserName, $SecuredPassword
        Connect-MsolService -Credential $Credential
    }
    else
    {
        Connect-MsolService | Out-Null
    }

    $UserCount = 0
    $PrintedUser = 0

    # Output file declaration
    $TimeStamp = Get-Date -Format "yyyy-MMM-dd-ddd hh-mm tt"
    $ExportCSV = ".\MFADisabledUserReport_$TimeStamp.csv"
    $ExportCSVReport = ".\MFAEnabledUserReport_$TimeStamp.csv"

    # Loop through each user
    Get-MsolUser -All | ForEach-Object {
        $UserCount++
        $DisplayName = $_.DisplayName
        $Upn = $_.UserPrincipalName
        $MFAStatus = $_.StrongAuthenticationRequirements.State   # legacy per-user MFA: Enabled / Enforced / $null
        $MethodTypes = $_.StrongAuthenticationMethods
        $RolesAssigned = ""
        Write-Progress -Activity "Processed user count: $UserCount" -Status "Currently processing: $DisplayName"

        if ($_.BlockCredential -eq $true)
        {
            $SignInStatus = "False"
            $SignInStat = "Denied"
        }
        else
        {
            $SignInStatus = "True"
            $SignInStat = "Allowed"
        }

        # Filter result based on sign-in status
        if (($SignInAllowed -ne $null) -and ([string]$SignInAllowed -ne [string]$SignInStatus))
        {
            return
        }

        # Filter result based on license status
        if ($LicensedUserOnly.IsPresent -and ($_.IsLicensed -eq $false))
        {
            return
        }
        $LicenseStat = if ($_.IsLicensed -eq $true) { "Licensed" } else { "Unlicensed" }

        # Check for the user's admin roles (pipeline form so that "no roles" gives an empty array)
        $Roles = @(Get-MsolUserRole -UserPrincipalName $Upn | ForEach-Object { $_.Name })
        if ($Roles.Count -eq 0)
        {
            $RolesAssigned = "No roles"
            $IsAdmin = "False"
        }
        else
        {
            $IsAdmin = "True"
            $RolesAssigned = $Roles -join ","
        }

        # Filter result based on admin users
        if ($AdminOnly.IsPresent -and ($IsAdmin -eq "False"))
        {
            return
        }

        # Check for MFA-enabled user. -and binds tighter than -or in PowerShell, so the
        # unparenthesised original test put users with registered methods into the enabled
        # report even under -DisabledOnly; the grouping here is the intended one.
        if ((($MethodTypes -ne $null) -or ($MFAStatus -ne $null)) -and (-not $DisabledOnly.IsPresent))
        {
            # No per-user requirement but methods registered: attributed to Conditional Access
            if ($MFAStatus -eq $null)
            {
                $MFAStatus = "Enabled via Conditional Access"
            }

            # Filter result based on the EnforcedOnly filter
            if ((($MFAStatus -eq "Enabled") -or ($MFAStatus -eq "Enabled via Conditional Access")) -and $EnforcedOnly.IsPresent)
            {
                return
            }

            # Filter result based on the EnabledOnly filter
            if (($MFAStatus -eq "Enforced") -and $EnabledOnly.IsPresent)
            {
                return
            }

            # Filter result based on MFA enabled via another source
            if ((($MFAStatus -eq "Enabled") -or ($MFAStatus -eq "Enforced")) -and $ConditionalAccessOnly.IsPresent)
            {
                return
            }

            $MethodTypes = $_.StrongAuthenticationMethods.MethodType
            $DefaultMFAMethod = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
            $MFAPhone = $_.StrongAuthenticationUserDetails.PhoneNumber
            $MFAEmail = $_.StrongAuthenticationUserDetails.Email
            if ($MFAPhone -eq $null) { $MFAPhone = "-" }
            if ($MFAEmail -eq $null) { $MFAEmail = "-" }

            if ($MethodTypes -ne $null)
            {
                $ActivationStatus = "Yes"
                $Methods = $MethodTypes -join ","
            }
            else
            {
                $ActivationStatus = "No"
                $Methods = "-"
                $DefaultMFAMethod = "-"
                $MFAPhone = "-"
                $MFAEmail = "-"
            }

            # Print to output file
            $PrintedUser++
            [PSCustomObject]@{
                DisplayName       = $DisplayName
                UserPrincipalName = $Upn
                MFAStatus         = $MFAStatus
                ActivationStatus  = $ActivationStatus
                DefaultMFAMethod  = $DefaultMFAMethod
                AllMFAMethods     = $Methods
                MFAPhone          = $MFAPhone
                MFAEmail          = $MFAEmail
                LicenseStatus     = $LicenseStat
                IsAdmin           = $IsAdmin
                AdminRoles        = $RolesAssigned
                SignInStatus      = $SignInStat
            } | Export-Csv -Path $ExportCSVReport -NoTypeInformation -Append
        }
        # Check for MFA-disabled user
        elseif ($DisabledOnly.IsPresent -and ($MFAStatus -eq $null) -and ($_.StrongAuthenticationMethods.MethodType -eq $null))
        {
            $MFAStatus = "Disabled"
            $Department = $_.Department
            if ($Department -eq $null) { $Department = "-" }
            $PrintedUser++
            [PSCustomObject]@{
                DisplayName       = $DisplayName
                UserPrincipalName = $Upn
                Department        = $Department
                MFAStatus         = $MFAStatus
                LicenseStatus     = $LicenseStat
                IsAdmin           = $IsAdmin
                AdminRoles        = $RolesAssigned
                SignInStatus      = $SignInStat
            } | Export-Csv -Path $ExportCSV -NoTypeInformation -Append
        }
    }

    # Open output file after execution
    Write-Host "`nScript executed successfully"

    if (Test-Path -Path $ExportCSV)
    {
        Write-Host "MFA Disabled user report available in: $ExportCSV"
        $Prompt = New-Object -ComObject wscript.shell
        $UserInput = $Prompt.popup("Do you want to open the output file?", 0, "Open Output File", 4)
        if ($UserInput -eq 6)   # 6 = Yes
        {
            Invoke-Item "$ExportCSV"
        }
        Write-Host "Exported report has $PrintedUser users"
    }
    elseif (Test-Path -Path $ExportCSVReport)
    {
        Write-Host "MFA Enabled user report available in: $ExportCSVReport"
        $Prompt = New-Object -ComObject wscript.shell
        $UserInput = $Prompt.popup("Do you want to open the output file?", 0, "Open Output File", 4)
        if ($UserInput -eq 6)   # 6 = Yes
        {
            Invoke-Item "$ExportCSVReport"
        }
        Write-Host "Exported report has $PrintedUser users"
    }
    else
    {
        Write-Host "No user found that matches your criteria."
    }

    # Clean up session (MSOnline does not open a PSSession; this is harmless)
    Get-PSSession | Remove-PSSession
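PedroNL asks whether the script's output could feed Excel or Power BI. The script already writes CSV, but the MSOnline cmdlets it depends on are deprecated, and the `StrongAuthenticationRequirements` state it reports only reflects legacy per-user MFA, so a tenant that enforces MFA through Conditional Access gets a report that is right only by inference. The PowerShell below is an added example, not code from the thread; it produces the equivalent tenant-wide report from the Microsoft Graph registration-details report, which records what each user has actually registered regardless of how MFA is enforced, and writes a CSV that Excel or Power BI loads directly. The output path and the permission scope list are assumptions.

```powershell
# Added example, not code from the thread: tenant-wide MFA registration report from
# Microsoft Graph, exported to CSV for Excel / Power BI.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
param(
    # Assumed default path; adjust as needed.
    [string]$OutputPath = ".\MfaRegistrationReport_$(Get-Date -Format 'yyyy-MM-dd_HHmm').csv",
    [switch]$NotRegisteredOnly,
    [switch]$AdminOnly
)

# Scope list is an assumption; confirm against the Graph permission reference for your tenant.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" | Out-Null

function Get-MfaRegistrationReport {
    param([switch]$NotRegisteredOnly, [switch]$AdminOnly)
    # -All pages through the whole tenant; each record is one user's registration state.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
        if ($NotRegisteredOnly -and $_.IsMfaRegistered) { return }
        if ($AdminOnly -and -not $_.IsAdmin) { return }
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            DisplayName       = $_.UserDisplayName
            UserType          = $_.UserType
            IsAdmin           = $_.IsAdmin
            IsMfaRegistered   = $_.IsMfaRegistered
            IsMfaCapable      = $_.IsMfaCapable
            DefaultMfaMethod  = $_.DefaultMfaMethod
            # Joined with ';' so the list stays in one CSV cell when Excel splits on ','.
            MethodsRegistered = ($_.MethodsRegistered -join ";")
            IsSsprRegistered  = $_.IsSsprRegistered
            LastUpdated       = $_.LastUpdatedDateTime
        }
    }
}

$rows = @(Get-MfaRegistrationReport -NotRegisteredOnly:$NotRegisteredOnly -AdminOnly:$AdminOnly)
$rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

# The figure whoever reads the report wants first: privileged accounts with no usable MFA method.
$adminGap = @($rows | Where-Object { $_.IsAdmin -and -not $_.IsMfaCapable })
Write-Host ("{0} users exported to {1}; {2} admin accounts have no MFA-capable method." -f $rows.Count, $OutputPath, $adminGap.Count)
```

For a recurring Power BI dataset, schedule this under an identity that holds only the two read scopes and write to a location the report's refresh can read; the `IsMfaCapable` column, not `IsMfaRegistered`, is the one to chart, since a method disabled by the authentication methods policy still counts as registered.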

