Entra / Microsoft 365 · Users & guests
Find Microsoft 365 admin center sign-ins
Find user accounts that signed into the Microsoft 365 admin center in the last 30 days and report their MFA status.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-MgGraph -Scope AuditLogs.Read.All
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
Connect-MgGraph -Scope AuditLogs.Read.All$M365AdminCenterId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Office 365 Portal'").AppIdWrite-Host "Checking for sign-ins to the Microsoft 365 Admin center..."[array]$M365PortalSignIns = Get-MgBetaAuditLogSignIn -Filter "AppId eq '$M365AdminCenterId' and status/ErrorCode eq 0" -All -PageSize 500If (!($M365PortalSignIns)) {Write-Host "No sign-ins found to the Microsoft 365 Admin center"Break}Write-Host ("Found {0} sign-ins to the Microsoft 365 Admin center for the last 30 days" -f $M365PortalSignIns.Count)Write-Host "Checking MFA status for users who sign into the Microsoft 365 Admin center..."[array]$UniqueUsers = $M365PortalSignIns | Sort-Object UserPrincipalName -Unique$Report = [System.Collections.Generic.List[Object]]::new()ForEach ($User in $UniqueUsers) {$MFA = "Not enabled"If ($User.authenticationRequirement -eq 'multifactorauthentication') {$MFA = "Enabled"}$ReportLine = [PSCustomObject] @{User = $User.UserDisplayName'MFA Status' = $MFA'Last sign-in' = $User.createdDateTime}$Report.Add($ReportLine)}Write-Host ""Write-Host "Accounts that sign into the Microsoft 365 Admin Center"Write-Host "------------------------------------------------------"$Report$Report | Out-GridView -Title "Accounts that sign into the Microsoft 365 Admin Center"
Attribution
Author
Office365itpros