Finding Only Users who have Exchange Enabled Using Get-MSOLUser

Hello Everyone,
I have the glorious task of compiling the list of users who are MFA Enabled in our tenant. Our tenant is quite messy, over 480 domains, multiple things going on. I’m trying to find a way to only retrieve a list of users from Get-MsolUser that are Enabled, licensed with either E1 or E3, and have Exchange enabled in their plan.

I’ve gotten as far as to be able to figure out who has an E1 or E3, but I can’t figure out the next step. Here is what I have so far:

Get-MsolUser -EnabledFilter EnabledOnly -All |
Where-Object -FilterScript {(($_.licenses).AccountSkuId -match "enterprisepack") -or (($_.licenses).AccountSkuId -match "standardpack")} |
Select-Object DisplayName,UserPrincipalName,@{N="Email Address"; E={$_.ProxyAddresses |
Where-Object {$_ -cmatch '^SMTP\:.*'}}},@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} |
Export-CSV "C:\Users\rmartin\Scripts\MFA Users - $((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" -NoTypeInformation

Here is an update that we’ve come up with:

Get-MsolUser -EnabledFilter EnabledOnly -All | 
Where-Object {$_.Licenses.ServiceStatus | 
Where-Object {(($_.ServicePlan.ServiceName -eq "EXCHANGE_S_ENTERPRISE") -or ($_.ServicePlan.ServiceName -eq "EXCHANGE_S_STANDARD")) -and $_.ProvisioningStatus -eq "Success"}} | 
Select-Object DisplayName, UserPrincipalName, @{N="Email Address"; E={$_.ProxyAddresses | 
Where-Object {$_ -cmatch '^SMTP\:.*'}}}, @{N="MFA Status"; E={if($_.StrongAuthenticationRequirements.State -ne $null) {$_.StrongAuthenticationRequirements.State} else {"Disabled"}}} | 
Export-CSV "C:\Users\rmartin\Scripts\MFA Users - $((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv"

Thank you for any help that anyone can provide!

  • Rob

Is it the Exchange enabled bit your struggling with?

Can you compare all the attributes returned for a user with mail and a user without mail? I can’t test it but the msExchRecipientTypeDetails attribute looks like one worth checking and should be returned by Get-MsolUser.