Export-MsIdAzureMfaReport -- Compare-Object: Cannot bind argument to parameter 'DifferenceObject' because it is null.

[bendono]

Describe the bug

A recent Microsoft email indicated that multifactor authentication is required for Azure from October 15, 2024. It gave a link to identify users without multifactor authentication enabled.
This documentation provided a link to Export-MsIdAzureMfaReport to generated a report.
Following the documentation results in the following error:
Compare-Object: Cannot bind argument to parameter 'DifferenceObject' because it is null.

To Reproduce

PS C:\> Install-Module MsIdentityTools -Scope CurrentUser
PS C:\>
PS C:\> Connect-MgGraph -Scopes Directory.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All
Welcome to Microsoft Graph!

Connected via delegated access using [redacted]
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

PS C:\>
PS C:\> Export-MsIdAzureMfaReport .\report.xlsx
Compare-Object: Cannot bind argument to parameter 'DifferenceObject' because it is null.
Compare-Object: Cannot bind argument to parameter 'DifferenceObject' because it is null.
Write-Error: Unable to find target address
PS C:\>

Expected behavior

A generated report.
Or better error handling with a clear message indicated the problem and what to change in order to work.
Relevant documentation would be appreciated as well.

Screenshots

Environment (please complete the following information)

Unable to execute.

• Operating System: Windows
• PowerShell Version: PowerShell 7.4.4
• MS Graph PowerShell SDK Module Version: ?

Additional context

[davenonwork]

Same issue.

[merill]

Sorry I'm not able to repro this. Can you run in -Verbose and share the specific point where it fails. Please remove any sensitive data before sharing. Alternatively, please open a support ticket with Microsoft and ask them to reach out to me. Tx.

[bendono]

Hi @merill.
Here is the output when appending -Verbose. I am not sure how sensitive the appids are but redacting just to be safe. Please let me know if I can provide any further details to assist.

Best regards.

[merill]

I think you might have an old version of Graph installed.

Can you uninstall graph, restart PowerShell, check that graph is not installed, then do a fresh install of Microsoft.Graph and try again?

[bendono]

I tried this but there was no change.

Uninstall:

Restart PowerShell and confirm that Graph is not installed anymore:

Re-installed Graph and re-tested:

[antonhansson]

I have the same issue. I also found that pasting the queries from the verbose log (https://graph.microsoft.com/beta/auditLogs/signIns) into the Microsoft graph explorer gives the same error:

    "error": {
        "code": "InternalServerError",
        "message": "Unable to find target address",
        ...

[DogIcing]

Same issue

[JoelLeach]

I have Azure portals for both Personal (live.com) and Work & School accounts. Attempting the process with my Personal account produced the same error as above. Using my Work & School account displayed the following message:

You are using an Entra ID Free tenant which requires additional steps to download the sign-in logs.

Follow these steps to download the sign-in logs.
- Sign-in to https://entra.microsoft.com
- From the left navigation select: Identity → Monitoring & health → Sign-in logs.
- Select the 'Date' filter and set to 'Last 7 days'
- Select 'Add filters' → 'Application' and click 'Apply'
- Type in 'Azure' and click 'Apply'
- Select 'Download' → 'Download JSON'
- Set the 'File Name' of the first textbox to 'signins' and click 'Download'.
- Once the file is downloaded, copy it to the folder where the export command will be run.

Re-run this command with the -SignInsJsonPath parameter.
E.g.> Export-MsIdAzureMfaReport ./report.xlsx -SignInsJsonPath ./signins.json
Write-Error: Neither tenant is B2C or tenant doesn't have premium license

I followed those steps, but that didn't work either:

PS F:\_temp> Export-MsIdAzureMfaReport ./report.xlsx -SignInsJsonPath ./signins.json
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.

Indeed, there is no 'HasSignedInWithMfa' property in the JSON file. I already had MFA enabled on my Work & School account, so I added it to my Personal account using instructions at https://support.microsoft.com/en-us/account-billing/how-to-add-your-accounts-to-microsoft-authenticator-92544b53-7706-4581-a142-30344a2a2a57. Those instructions aren't quite right either, but I managed to get MFA setup. I just hope it works on October 15.

[merill]

@bendono and @antonhansson are you signing in with a personal account or a work account?

[bendono]

@merill I'm not sure how to verify. The above was initially done with the external account that originally provisioned the Azure account (Global Administrator).

I just now checked with another account (also Global Administrator) with the DNS configured to my Azure account. This time I am seeing what @JoelLeach mentioned above, but only for this account.

[smuehlst]

Same issue here.

[Takas372]

@merill
I am experiencing the same error as JoelLeach.
I am getting the following error:

PS C:> Export-MsIdAzureMfaReport .\report.xlsx -SignInsJsonPath .\InteractiveSignIns.json
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.

Will this error be fixed in the future?

[merill]

@Takas372 and @JoelLeach can you try running this older version when running with the Free tenant?

You will need to uninstall what you have and then install with this version

Install-Module -Name MSIdentityTools -RequiredVersion 2.0.68

[Takas372]

@merill ,Thanks for the reply.
It worked fine with that version. I get the same error message as before, but the "report.xlsx" file creation completed perfectly

PS C:> Get-InstalledModule -Name MsIdentityTools
Version              Name                                Repository           Description
-------              ----                                ----------           -----------
2.0.68               MSIdentityTools                     PSGallery            Tools for managing, troubleshooting, and reporting on…

PS C:> Export-MsIdAzureMfaReport .\report.xlsx -SignInsJsonPath .\SignIn.json
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.
PropertyNotFoundException: The property 'HasSignedInWithMfa' cannot be found on this object. Verify that the property exists.

My problem is solved! Thank you!

[stmax82]

@merill @Takas372 I tried using version 2.0.68, but I'm still getting the same error and the report.xlsx file is not created for me.

Is there another / easier way to get a list of users and their MFA status?