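<#
    .SYNOPSIS
    Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users.

    .DESCRIPTION
    The Get-MFAStatus function connects to Microsoft Online Service and retrieves the MFA status for all Azure Active Directory users, excluding guest accounts. Optionally, you can specify a single user by their User Principal Name (UPN) to get their MFA status.

    .PARAMETER UserId
    The User Principal Name (UPN) of a specific user to retrieve MFA status for. If not provided, the function retrieves MFA status for all users.

    .PARAMETER SkipMSOLConnectionChecks
    When set, Connect-MsolService is not called. Use this when the current session is already connected to the tenant; otherwise the MSOL cmdlets will fail.

    .EXAMPLE
    Get-MFAStatus

    Retrieves the MFA status for all Azure Active Directory users.

    .EXAMPLE
    Get-MFAStatus -UserId "example@domain.com"

    Retrieves the MFA status for the specified user with the UPN "example@domain.com".

    .OUTPUTS
    System.Object
    Returns a sorted list of custom objects containing the following properties:
    - UserPrincipalName
    - DisplayName
    - MFAState
    - MFADefaultMethod
    - MFAPhoneNumber
    - PrimarySMTP
    - Aliases
    - isLicensed

    .NOTES
    The function requires the MSOL module to be installed and connected to your tenant.
    Ensure that you have the necessary permissions to read user and MFA status information.

    MFAState and MFADefaultMethod are read from the per-user (legacy) MFA settings
    (StrongAuthenticationRequirements / StrongAuthenticationMethods). MFA that is enforced
    through Conditional Access policies or Security Defaults is not reflected in these
    properties, so an MFAState of 'Disabled' does not by itself mean the user can sign in
    without MFA.

    The output includes registered MFA phone numbers; treat exported reports as sensitive data.

    .LINK
    https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-MFAStatus
#>
function Get-MFAStatus {
    [OutputType([System.Object])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$UserId,

        [switch]$SkipMSOLConnectionChecks
    )

    begin {
        # Load the MSOnline module quietly; a missing module is reported in the
        # process block with an actionable install hint instead of a raw error.
        Import-Module MSOnline -ErrorAction SilentlyContinue

        # Friendly names for the per-user MFA default method types.
        # Method types not listed here are reported unchanged.
        $methodNames = @{
            'OneWaySMS'            = 'Text code authentication phone'
            'TwoWayVoiceMobile'    = 'Call authentication phone'
            'TwoWayVoiceOffice'    = 'Call office phone'
            'PhoneAppOTP'          = 'Authenticator app or hardware token'
            'PhoneAppNotification' = 'Microsoft authenticator app'
        }
    }

    process {
        if (-not (Get-Module MSOnline)) {
            # Warning stream rather than host output, so a caller is not left
            # with an empty result and no indication that nothing was checked.
            Write-Warning "You must first install MSOL using:`nInstall-Module MSOnline -Scope CurrentUser -Force"
            return
        }

        if (-not $SkipMSOLConnectionChecks) {
            # Stop if the connection fails; otherwise Get-MsolUser would run
            # against an unauthenticated session and the function would return
            # an empty report that reads as "no accounts".
            Connect-MsolService -ErrorAction Stop
        }

        Write-Host "Finding Azure Active Directory Accounts..."

        # Either the single requested UPN, or all non-guest users
        $Users = if ($PSBoundParameters.ContainsKey('UserId')) {
            Get-MsolUser -UserPrincipalName $UserId
        }
        else {
            Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
        }
        # Wrap in an array so a single user or a null result still has a sensible Count
        $Users = @($Users)

        $Report = [System.Collections.Generic.List[Object]]::new() # Create output list
        Write-Host "Processing $($Users.Count) accounts..."
        if ($Users.Count -eq 0) {
            Write-Warning "No accounts were returned; check the tenant connection and the UserId filter."
        }

        foreach ($User in $Users) {
            # -eq $true works whether IsDefault is a boolean or a "True"/"False" string
            $rawMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
            $MFAPhoneNumber = $User.StrongAuthenticationUserDetails.PhoneNumber

            # Primary SMTP is the upper-case "SMTP:" proxy address; aliases are the lower-case "smtp:" ones
            $PrimarySMTP = $User.ProxyAddresses | Where-Object { $_ -clike "SMTP*" } | ForEach-Object { $_ -creplace '^SMTP:', '' }
            $Aliases = $User.ProxyAddresses | Where-Object { $_ -clike "smtp*" } | ForEach-Object { $_ -creplace '^smtp:', '' }

            # Per-user MFA state; no requirements object means per-user MFA is not configured
            $MFAState = if ($User.StrongAuthenticationRequirements) {
                $User.StrongAuthenticationRequirements.State
            }
            else {
                'Disabled'
            }

            $methodKey = [string]$rawMethod
            $MFADefaultMethod = if (-not $rawMethod) {
                'Not enabled'
            }
            elseif ($methodNames.ContainsKey($methodKey)) {
                $methodNames[$methodKey]
            }
            else {
                $rawMethod
            }

            $ReportLine = [PSCustomObject] @{
                UserPrincipalName = $User.UserPrincipalName
                DisplayName       = $User.DisplayName
                MFAState          = $MFAState
                MFADefaultMethod  = $MFADefaultMethod
                MFAPhoneNumber    = $MFAPhoneNumber
                PrimarySMTP       = ($PrimarySMTP -join ',')
                Aliases           = ($Aliases -join ',')
                isLicensed        = $User.isLicensed
            }

            $Report.Add($ReportLine)
        }

        Write-Host "Processing complete."
        Write-Host "To disconnect from the MsolService close the powershell session or wait for the session to expire."
        return $Report | Select-Object UserPrincipalName, DisplayName, MFAState, MFADefaultMethod, MFAPhoneNumber, PrimarySMTP, Aliases, isLicensed | Sort-Object UserPrincipalName
    }
}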