108 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			PowerShell
		
	
	
	
	
	
			
		
		
	
	
			108 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			PowerShell
		
	
	
	
	
	
| <#
 | |
|     .SYNOPSIS
 | |
|         Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users.
 | |
|     .DESCRIPTION
 | |
|         The Get-MFAStatus function connects to Microsoft Online Service and retrieves the MFA status for all Azure Active Directory users, excluding guest accounts. Optionally, you can specify a single user by their User Principal Name (UPN) to get their MFA status.
 | |
|     .PARAMETER UserId
 | |
|         The User Principal Name (UPN) of a specific user to retrieve MFA status for. If not provided, the function retrieves MFA status for all users.
 | |
|     .EXAMPLE
 | |
|         Get-MFAStatus
 | |
|             Retrieves the MFA status for all Azure Active Directory users.
 | |
|     .EXAMPLE
 | |
|         Get-MFAStatus -UserId "example@domain.com"
 | |
|             Retrieves the MFA status for the specified user with the UPN "example@domain.com".
 | |
|     .OUTPUTS
 | |
|         System.Object
 | |
|             Returns a sorted list of custom objects containing the following properties:
 | |
|                 - UserPrincipalName
 | |
|                 - DisplayName
 | |
|                 - MFAState
 | |
|                 - MFADefaultMethod
 | |
|                 - MFAPhoneNumber
 | |
|                 - PrimarySMTP
 | |
|                 - Aliases
 | |
|     .NOTES
 | |
|         The function requires the MSOL module to be installed and connected to your tenant.
 | |
|         Ensure that you have the necessary permissions to read user and MFA status information.
 | |
|     .LINK
 | |
|     https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-MFAStatus
 | |
| #>
 | |
| function Get-MFAStatus {
 | |
|     [OutputType([System.Object])]
 | |
|     [CmdletBinding()]
 | |
|     param (
 | |
|         [Parameter(Mandatory = $false)]
 | |
|         [ValidateNotNullOrEmpty()]
 | |
|         [string]$UserId,
 | |
|         [switch]$SkipMSOLConnectionChecks
 | |
|     )
 | |
| 
 | |
|     begin {
 | |
|         # Connect to Microsoft Online service
 | |
|         Import-Module MSOnline -ErrorAction SilentlyContinue
 | |
|     }
 | |
| 
 | |
|     process {
 | |
|         if (Get-Module MSOnline){
 | |
|             if (-not $SkipMSOLConnectionChecks) {
 | |
|                 Connect-MsolService
 | |
|             }
 | |
|             Write-Host "Finding Azure Active Directory Accounts..."
 | |
|             # Get all users, excluding guests
 | |
|             $Users = if ($PSBoundParameters.ContainsKey('UserId')) {
 | |
|                 Get-MsolUser -UserPrincipalName $UserId
 | |
|             } else {
 | |
|                 Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
 | |
|             }
 | |
|             $Report = [System.Collections.Generic.List[Object]]::new() # Create output list
 | |
|             Write-Host "Processing $($Users.Count) accounts..."
 | |
|             ForEach ($User in $Users) {
 | |
|                 $MFADefaultMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq "True" }).MethodType
 | |
|                 $MFAPhoneNumber = $User.StrongAuthenticationUserDetails.PhoneNumber
 | |
|                 $PrimarySMTP = $User.ProxyAddresses | Where-Object { $_ -clike "SMTP*" } | ForEach-Object { $_ -replace "SMTP:", "" }
 | |
|                 $Aliases = $User.ProxyAddresses | Where-Object { $_ -clike "smtp*" } | ForEach-Object { $_ -replace "smtp:", "" }
 | |
| 
 | |
|                 If ($User.StrongAuthenticationRequirements) {
 | |
|                     $MFAState = $User.StrongAuthenticationRequirements.State
 | |
|                 }
 | |
|                 Else {
 | |
|                     $MFAState = 'Disabled'
 | |
|                 }
 | |
| 
 | |
|                 If ($MFADefaultMethod) {
 | |
|                     Switch ($MFADefaultMethod) {
 | |
|                         "OneWaySMS" { $MFADefaultMethod = "Text code authentication phone" }
 | |
|                         "TwoWayVoiceMobile" { $MFADefaultMethod = "Call authentication phone" }
 | |
|                         "TwoWayVoiceOffice" { $MFADefaultMethod = "Call office phone" }
 | |
|                         "PhoneAppOTP" { $MFADefaultMethod = "Authenticator app or hardware token" }
 | |
|                         "PhoneAppNotification" { $MFADefaultMethod = "Microsoft authenticator app" }
 | |
|                     }
 | |
|                 }
 | |
|                 Else {
 | |
|                     $MFADefaultMethod = "Not enabled"
 | |
|                 }
 | |
| 
 | |
|                 $ReportLine = [PSCustomObject] @{
 | |
|                     UserPrincipalName = $User.UserPrincipalName
 | |
|                     DisplayName       = $User.DisplayName
 | |
|                     MFAState          = $MFAState
 | |
|                     MFADefaultMethod  = $MFADefaultMethod
 | |
|                     MFAPhoneNumber    = $MFAPhoneNumber
 | |
|                     PrimarySMTP       = ($PrimarySMTP -join ',')
 | |
|                     Aliases           = ($Aliases -join ',')
 | |
|                     isLicensed        = $User.isLicensed
 | |
|                 }
 | |
| 
 | |
|                 $Report.Add($ReportLine)
 | |
|             }
 | |
| 
 | |
|             Write-Host "Processing complete."
 | |
|             Write-Host "To disconnect from the MsolService close the powershell session or wait for the session to expire."
 | |
|             return $Report | Select-Object UserPrincipalName, DisplayName, MFAState, MFADefaultMethod, MFAPhoneNumber, PrimarySMTP, Aliases, isLicensed | Sort-Object UserPrincipalName
 | |
|         }
 | |
|         else {
 | |
|             Write-Host "You must first install MSOL using:`nInstall-Module MSOnline -Scope CurrentUser -Force"
 | |
|         }
 | |
|     }
 | |
| }
 |