Filip Kasaj

I can act how I want, but I can't want what I want.

User Tools

Site Tools

Trace: mfareport
technet:msgraph:mfareport

How to Report Azure AD Admin Accounts Not Protected by MFA 

  1. # ReportMFAStatusAdmins.PS1
  2. # 
  3. # Uses https://docs.microsoft.com/en-us/graph/api/userregistrationdetails-get
  4. # Example of how to use the User Registration Details API to report admin accounts that are not MFA-enabled.
  5. # https://github.com/12Knocksinna/Office365itpros/blob/master/ReportMFAStatusAdmins.PS1
  6.  
  7. Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All, AuditLog.Read.All
  8. Select-MgProfile -Beta
  9. Write-Host "Retrieving information about users holding Microsoft 365 administratrive roles"
  10. $AdminRoleHolders = [System.Collections.Generic.List[Object]]::new() 
  11. [array]$AdminRoles = Get-MgDirectoryRole | Select-Object DisplayName, Id
  12. ForEach ($Role in $AdminRoles) {
  13.     [array]$RoleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id | ? {$_.AdditionalProperties."@odata.type" -eq "#microsoft.graph.user"}
  14.     ForEach ($Member in $RoleMembers) {
  15.       $UserDetails = Get-MgUser -UserId $Member.Id
  16.       $ReportLine  = [PSCustomObject] @{   
  17.          User   = $UserDetails.UserPrincipalName
  18.          Id     = $UserDetails.Id
  19.          Role   = $Role.DisplayName
  20.          RoleId = $Role.Id }
  21.      $AdminRoleHolders.Add($ReportLine) }
  22. }
  23. $AdminRoleHolders = $AdminRoleHolders | Sort User
  24. $Unique = $AdminRoleHolders | Sort User -Unique
  25.  
  26. # Create a slightly different report where each user has their assigned roles in one record
  27. $UniqueAdminRoleHolders = [System.Collections.Generic.List[Object]]::new() 
  28.    ForEach($User in $Unique) {
  29.      $Records = $AdminRoleHolders | ? {$_.id -eq $User.Id}
  30.      $AdminRoles = $Records.Role -join ", "
  31.      $ReportLine  = [PSCustomObject] @{  
  32.         Id      = $User.Id 
  33.         User    = $User.User
  34.         Roles   = $AdminRoles }
  35.     $UniqueAdminRoleHolders.Add($ReportLine)
  36. }
  37. Write-Host ("There are {0} user accounts holding Microsoft 365 administrative roles." -f $UniqueAdminRoleHolders.count)
  38.  
  39. Write-Host "Scanning for MFA status"
  40. # Retrieve member accounts that are licensed
  41. [array]$Users = Get-MgUser -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records -All
  42.  
  43. $UserRegistrationDetails = [System.Collections.Generic.List[Object]]::new() 
  44. ForEach ($User in $Users) {
  45.    Write-Host ("Checking admin roles and MFA status for {0}" -f $User.DisplayName)
  46.    $Uri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails/" + $User.Id
  47.    $AccessMethodData = Invoke-MgGraphRequest -Uri $Uri -Method Get
  48.    # Check if Admin
  49.    $AdminAccount = $False; $AdminRolesHeld = $Null
  50.    If ($user.id -in $UniqueAdminRoleHolders.Id) { 
  51.       $AdminAccount = $True
  52.       $AdminRolesHeld = ($UniqueAdminRoleHolders | ? {$_.Id -eq $User.Id} | Select -ExpandProperty Roles) }
  53.    $ReportLine  = [PSCustomObject] @{ 
  54.       User             = $User.Displayname
  55.       Id               = $User.Id
  56.       AdminAccount     = $AdminAccount
  57.       AdminRoles       = $AdminRolesHeld
  58.       MfaRegistered    = $AccessMethodData.isMfaRegistered
  59.       defaultMfaMethod = $AccessMethodData.defaultMfaMethod
  60.       isMfaCapable     = $AccessMethodData.isMfaCapable
  61.       Methods          = $AccessMethodData.MethodsRegistered -join ", " }
  62.   $UserRegistrationDetails.Add($ReportLine)
  63. } #End ForEach
  64.  
  65. [Array]$ProblemAdminAccounts = $UserRegistrationDetails | ? {$_.AdminAccount -eq $True -and $_.MfaRegistered -eq $False }
  66. If ($ProblemAdminAccounts) {
  67.    Cls
  68.    Write-Host "The following accounts have administrative roles and are not enabled for MFA."
  69.    Write-Host "-----------------------------------------------------------------------------"
  70.    Write-Host ""
  71.    $ProblemAdminAccounts | Select User, AdminRoles
  72. }
  73.  
  74. $UserRegistrationDetails | Export-Excel -Path c:\temp\UserRegistrationDetails.xlsx
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
technet/msgraph/mfareport.txt · Last modified: 2023/06/14 09:43 by A User Not Logged in