mirror of
https://github.com/admindroid-community/powershell-scripts.git
synced 2025-12-17 08:25:20 +00:00
238 lines
11 KiB
PowerShell
238 lines
11 KiB
PowerShell
|
<#
|
|||
|
|
=========================================================================================
|
|||
|
|
Name: Reset MFA for Microsoft 365 Users
|
|||
|
|
Version: 1.0
|
|||
|
|
Website: blog.admindroid.com
|
|||
|
|
|
|||
|
|
~~~~~~~~~~~~~~~~~~
|
|||
|
|
Script Highlights:
|
|||
|
|
~~~~~~~~~~~~~~~~~~
|
|||
|
|
1. The script covers 25+ usecases to reset MFA for Microsoft 365 users more granularly.
|
|||
|
|
2. Users scope
|
|||
|
|
- Single user
|
|||
|
|
- Bulk users (inout CSV)
|
|||
|
|
- All users
|
|||
|
|
- Admin accounts
|
|||
|
|
- Guest accounts
|
|||
|
|
- Licensed users
|
|||
|
|
- Disabled users
|
|||
|
|
3. Supported Authentication methods
|
|||
|
|
- Email
|
|||
|
|
- FIDO2
|
|||
|
|
- Microsoft Authenticator
|
|||
|
|
- Phone
|
|||
|
|
- Software OATH
|
|||
|
|
- Temporary Access Pass
|
|||
|
|
- Windows Hello for Business
|
|||
|
|
3. Exports log file.
|
|||
|
|
4. The script supports certificate-based authentication too.
|
|||
|
|
|
|||
|
|
For detailed script execution: https://blog.admindroid.com/reset-mfa-for-microsoft-365-users/
|
|||
|
|
|
|||
|
|
=========================================================================================
|
|||
|
|
#>
|
|||
|
|
Param
|
|||
|
|
(
|
|||
|
|
[Parameter(Mandatory = $false)]
|
|||
|
|
[ValidateSet(
|
|||
|
|
'Email',
|
|||
|
|
'FIDO2',
|
|||
|
|
'Microsoft Authenticator',
|
|||
|
|
'Phone',
|
|||
|
|
'Software OATH',
|
|||
|
|
'Temporary Access Pass',
|
|||
|
|
'Windows Hello for Business'
|
|||
|
|
)]
|
|||
|
|
[string]$ResetMFAMethod,
|
|||
|
|
[string]$UserId,
|
|||
|
|
[string]$CsvFilePath,
|
|||
|
|
[switch]$AllUsers,
|
|||
|
|
[switch]$AdminsOnly,
|
|||
|
|
[switch]$GuestUsersOnly,
|
|||
|
|
[switch]$LicensedUsersOnly,
|
|||
|
|
[switch]$DisabledUsersOnly,
|
|||
|
|
[string]$TenantId,
|
|||
|
|
[string]$ClientId,
|
|||
|
|
[string]$CertificateThumbprint
|
|||
|
|
|
|||
|
|
)
|
|||
|
|
|
|||
|
|
# Function to connect to Microsoft Graph
|
|||
|
|
function Connect_ToMgGraph {
|
|||
|
|
# Check if Microsoft Graph module is installed
|
|||
|
|
$MsGraphModule = Get-Module Microsoft.Graph -ListAvailable
|
|||
|
|
if ($MsGraphModule -eq $null) {
|
|||
|
|
Write-Host "`nImportant: Microsoft Graph module is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
|
|||
|
|
$confirm = Read-Host "Are you sure you want to install Microsoft Graph module? [Y] Yes [N] No"
|
|||
|
|
if ($confirm -match "[yY]") {
|
|||
|
|
Write-Host "Installing Microsoft Graph module..."
|
|||
|
|
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber
|
|||
|
|
Write-Host "Microsoft Graph module is installed in the machine successfully" -ForegroundColor Magenta
|
|||
|
|
} else {
|
|||
|
|
Write-Host "Exiting. `nNote: Microsoft Graph module must be available in your system to run the script" -ForegroundColor Red
|
|||
|
|
Exit
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
Write-Host "`nConnecting to Microsoft Graph..."
|
|||
|
|
|
|||
|
|
if (($TenantId -ne "") -and ($ClientId -ne "") -and ($CertificateThumbprint -ne "")) {
|
|||
|
|
# Use certificate-based authentication if TenantId, ClientId, and CertificateThumbprint are provided
|
|||
|
|
Connect-MgGraph -TenantId $TenantId -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -NoWelcome
|
|||
|
|
} else {
|
|||
|
|
# Use delegated permissions (Scopes) if credentials are not provided
|
|||
|
|
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Verify connection
|
|||
|
|
if ((Get-MgContext) -ne $null) {
|
|||
|
|
Write-Host "Connected to Microsoft Graph PowerShell using account: $((Get-MgContext).Account)`n"
|
|||
|
|
} else {
|
|||
|
|
Write-Host "Failed to connect to Microsoft Graph." -ForegroundColor Red
|
|||
|
|
Exit
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Function to log details of authentication method removal
|
|||
|
|
function Log-MFAReset {
|
|||
|
|
param (
|
|||
|
|
[string]$UserId,
|
|||
|
|
[string]$AuthMethodType,
|
|||
|
|
[boolean]$Status
|
|||
|
|
)
|
|||
|
|
$Timestamp = (Get-Date).ToLocalTime()
|
|||
|
|
if ($Status) {
|
|||
|
|
$LogEntry = "$Timestamp - MFA reset for $UserId on $AuthMethodType has been successful."
|
|||
|
|
} else {
|
|||
|
|
$LogEntry = "$Timestamp - MFA reset for $UserId on $AuthMethodType has been failed."
|
|||
|
|
}
|
|||
|
|
Add-Content -Path $LogFilePath -Value $LogEntry
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Function to reset MFA authentication method for users
|
|||
|
|
function Reset-MFA {
|
|||
|
|
param(
|
|||
|
|
[string]$UserId,
|
|||
|
|
[object[]]$UserAuthenticationDetail
|
|||
|
|
)
|
|||
|
|
|
|||
|
|
$MethodType = $UserAuthenticationDetail.AdditionalProperties['@odata.type']
|
|||
|
|
$FriendlyAuthName = $AuthMethods.Keys | Where-Object { $AuthMethods[$_] -eq $MethodType }
|
|||
|
|
|
|||
|
|
if ($MethodType -eq '#microsoft.graph.passwordAuthenticationMethod' ) { continue }
|
|||
|
|
|
|||
|
|
# Perform removal based on the method type
|
|||
|
|
switch ($MethodType) {
|
|||
|
|
'#microsoft.graph.emailAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.fido2AuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationFido2Method -UserId $UserId -Fido2AuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.phoneAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.softwareOathAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.temporaryAccessPassAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -TemporaryAccessPassAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
'#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' {
|
|||
|
|
$Script:ResetStatus = Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $UserId -WindowsHelloForBusinessAuthenticationMethodId $UserAuthenticationDetail.Id -PassThru
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Log the MFA reset based on the MFA reset status
|
|||
|
|
Log-MFAReset -UserId $UserId -AuthMethodType $FriendlyAuthName -Status $Script:ResetStatus
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Function to call reset MFA for each users in array
|
|||
|
|
function Reset-MfaForUsers {
|
|||
|
|
param(
|
|||
|
|
[string[]]$Users,
|
|||
|
|
[string]$SpecificAuthMethod
|
|||
|
|
)
|
|||
|
|
|
|||
|
|
$AuthMethods = @{
|
|||
|
|
"Email" = "#microsoft.graph.emailAuthenticationMethod";
|
|||
|
|
"FIDO2" = "#microsoft.graph.fido2AuthenticationMethod";
|
|||
|
|
"Microsoft Authenticator" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod";
|
|||
|
|
"Phone" = "#microsoft.graph.phoneAuthenticationMethod";
|
|||
|
|
"Password" = "#microsoft.graph.passwordAuthenticationMethod";
|
|||
|
|
"Software OATH" = "#microsoft.graph.softwareOathAuthenticationMethod";
|
|||
|
|
"Temporary Access Pass" = "#microsoft.graph.temporaryAccessPassAuthenticationMethod";
|
|||
|
|
"Windows Hello for Business" = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
|
|||
|
|
}
|
|||
|
|
foreach ($User in $Users) {
|
|||
|
|
if (-not [string]::IsNullOrEmpty($SpecificAuthMethod)) {
|
|||
|
|
$UserAuthenticationDetails = Get-MgUserAuthenticationMethod -UserId $User | Select-Object Id, AdditionalProperties | Where-Object { $_.AdditionalProperties['@odata.type'] -eq $AuthMethods[$SpecificAuthMethod] }
|
|||
|
|
} else {
|
|||
|
|
$UserAuthenticationDetails = Get-MgUserAuthenticationMethod -UserId $User | Select-Object Id, AdditionalProperties
|
|||
|
|
}
|
|||
|
|
foreach ($UserAuthenticationDetail in $UserAuthenticationDetails) {
|
|||
|
|
$Script:ResetStatus = $false
|
|||
|
|
Reset-MFA -UserId $User -UserAuthenticationDetail $UserAuthenticationDetail
|
|||
|
|
if (!$Script:ResetStatus) {
|
|||
|
|
Reset-MFA -UserId $User -UserAuthenticationDetail $UserAuthenticationDetail
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Connecting to the Microsoft Graph PowerShell Module
|
|||
|
|
Connect_ToMgGraph
|
|||
|
|
|
|||
|
|
# Define log file path and get users
|
|||
|
|
$LogFilePath = "$(Get-Location)\MFA_Reset_Log_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm-ss` tt).ToString()).txt"
|
|||
|
|
$Users = Get-MgUser -All -Property AccountEnabled, AssignedLicenses, UserType, UserPrincipalName | Select-Object -Property AccountEnabled, AssignedLicenses, UserType, UserPrincipalName
|
|||
|
|
|
|||
|
|
|
|||
|
|
if (-not [string]::IsNullOrEmpty($CsvFilePath)) {
|
|||
|
|
# Load users from the CSV file
|
|||
|
|
$Users = Import-CSV -Path $CsvFilePath
|
|||
|
|
$Users.Name | ForEach-Object { Reset-MfaForUsers -Users $_ -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
elseif (-not [string]::IsNullOrEmpty($UserId)) {
|
|||
|
|
Reset-MfaForUsers -Users $UserId -SpecificAuthMethod $ResetMFAMethod
|
|||
|
|
}
|
|||
|
|
elseif (!$DisabledUsersOnly -and !$LicensedUsersOnly -and !$GuestUsersOnly -and !$AdminsOnly -and !$AllUsers) {
|
|||
|
|
$UserId = Read-Host "Enter the User ID or UPN of a User to Reset MFA"
|
|||
|
|
Reset-MfaForUsers -Users $UserId -SpecificAuthMethod $ResetMFAMethod
|
|||
|
|
}
|
|||
|
|
elseif ($AllUsers.IsPresent) {
|
|||
|
|
$Users | ForEach-Object { Reset-MfaForUsers -Users $_.UserPrincipalName -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
elseif ($DisabledUsersOnly.IsPresent) {
|
|||
|
|
$Users | Where-Object { $_.AccountEnabled -eq $false } | ForEach-Object { Reset-MfaForUsers -Users $_.UserPrincipalName -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
elseif ($LicensedUsersOnly.IsPresent) {
|
|||
|
|
$Users | Where-Object { $_.AssignedLicenses } | ForEach-Object { Reset-MfaForUsers -Users $_.UserPrincipalName -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
elseif ($GuestUsersOnly.IsPresent) {
|
|||
|
|
$Users | Where-Object { $_.UserType -eq "Guest" } | ForEach-Object { Reset-MfaForUsers -Users $_.UserPrincipalName -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
elseif ($AdminsOnly.IsPresent) {
|
|||
|
|
$Users | Where-Object { Get-MgUserTransitiveMemberOfAsDirectoryRole -UserId $_.UserPrincipalName } | ForEach-Object { Reset-MfaForUsers -Users $_.UserPrincipalName -SpecificAuthMethod $ResetMFAMethod }
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
Write-Host `n~~ Script prepared by AdminDroid Community ~~`n -ForegroundColor Green
|
|||
|
|
Write-Host "~~ Check out " -NoNewline -ForegroundColor Green; Write-Host "admindroid.com" -ForegroundColor Yellow -NoNewline; Write-Host " to get access to 1900+ Microsoft 365 reports. ~~" -ForegroundColor Green `n
|
|||
|
|
|
|||
|
|
# Disconnect from Microsoft Graph
|
|||
|
|
Disconnect-MgGraph | Out-Null
|
|||
|
|
|
|||
|
|
if((Test-Path -Path $LogFilePath) -eq "True") {
|
|||
|
|
Write-Host " The MFA reset log file available in: " -NoNewline -ForegroundColor Yellow; Write-Host "$LogFilePath"
|
|||
|
|
$Prompt = New-Object -ComObject wscript.shell
|
|||
|
|
$UserInput = $Prompt.popup("Do you want to open the log file?",` 0,"Open Log File",4)
|
|||
|
|
if ($UserInput -eq 6) {
|
|||
|
|
Invoke-Item "$LogFilePath"
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
else {
|
|||
|
|
Write-Host "`nUser(s) not found or a specific Registration method(s) not configured."
|
|||
|
|
}
|