mirror of
https://github.com/admindroid-community/powershell-scripts.git
synced 2025-12-17 08:25:20 +00:00
Identify MFA Deployment Source
Identify MFA Deployment Source
This commit is contained in:
AdminDroid
parent
511ce47458
commit
16082ed337
@ -1,7 +1,7 @@
|
||||
<#
|
||||
=============================================================================================
|
||||
Name: Identify MFA Deployment Sources in Microsoft 365 Using PowerShell
|
||||
Version: 2.0
|
||||
Version: 3.0
|
||||
website: o365reports.com
|
||||
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
@ -11,7 +11,7 @@ Script Highlights:
|
||||
2. Helps you understand user MFA registration status (registered or not) to plan your MFA rollout campaigns efficiently.
|
||||
3. It specifically identifies MFA sources for external users as well.
|
||||
4. The script checks which Conditional Access policies demand MFA and tells you if users have registered for that MFA method as required by those policies.
|
||||
5. Automatically install the missing required module Microsoft Graph Beta with your confirmation.
|
||||
5. Automatically install the missing required module Microsoft Graph with your confirmation.
|
||||
6. The script can be executed with an MFA-enabled account too.
|
||||
7. Exports report results as a CSV file.
|
||||
8. The script is scheduler-friendly, making it easy to automate.
|
||||
@ -23,6 +23,7 @@ Change Log:
|
||||
V1.0 (Jul 03, 2024) - File created
|
||||
V1.1 (Nov 04, 2024) - Scope updation to resolve permission issue
|
||||
v2.0 (Jun 27, 2025) - Removed MSOnline PowerShell module to retrieve per-user MFA status and used Graph API.
|
||||
v3.0 (Nov 06, 2025) - Upgraded from the 'MS Graph beta module' to Microsoft Graph module and modified to iterate over Policy IDs to find all assigned policies.
|
||||
|
||||
|
||||
For detailed Script execution: : https://o365reports.com/2024/06/26/identity-mfa-deployment-source-in-microsoft-365-using-powershell/
|
||||
@ -38,19 +39,19 @@ param
|
||||
)
|
||||
|
||||
$ErrorActionPreference = "Stop"
|
||||
# Check if Microsoft Graph Beta module is installed
|
||||
$MsGraphModule = Get-Module Microsoft.Graph.Beta -ListAvailable
|
||||
# Check if Microsoft Graph module is installed
|
||||
$MsGraphModule = Get-Module Microsoft.Graph -ListAvailable
|
||||
if($MsGraphModule -eq $null)
|
||||
{
|
||||
Write-host "Important: Microsoft Graph Beta module is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
|
||||
$confirm = Read-Host Are you sure you want to install Microsoft Graph Beta module? [Y] Yes [N] No
|
||||
Write-host "Important: Microsoft Graph module is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
|
||||
$confirm = Read-Host Are you sure you want to install Microsoft Graph module? [Y] Yes [N] No
|
||||
if($confirm -match "[yY]") {
|
||||
Write-host "Installing Microsoft Graph Beta module..."
|
||||
Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber
|
||||
Write-host "Microsoft Graph Beta module is installed in the machine successfully" -ForegroundColor Magenta
|
||||
Write-host "Installing Microsoft Graph module..."
|
||||
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber
|
||||
Write-host "Microsoft Graph module is installed in the machine successfully" -ForegroundColor Magenta
|
||||
}
|
||||
else {
|
||||
Write-host "Exiting. `nNote: Microsoft Graph Beta module must be available in your system to run the script" -ForegroundColor Red
|
||||
Write-host "Exiting. `nNote: Microsoft Graph module must be available in your system to run the script" -ForegroundColor Red
|
||||
Exit
|
||||
}
|
||||
}
|
||||
@ -131,7 +132,7 @@ function Get-UserIdsByRole {
|
||||
foreach ($Role in $Roles) {
|
||||
$DirRole = $DirectoryRole | Where-Object { $_.RoleTemplateId -eq $Role }
|
||||
if ($DirRole) {
|
||||
$RoleMembers = Get-MgBetaDirectoryRoleMember -DirectoryRoleId $DirRole.Id
|
||||
$RoleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $DirRole.Id
|
||||
if ($RoleMembers) {
|
||||
$UserIds += $RoleMembers.Id
|
||||
}
|
||||
@ -168,13 +169,13 @@ else
|
||||
}
|
||||
|
||||
Write-Host "`nRetrieving Entra Users..."
|
||||
$MgUsers = Get-MgBetaUser -All | Sort-Object DisplayName
|
||||
$MgUsers = Get-MgUser -All | Sort-Object DisplayName
|
||||
#Check Security Default is enabled or not
|
||||
$SecurityDefault = (Get-MgBetaPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
|
||||
$DirectoryRole = Get-MgBetaDirectoryRole -All
|
||||
$SecurityDefault = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
|
||||
$DirectoryRole = Get-MgDirectoryRole -All
|
||||
|
||||
#Get the User Rgistration Details
|
||||
$UserAuthenticationDetail = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All | Select-Object UserPrincipalName, MethodsRegistered, IsMFARegistered , Id
|
||||
$UserAuthenticationDetail = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Select-Object UserPrincipalName, MethodsRegistered, IsMFARegistered , Id
|
||||
$ProcessedUserCount =0
|
||||
|
||||
#check for Security default if disabled start to process the Conditional access policies
|
||||
@ -193,11 +194,16 @@ else
|
||||
$ExcludeUsers = @()
|
||||
$Registered = @()
|
||||
$NotRegistered = @()
|
||||
|
||||
# Use Policy ID as the key for user inclusion and hashtable to map unique Policy ID to Display Name
|
||||
$UsersInPolicy = @{}
|
||||
$PolicyDetails = @{}
|
||||
|
||||
# Get conditional access policies that involve MFA and enabled
|
||||
$Policies = Get-MgBetaIdentityConditionalAccessPolicy -All | Where-Object { ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.RequirementsSatisfied -contains 'mfa') -and $_.State -contains 'enabled' }
|
||||
$Policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.RequirementsSatisfied -contains 'mfa') -and $_.State -contains 'enabled' }
|
||||
$Policy = $Policies | Where-Object { $_.displayname -eq 'Authentication' }
|
||||
$ProcessedPolicyCount = 0
|
||||
|
||||
#Get the External users if it was specified in the policy
|
||||
if($Policies.Conditions.Users.IncludeGuestsOrExternalUsers -ne $null -or $Policies.Conditions.Users.ExcludeGuestsOrExternalUsers -ne $null)
|
||||
{
|
||||
@ -236,11 +242,11 @@ else
|
||||
$LocalGuest = $MgUsers | where-object { $_.ExternalUserState -eq $null -and $_.UserType -eq 'Guest'}
|
||||
|
||||
#B2B Direct connect
|
||||
$Groups = Get-MgBetaTeam -All
|
||||
$Groups = Get-MgTeam -All
|
||||
$B2BDirectConnect = @()
|
||||
ForEach($ExternalUser in $ExternalUsers)
|
||||
{
|
||||
$MemberOfs = Get-MgBetaUserMemberof -UserId $ExternalUser.Id | Where-Object {$_.Id -ne $null}
|
||||
$MemberOfs = Get-MgUserMemberof -UserId $ExternalUser.Id | Where-Object {$_.Id -ne $null}
|
||||
ForEach($MemberOf in $MemberOfs)
|
||||
{
|
||||
if($Groups.Id -contains $MemberOf.Id)
|
||||
@ -252,7 +258,7 @@ else
|
||||
|
||||
}
|
||||
|
||||
#Hash table ofthe Required Authentication Strength with respect to the Registered method
|
||||
#Hash table of the Required Authentication Strength with respect to the Registered method
|
||||
$AllowedCombinations = @{
|
||||
"mobilephone" = @("sms","Password,sms")
|
||||
"alternateMobilePhone" = @("sms","Password,sms")
|
||||
@ -292,17 +298,23 @@ else
|
||||
}
|
||||
if($Check)
|
||||
{
|
||||
$IncludeUsers += if($Policy.Conditions.Users.IncludeGroups){ $Policy.Conditions.Users.IncludeGroups | ForEach-Object { if ($Members = Get-MgBetaGroupMember -GroupId $_) { $Members.Id}if($Owner = Get-MgBetaGroupOwner -GroupId $_){$Owner.Id} } }
|
||||
$IncludeUsers += if($Policy.Conditions.Users.IncludeGroups){ $Policy.Conditions.Users.IncludeGroups | ForEach-Object { if ($Members = Get-MgGroupMember -GroupId $_) { $Members.Id}if($Owner = Get-MgGroupOwner -GroupId $_){$Owner.Id} } }
|
||||
$IncludeUsers += Get-UserIdsByRole -Roles $Policy.Conditions.Users.IncludeRoles -DirectoryRole $DirectoryRole
|
||||
$IncludeUsers += Process-ExternalUsers -ExternalTenantUser $IncludedExternalUser -UsersinTenant $UsersinTenant -B2BGuest $B2BGuest.Id -B2BMember $B2BMember.Id -LocalGuest $LocalGuest.Id -B2BDirectConnect $B2BDirectConnect
|
||||
}
|
||||
$ExcludeUsers = if($Policy.Conditions.Users.ExcludeUsers){$Policy.Conditions.Users.ExcludeUsers}
|
||||
$ExcludeUsers += if($Policy.Conditions.Users.ExcludeGroups){$Policy.Conditions.Users.ExcludeGroups | ForEach-Object { if ($Members = Get-MgBetaGroupMember -GroupId $_) { $Members.Id} if($Owner = Get-MgBetaGroupOwner -GroupId $_){$Owner.Id}}}
|
||||
$ExcludeUsers += if($Policy.Conditions.Users.ExcludeGroups){$Policy.Conditions.Users.ExcludeGroups | ForEach-Object { if ($Members = Get-MgGroupMember -GroupId $_) { $Members.Id} if($Owner = Get-MgGroupOwner -GroupId $_){$Owner.Id}}}
|
||||
$ExcludeUsers += Get-UserIdsByRole -Roles $Policy.Conditions.Users.ExcludeRoles -DirectoryRole $DirectoryRole
|
||||
$ExcludeUsers += Process-ExternalUsers -ExternalTenantUser $ExcludedExternalUser -UsersinTenant $UsersinTenant -B2BGuest $B2BGuest.Id -B2BMember $B2BMember.Id -LocalGuest $LocalGuest.Id -B2BDirectConnect $B2BDirectConnect
|
||||
$ExcludeId += $ExcludeUsers
|
||||
$IncludeId += $IncludeUsers | Where-Object { $_ -notin $ExcludeUsers }
|
||||
$UsersInPolicy[$Policy.DisplayName] += $IncludeUsers | Where-Object { $_ -notin $ExcludeUsers }
|
||||
|
||||
# Use Policy ID as the key for storing included users
|
||||
$UsersInPolicy[$Policy.Id] += $IncludeUsers | Where-Object { $_ -notin $ExcludeUsers }
|
||||
|
||||
# Map the Policy ID to the Policy Display Name
|
||||
$PolicyDetails[$Policy.Id] = $Policy.DisplayName
|
||||
|
||||
if ($Policy.GrantControls.AuthenticationStrength.RequirementsSatisfied -contains 'mfa')
|
||||
{
|
||||
$NotRegistered += $IncludeUsers| Where-Object { $_ -notin $ExcludeUsers }
|
||||
@ -340,7 +352,6 @@ else
|
||||
$ProcessedUserCount = 0
|
||||
$FilePath = ".\MFA_Deployment_Sources_Report_$((Get-Date -format 'yyyy-MMM-dd-ddd hh-mm tt').ToString()).csv"
|
||||
|
||||
#Now starts the Process of Checking various conditions for the users
|
||||
foreach ($User in $MgUsers)
|
||||
{
|
||||
$name = @()
|
||||
@ -352,8 +363,16 @@ foreach ($User in $MgUsers)
|
||||
# Get user authentication details
|
||||
$UserAuthDetails = $UserAuthenticationDetail | Where-Object { $_.UserPrincipalName -eq $User.UserPrincipalName }
|
||||
$MethodsRegistered = if ($UserAuthDetails.MethodsRegistered -ne "") { $UserAuthDetails.MethodsRegistered -join ',' } else { 'None' }
|
||||
$Name += foreach($Pol in $Policies.DisplayName){if($UsersInPolicy[$pol] -contains $user.Id){$Pol}}
|
||||
$PolicyName = $Name -join','
|
||||
|
||||
#Iterate over Policy IDs to find all assigned policies
|
||||
foreach ($PolicyId in $UsersInPolicy.Keys) {
|
||||
if ($UsersInPolicy[$PolicyId] -contains $User.Id) {
|
||||
# Retrieve the policy name using the unique ID
|
||||
$name += $PolicyDetails[$PolicyId]
|
||||
}
|
||||
}
|
||||
$PolicyName = $name -join ','
|
||||
|
||||
$MFAEnforce = @{
|
||||
'User Display Name' = $User.DisplayName
|
||||
'User Principal Name' = $User.UserPrincipalName
|
||||
@ -391,7 +410,7 @@ Disconnect-MgGraph | Out-Null
|
||||
if((Test-Path -Path $FilePath) -eq "True")
|
||||
{
|
||||
Write-Host `n~~ Script prepared by AdminDroid Community ~~`n -ForegroundColor Green
|
||||
Write-Host "~~ Check out " -NoNewline -ForegroundColor Green; Write-Host "admindroid.com" -ForegroundColor Yellow -NoNewline; Write-Host " to get access to 1800+ Microsoft 365 reports. ~~" -ForegroundColor Green `n
|
||||
Write-Host "~~ Check out " -NoNewline -ForegroundColor Green; Write-Host "admindroid.com" -ForegroundColor Yellow -NoNewline; Write-Host " to access 3,000+ reports and 450+ management actions across your Microsoft 365 environment. ~~" -ForegroundColor Green `n
|
||||
Write-Host "Exported report has $ProcessedUserCount user(s)"
|
||||
$Prompt = New-Object -ComObject wscript.shell
|
||||
$UserInput = $Prompt.popup("Do you want to open output file?",` 0,"Open Output File",4)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user