From 236a9818580e85fcbcc1fc8c3e2ada2c1f77f4e0 Mon Sep 17 00:00:00 2001
From: AdminDroid <49208841+admindroid-community@users.noreply.github.com>
Date: Tue, 25 Apr 2023 19:04:33 +0530
Subject: [PATCH] =?UTF-8?q?Export=20Office=20365=20Users=E2=80=99=20Last?= =?UTF-8?q?=20Password=20Change=20Date=20using=20MS=20Graph?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Export Office 365 Users’ Last Password Change Date using MS Graph
---
 .../PasswordExpiryReport.ps1 | 230 +++++++++++++++++
 .../PwdExpiryReport.ps1 | 233 ------------------
 2 files changed, 230 insertions(+), 233 deletions(-)
 create mode 100644 Office 365 Password Expiry Report/PasswordExpiryReport.ps1
 delete mode 100644 Office 365 Password Expiry Report/PwdExpiryReport.ps1

diff --git a/Office 365 Password Expiry Report/PasswordExpiryReport.ps1 b/Office 365 Password Expiry Report/PasswordExpiryReport.ps1
new file mode 100644
index 0000000..60c1028
--- /dev/null
+++ b/Office 365 Password Expiry Report/PasswordExpiryReport.ps1
@@ -0,0 +1,230 @@
+<#
+=============================================================================================
+Name: Export Office 365 Users’ Last Password Change Date using MS Graph
+website: o365reports.com
+Script by: O365Reports Team
+Version: 4.0
+For detailed Script execution: https://o365reports.com/2020/02/17/export-office-365-users-last-password-change-date-to-csv
+============================================================================================
+#>
+Param
+(
+ [Parameter(Mandatory = $false)]
+ [switch]$PwdNeverExpires,
+ [switch]$PwdExpired,
+ [switch]$LicensedUserOnly,
+ [int]$SoonToExpire,
+ [int]$RecentPwdChanges,
+ [switch]$EnabledUsersOnly,
+ [string]$TenantId,
+ [string]$ClientId,
+ [string]$CertificateThumbprint
+)
+
+$MsGraphModule = Get-Module Microsoft.Graph -ListAvailable
+if($MsGraphModule -eq $null)
+{
+ Write-host "Important: Microsoft graph module is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
+ $confirm = Read-Host Are you sure you want to install Microsoft graph module? [Y] Yes [N] No
+ if($confirm -match "[yY]")
+ {
+ Write-host "Installing Microsoft graph module..."
+ Install-Module Microsoft.Graph -Scope CurrentUser
+ Write-host "Microsoft graph module is installed in the machine successfully" -ForegroundColor Magenta
+ }
+ else
+ {
+ Write-host "Exiting. `nNote: Microsoft graph module must be available in your system to run the script" -ForegroundColor Red
+ Exit
+ }
+}
+if(($TenantId -ne "") -and ($ClientId -ne "") -and ($CertificateThumbprint -ne ""))
+{
+ Connect-MgGraph -TenantId $TenantId -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -ErrorAction SilentlyContinue -ErrorVariable ConnectionError|Out-Null
+ if($ConnectionError -ne $null)
+ {
+ Write-Host $ConnectionError -Foregroundcolor Red
+ Exit
+ }
+}
+else
+{
+ Connect-MgGraph -Scopes "Directory.Read.All" -ErrorAction SilentlyContinue -Errorvariable ConnectionError |Out-Null
+ if($ConnectionError -ne $null)
+ {
+ Write-Host "$ConnectionError" -Foregroundcolor Red
+ Exit
+ }
+}
+Write-Host "Microsoft Graph Powershell module is connected successfully" -ForegroundColor Green
+Select-MgProfile beta
+
+$UserCount = 0
+$PrintedUser = 0
+$Result = ""
+$PwdPolicy=@{}
+#Output file declaration
+$ExportCSV = ".\PasswordExpiryReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv"
+
+#Getting Password policy for the domain
+$Domains = Get-MgDomain #-Status Verified
+foreach($Domain in $Domains)
+{
+ #Check for federated domain
+ if($Domain.AuthenticationType -eq "Federated")
+ {
+ $PwdValidity = 0
+ }
+ else
+ {
+ $PwdValidity = $Domain.PasswordValidityPeriodInDays
+ if($PwdValidity -eq $null)
+ {
+ $PwdValidity = 90
+ }
+ }
+ $PwdPolicy.Add($Domain.Id,$PwdValidity)
+}
+Write-Host Generating report... -ForegroundColor Magenta
+#Loop through each user
+Get-MgUser -All -Property DisplayName,UserPrincipalName,LastPasswordChangeDateTime,PasswordPolicies,AssignedLicenses,AccountEnabled | foreach{
+ $UPN = $_.UserPrincipalName
+ $DisplayName = $_.DisplayName
+ [boolean]$Federated = $false
+ $UserCount++
+ #Remove external users
+ if($UPN -like "*#EXT#*")
+ {
+ return
+ }
+ $PwdLastChange = $_.LastPasswordChangeDateTime
+ $PwdPolicies = $_.PasswordPolicies
+ $LicenseStatus = $_.AssignedLicenses
+ $Print = 0
+ Write-Progress -Activity "`n Processed user count: $UserCount "`n" Currently Processing: $DisplayName"
+ if($LicenseStatus -ne $null)
+ {
+ $LicenseStatus = "Licensed"
+ }
+ else
+ {
+ $LicenseStatus = "Unlicensed"
+ }
+ if($_.AccountEnabled -eq $true)
+ {
+ $AccountStatus = "Enabled"
+ }
+ else
+ {
+ $AccountStatus = "Disabled"
+ }
+ #Finding password validity period for user
+ $UserDomain= $UPN -Split "@" | Select-Object -Last 1
+ $PwdValidityPeriod=$PwdPolicy[$UserDomain]
+ #Check for Pwd never expires set from pwd policy
+ if([int]$PwdValidityPeriod -eq 2147483647)
+ {
+ $PwdNeverExpire = $true
+ $PwdExpireIn = "Never Expires"
+ $PwdExpiryDate = "-"
+ $PwdExpiresIn = "-"
+ }
+ elseif($PwdValidityPeriod -eq 0) #Users from federated domain
+ {
+ $Federated = $true
+ $PwdExpireIn = "Insufficient data in O365"
+ $PwdExpiryDate = "-"
+ $PwdExpiresIn = "-"
+ }
+ elseif($PwdPolicies -eq "none" -or $PwdPolicies -eq "DisableStrongPassword") #Check for Pwd never expires set from Set-MsolUser
+ {
+ $PwdExpiryDate = $PwdLastChange.AddDays($PwdValidityPeriod)
+ $PwdExpiresIn = (New-TimeSpan -Start (Get-Date) -End $PwdExpiryDate).Days
+ if($PwdExpiresIn -gt 0)
+ {
+ $PwdExpireIn = "Will expire in $PwdExpiresIn days"
+ }
+ elseif($PwdExpiresIn -lt 0)
+ {
+ #Write-host `n $PwdExpiresIn
+ $PwdExpireIn = $PwdExpiresIn * (-1)
+ #Write-Host ************$pwdexpiresin
+ $PwdExpireIn = "Expired $PwdExpireIn days ago"
+ }
+ else
+ {
+ $PwdExpireIn = "Today"
+ }
+ }
+ else
+ {
+ $PwdExpireIn = "Never Expires"
+ $PwdExpiryDate = "-"
+ $PwdExpiresIn = "-"
+ }
+ #Calculating Password since last set
+ $PwdSinceLastSet = (New-TimeSpan -Start $PwdLastChange).Days
+ #Filter for enabled users
+ if(($EnabledUsersOnly.IsPresent) -and ($_.AccountEnabled -eq $false))
+ {
+ return
+ }
+ #Filter for user with Password nerver expires
+ if(($PwdNeverExpires.IsPresent) -and ($PwdExpireIn -ne "Never Expires"))
+ {
+ return
+ }
+
+ #Filter for password expired users
+ if(($PwdExpired.IsPresent) -and (($PwdExpiresIn -ge 0) -or ($PwdExpiresIn -eq "-")))
+ {
+ return
+ }
+
+ #Filter for licensed users
+ if(($LicensedUserOnly.IsPresent) -and ($LicenseStatus -eq "Unlicensed"))
+ {
+ return
+ }
+
+ #Filter for soon to expire pwd users
+ if(($SoonToExpire -ne "") -and (($PwdExpiryDate -eq "-") -or ($SoonToExpire -lt $PwdExpiresIn) -or ($PwdExpiresIn -lt 0)))
+ {
+ return
+ }
+
+ #Filter for recently password changed users
+ if(($RecentPwdChanges -ne "") -and ($PwdSinceLastSet -gt $RecentPwdChanges))
+ {
+ return
+ }
+ if($Federated -eq $true)
+ {
+ $PwdExpiryDate = "Insufficient data in O365"
+ $PwdExpiresIn = "Insufficient data in O365"
+ }
+ $PrintedUser++
+ #Export result to csv
+ $Result = [PSCustomObject]@{'Display Name'=$_.DisplayName;'User Principal Name'=$UPN;'Pwd Last Change Date'=$PwdLastChange;'Days since Pwd Last Set'=$PwdSinceLastSet;'Pwd Expiry Date'=$PwdExpiryDate;'Friendly Expiry Time'=$PwdExpireIn ;'License Status'=$LicenseStatus;'Days since Expiry(-) / Days to Expiry(+)'=$PwdExpiresIn;'Account Status'=$AccountStatus}
+ $Result | Export-Csv -Path $ExportCSV -Notype -Append
+}
+if($UserCount -eq 0)
+{
+ Write-Host No records found
+}
+else
+{
+ Write-Host "`nThe output file contains " -NoNewline
+ Write-Host $PrintedUser users. -ForegroundColor Green
+ if((Test-Path -Path $ExportCSV) -eq "True")
+ {
+ Write-Host `nThe Output file available in $ExportCSV -ForegroundColor Green
+ $Prompt = New-Object -ComObject wscript.shell
+ $UserInput = $Prompt.popup("Do you want to open output file?",` 0,"Open Output File",4)
+ if ($UserInput -eq 6)
+ {
+ Invoke-Item "$ExportCSV"
+ }
+ }
+}
+Disconnect-MgGraph | Out-Null
\ No newline at end of file
diff --git a/Office 365 Password Expiry Report/PwdExpiryReport.ps1 b/Office 365 Password Expiry Report/PwdExpiryReport.ps1
deleted file mode 100644
index 01d7a34..0000000
--- a/Office 365 Password Expiry Report/PwdExpiryReport.ps1
+++ /dev/null
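Review bot: Accounts whose `PasswordPolicies` is empty fall through to the final `else` and are reported as "Never Expires", because the branch `elseif($PwdPolicies -eq "none" -or $PwdPolicies -eq "DisableStrongPassword")` in the per-user loop only computes an expiry date for those two exact strings. If Graph returns no value for users that simply inherit the domain policy (worth confirming against a test tenant), the report and the `-PwdExpired` / `-SoonToExpire` filters would silently omit exactly the accounts an auditor is looking for. Testing for the opt-out flag instead keeps every other value on the expiring path: `elseif($PwdPolicies -notmatch "DisablePasswordExpiration")`. The same branch calls `$PwdLastChange.AddDays(...)` without checking for a missing `LastPasswordChangeDateTime`, so a guard there would be worth adding too.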
@@ -1,233 +0,0 @@ -<# -============================================================================================= -Name: Export Office 365 Users’ Last Password Change Date to CSV -website: o365reports.com -Script by: O365Reports Team -For detailed Script execution: https://o365reports.com/2020/02/17/export-office-365-users-last-password-change-date-to-csv -============================================================================================ -#> -Param -( - [Parameter(Mandatory = $false)] - [switch]$PwdNeverExpires, - [switch]$PwdExpired, - [switch]$LicensedUserOnly, - [int]$SoonToExpire, - [int]$RecentPwdChanges, - [switch]$EnabledUsersOnly, - [string]$UserName, - [string]$Password -) - -#Check for MSOnline module -$Module=Get-Module -Name MSOnline -ListAvailable -if($Module.count -eq 0) -{ - Write-Host MSOnline module is not available -ForegroundColor yellow - $Confirm= Read-Host Are you sure you want to install module? [Y] Yes [N] No - if($Confirm -match "[yY]") - { - Install-Module MSOnline - Import-Module MSOnline - } - else - { - Write-Host MSOnline module is required to connect AzureAD.Please install module using Install-Module MSOnline cmdlet. 
- Exit - } -} - -#Storing credential in script for scheduling purpose/ Passing credential as parameter -if(($UserName -ne "") -and ($Password -ne "")) -{ - $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force - $Credential = New-Object System.Management.Automation.PSCredential $UserName,$SecuredPassword - Connect-MsolService -Credential $credential -} -else -{ - Connect-MsolService | Out-Null -} - -$Result="" -$PwdPolicy=@{} -$Results=@() -$UserCount=0 -$PrintedUser=0 - -#Output file declaration -$ExportCSV=".\PasswordExpiryReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" - -#Getting Password policy for the domain -$Domains=Get-MsolDomain #-Status Verified -foreach($Domain in $Domains) -{ - #Check for federated domain - if($Domain.Authentication -eq "Federated") - { - $PwdValidity=0 - } - else - { - $PwdValidity=(Get-MsolPasswordPolicy -DomainName $Domain.Name -ErrorAction SilentlyContinue ).ValidityPeriod - if($PwdValidity -eq $null) - { - $PwdValidity=90 - } - } - $PwdPolicy.Add($Domain.name,$PwdValidity) -} - Write-Host Generating report... 
-#Loop through each user -Get-MsolUser -All | foreach{ - $UPN=$_.UserPrincipalName - $DisplayName=$_.DisplayName - [boolean]$Federated=$false - $UserCount++ - #Remove external users - if($UPN -like "*#EXT#*") - { - return - } - - $PwdLastChange=$_.LastPasswordChangeTimestamp - $PwdNeverExpire=$_.PasswordNeverExpires - $LicenseStatus=$_.isLicensed - $Print=0 - Write-Progress -Activity "`n Processed user count: $UserCount "`n" Currently Processing: $DisplayName" - if($LicenseStatus -eq $true) - { - $LicenseStatus="Licensed" - } - else - { - $LicenseStatus="Unlicensed" - } - - if($_.BlockCredential -eq $true) - { - $AccountStatus="Disabled" - } - else - { - $AccountStatus="Enabled" - } - - #Finding password validity period for user - $UserDomain= $UPN -Split "@" | Select-Object -Last 1 - $PwdValidityPeriod=$PwdPolicy[$UserDomain] - - #Check for Pwd never expires set from pwd policy - if([int]$PwdValidityPeriod -eq 2147483647) - { - $PwdNeverExpire=$true - $PwdExpireIn="Never Expires" - $PwdExpiryDate="-" - $PwdExpiresIn="-" - } - elseif($PwdValidityPeriod -eq 0) #Users from federated domain - { - $Federated=$true - $PwdExpireIn="Insufficient data in O365" - $PwdExpiryDate="-" - $PwdExpiresIn="-" - } - elseif($PwdNeverExpire -eq $False) #Check for Pwd never expires set from Set-MsolUser - { - $PwdExpiryDate=$PwdLastChange.AddDays($PwdValidityPeriod) - $PwdExpiresIn=(New-TimeSpan -Start (Get-Date) -End $PwdExpiryDate).Days - if($PwdExpiresIn -gt 0) - { - $PwdExpireIn= "in $PwdExpiresIn days" - } - elseif($PwdExpiresIn -lt 0) - { - #Write-host `n $PwdExpiresIn - $PwdExpireIn =$PwdExpiresIn * (-1) - #Write-Host ************$pwdexpiresin - $PwdExpireIn="$PwdExpireIn days ago" - } - else - { - $PwdExpireIn="Today" - } - } - else - { - $PwdExpireIn="Never Expires" - $PwdExpiryDate="-" - $PwdExpiresIn="-" - } - - #Calculating Password since last set - $PwdSinceLastSet=(New-TimeSpan -Start $PwdLastChange).Days - - #Filter for enabled users - if(($EnabledUsersOnly.IsPresent) 
-and ($AccountStatus -eq "Disabled")) - { - return - } - - #Filter for user with Password nerver expires - if(($PwdNeverExpires.IsPresent) -and ($PwdNeverExpire -eq $false)) - { - return - } - - #Filter for password expired users - if(($pwdexpired.IsPresent) -and (($PwdExpiresIn -ge 0) -or ($PwdExpiresIn -eq "-"))) - { - return - } - - #Filter for licensed users - if(($LicensedUserOnly.IsPresent) -and ($LicenseStatus -eq "Unlicensed")) - { - return - } - - #Filter for soon to expire pwd users - if(($SoonToExpire -ne "") -and (($PwdExpiryDate -eq "-") -or ([int]$SoonToExpire -lt $PwdExpiresIn) -or ($PwdExpiresIn -lt 0))) - { - return - } - - #Filter for recently password changed users - if(($RecentPwdChanges -ne "") -and ($PwdSinceLastSet -gt $RecentPwdChanges)) - { - return - } - - if($Federated -eq $true) - { - $PwdExpiryDate="Insufficient data in O365" - $PwdExpiresIn="Insufficient data in O365" - } - - $PrintedUser++ - - #Export result to csv - $Result=@{'Display Name'=$DisplayName;'User Principal Name'=$upn;'Pwd Last Change Date'=$PwdLastChange;'Days since Pwd Last Set'=$PwdSinceLastSet;'Pwd Expiry Date'=$PwdExpiryDate;'Days since Expiry(-) / Days to Expiry(+)'=$PwdExpiresIn ;'Friendly Expiry Time'=$PwdExpireIn;'License Status'=$LicenseStatus;'Account Status'=$AccountStatus} - $Results= New-Object PSObject -Property $Result - $Results | Select-Object 'Display Name','User Principal Name','Pwd Last Change Date','Days since Pwd Last Set','Pwd Expiry Date','Friendly Expiry Time','License Status','Days since Expiry(-) / Days to Expiry(+)','Account Status' | Export-Csv -Path $ExportCSV -Notype -Append -} - -If($UserCount -eq 0) -{ - Write-Host No records found -} -else -{ - Write-Host `nThe output file contains $PrintedUser users. 
- if((Test-Path -Path $ExportCSV) -eq "True") - { - Write-Host `nThe Output file available in $ExportCSV -ForegroundColor Green - $Prompt = New-Object -ComObject wscript.shell - $UserInput = $Prompt.popup("Do you want to open output file?",` - 0,"Open Output File",4) - If ($UserInput -eq 6) - { - Invoke-Item "$ExportCSV" - } - } -}