From 97826ff919d780b98f2e05f6b1e7f4ec39433c49 Mon Sep 17 00:00:00 2001
From: AdminDroid <49208841+admindroid-community@users.noreply.github.com>
Date: Wed, 27 Apr 2022 18:43:33 +0530
Subject: [PATCH] Enable MFA for Admin Users
Enable MFA for Admin Users
---
 .../EnableMFAforAdmins.ps1 | 138 ++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 Enable MFA for Admin Users/EnableMFAforAdmins.ps1
diff --git a/Enable MFA for Admin Users/EnableMFAforAdmins.ps1 b/Enable MFA for Admin Users/EnableMFAforAdmins.ps1
new file mode 100644
index 0000000..e617620
--- /dev/null
+++ b/Enable MFA for Admin Users/EnableMFAforAdmins.ps1
@@ -0,0 +1,138 @@
+<#
+=============================================================================================
+Name: Enable MFA for all Office 365 admins
+Version: 1.0
+Website: m365scripts.com
+Script by: M365Scripts Team
+For detailed script execution: https://m365scripts.com/security/enabling-mfa-for-admins-using-powershell/
+============================================================================================
+#>
+
+
+
+
+#PARAMETERS
+param (
+[String] $UserName = $null,
+[String] $Password = $null,
+[Switch] $LicensedAdminsOnly
+)
+
+#Check for Module Availability
+$MsOnline = (Get-Module MsOnline -ListAvailable).Name
+if($MsOnline -eq $null)
+{
+    Write-Host "Important: Module MsOnline is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
+    $Confirm = Read-Host Are you sure you want to install module? [Y] Yes [N] No
+    if($Confirm -match "[yY]")
+    {
+        Write-Host "Installing MsOnline module..."
+        Install-Module MsOnline -Repository PsGallery -Force -AllowClobber
+        Write-Host "Required Module is installed in the machine Successfully" -ForegroundColor Magenta
+    }
+    else
+    {
+        Write-Host "Exiting. `nNote: MsOnline module must be available in your system to run the script"
+        Exit
+    }
+}
+
+
+#Importing Module by default will avoid the cmdlet unrecognized error
+Import-Module MsOnline -Force
+
+#CONNECTING TO MSOLSERVICE.......
+Write-Host "Connecting to Msolservice..."
+if(($UserName -ne "") -and ($Password -ne ""))
+{
+    $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force
+    $Credential = New-Object System.Management.Automation.PSCredential $UserName,$SecuredPassword
+    Connect-MsolService -Credential $Credential
+}
+else
+{
+    Connect-MsolService
+}
+
+#Creating Object for Enable MFA
+$MultiFactorAuthentication_Object= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
+$MultiFactorAuthentication_Object.RelyingParty = "*"
+$MultiFactorAuthentication_Object.State = "Enabled"
+$MultiFactorAuthentication = @($MultiFactorAuthentication_Object)
+
+
+#Separating Admin without MFA And Enable MFA for them
+Write-Host "Preparing Admin Without MFA List And Enable MFA for them..."
+$OutputCsv=".\AdminsWithoutMFAReport_$((Get-Date -format MMM-dd` hh-mm` tt).ToString()).csv"
+$global:CountForSuccess = 0
+$global:CountForFailed = 0
+
+
+#function for enable MFA for Admins
+function EnableMFAforadmin
+{
+    $AdminName = $User.DisplayName
+    $LicensedStatus = if($User.isLicensed) { "Licensed" } else { "UnLicensed" }
+
+    try
+    {
+        Set-MsolUser -UserPrincipalName $User.userprincipalname -StrongAuthenticationRequirements $MultiFactorAuthentication -ErrorAction Stop
+        $global:CountForSuccess++
+        $MFAstatus = "MFA successfully Assigned"
+    }
+    catch
+    {
+        $global:CountForFailed++
+        $MFAstatus = "Failed To Assign MFA"
+    }
+    $User = @{'Admin Name'=$AdminName;'UPN' =$User.UserPrincipalName;'Roles'=($Roles.Name)-join',';'License Status'=$LicensedStatus;'MFA Status'=$MFAstatus}
+    $ExportUser = New-Object PSObject -Property $User
+    $ExportUser | Select-Object 'Admin Name','UPN','Roles','License Status','MFA Status' | Export-csv -path $OutputCsv -NoType -Append
+    Write-Progress -Activity "Updating $Adminname ..." -Status "MFA Successfully Assigned for $CountForSuccess Admins , Failed for $CountForFailed Admins"
+}
+
+
+
+#Filter Admin User Using MsolUserRole
+Get-MsolUser -All | Select UserPrincipalName,DisplayName,StrongAuthenticationRequirements,isLicensed | ForEach-Object {
+
+    $User = $_
+    $Roles = (Get-MsolUserRole -UserPrincipalName $User.UserPrincipalName)
+    if($LicensedAdminsOnly.IsPresent)
+    {
+        if($Roles.Name -ne $null -and $User.StrongAuthenticationRequirements.State -eq $null -and $User.IsLicensed -eq $true)
+        {
+            EnableMFAforadmin
+        }
+    }
+    else
+    {
+        if($Roles.name -ne $null -and $User.StrongAuthenticationRequirements.State -eq $null)
+        {
+            EnableMFAforadmin
+        }
+    }
+}
+
+
+#Display Details about succesfull and failure
+if($CountForSuccess -ne 0 -or $CountForFailed -ne 0)
+    {
+        Write-Host "MFA Successfully Enabled for $CountForSuccess Admins and MFA Failed for $CountForFailed Admins"
+    }
+    else
+    {
+        Write-Host "Already All the Admins are enabled MFA"
+    }
+
+
+#Open output file after execution
+if((Test-Path -Path $OutputCsv) -eq "True") {
+    Write-Host "The Output file availble in $outputCsv" -ForegroundColor Green
+    $Prompt = New-Object -ComObject wscript.shell
+    $UserInput = $Prompt.popup("Do you want to open output file?",` 0,"Open Output File",4)
+    If ($UserInput -eq 6)
+    {
+        Invoke-Item "$OutputCSV"
+    }
+}
\ No newline at end of file
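Review bot: `[String] $Password = $null` in the param block takes the connecting admin's password as a plain-text command-line argument, so it is exposed in the process command line, PowerShell history and any transcript before `ConvertTo-SecureString -AsPlainText $Password -Force` ever runs, and this script is meant to be run with an account that can modify admin users. Prefer a `[System.Management.Automation.PSCredential] $Credential` parameter (or `Read-Host -AsSecureString` when only `$UserName` is supplied) and pass it straight to `Connect-MsolService -Credential $Credential`, dropping the plain-text parameter. Separately, `$MultiFactorAuthentication_Object.State = "Enabled"` sets the legacy per-user MFA state to Enabled rather than Enforced; as far as I recall, Enabled only prompts the user to register at the next interactive sign-in and does not block older authentication flows until registration completes, so the "MFA successfully Assigned" status written to the CSV overstates the outcome — a comment stating this, or an opt-in switch that sets Enforced, would make the report honest. The `Install-Module MsOnline -Repository PsGallery -Force -AllowClobber` branch also pulls the module from the public gallery after a single y/N prompt; the header comment should say so, so operators on hardened admin hosts can pre-stage the module instead.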