## Script to get MFA methods for a user group in AAD using MgGraph
# AUTHOR:Jorge Lopez ([email protected])
#
# THIS CODE-SAMPLE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
# FITNESS FOR A PARTICULAR PURPOSE.
#
# This sample is not supported under any Microsoft standard support program or service.
# The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
# implied warranties including, without limitation, any implied warranties of merchantability
# or of fitness for a particular purpose. The entire risk arising out of the use or performance
# of the sample and documentation remains with you. In no event shall Microsoft, its authors,
# or anyone else involved in the creation, production, or delivery of the script be liable for
# any damages whatsoever (including, without limitation, damages for loss of business profits,
# business interruption, loss of business information, or other pecuniary loss) arising out of
# the use of or inability to use the sample or documentation, even if Microsoft has been advised
# of the possibility of such damages.
################################################################################################
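<#
.SYNOPSIS
    Reports the registered MFA / authentication methods of every user in an Azure AD group.
.DESCRIPTION
    Connects to Microsoft Graph with read-only scopes, enumerates the members of the given
    group, reads each user's authentication methods and writes one CSV row per method.
.PARAMETER GroupID
    Object ID of the Azure AD group to report on. Defaults to the placeholder
    'Group_Object_ID', which must be replaced in the script or overridden on the command line.
.PARAMETER MethodType
    Optional list of short method names (for example 'AuthenticatorApp', 'Fido2') to keep.
    When omitted, every method is reported.
.PARAMETER OutputPath
    Destination of the CSV report. Defaults to .\UsersStrongAuthMethods.csv.
.OUTPUTS
    Nothing on the pipeline; the report is written to -OutputPath.
.NOTES
    Treat the output as sensitive: it contains phone numbers, e-mail addresses and
    device / authenticator names of every user in the group.
#>
param(
    [string]$GroupID = 'Group_Object_ID',
    [string[]]$MethodType,
    [string]$OutputPath = '.\UsersStrongAuthMethods.csv'
)

# Select-MgProfile exists only in Microsoft.Graph SDK 1.x. On SDK 2.x the beta cmdlets
# live in the Microsoft.Graph.Beta modules and this line has to be removed.
Select-MgProfile -Name "beta"

# Read-only scopes: nothing in this script modifies the tenant.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "Group.Read.All"

# -All follows server-side paging (a single page returns at most 100 members).
# Group membership may also contain groups, devices or service principals, so only
# user objects are passed on to Get-MgUser.
$Group_Members = Get-MgGroupMember -GroupId $GroupID -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { Get-MgUser -UserId $_.Id }

# Assigning the foreach captures every object emitted inside the loop. Without the
# assignment the rows went to the console and the exported CSV stayed empty.
$results_List = foreach ($User in $Group_Members) {
    try {
        $DeviceList = Get-MgUserAuthenticationMethod -UserId $User.Id -ErrorAction Stop
        $DeviceOutput = foreach ($Device in $DeviceList) {
            # Reset per device so a method type the switch does not know cannot
            # inherit the values of the previous device.
            $MethodAuthType = $null
            $AdditionalProperties = $null
            # Converting the long @odata.type to a short, human readable method type.
            switch ($Device.AdditionalProperties["@odata.type"]) {
                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                    $MethodAuthType = 'AuthenticatorApp'
                    $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                }
                '#microsoft.graph.phoneAuthenticationMethod' {
                    $MethodAuthType = 'PhoneAuthentication'
                    $AdditionalProperties = @(
                        $Device.AdditionalProperties["phoneType"],
                        $Device.AdditionalProperties["phoneNumber"]
                    ) -join ' '
                }
                '#microsoft.graph.passwordAuthenticationMethod' {
                    $MethodAuthType = 'PasswordAuthentication'
                    $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                }
                '#microsoft.graph.fido2AuthenticationMethod' {
                    $MethodAuthType = 'Fido2'
                    $AdditionalProperties = $Device.AdditionalProperties["model"]
                }
                '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' {
                    $MethodAuthType = 'WindowsHelloForBusiness'
                    $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                }
                '#microsoft.graph.emailAuthenticationMethod' {
                    $MethodAuthType = 'EmailAuthentication'
                    $AdditionalProperties = $Device.AdditionalProperties["emailAddress"]
                }
                '#microsoft.graph.temporaryAccessPassAuthenticationMethod' {
                    $MethodAuthType = 'TemporaryAccessPass'
                    $AdditionalProperties = 'TapLifetime:' + $Device.AdditionalProperties["lifetimeInMinutes"] + 'm - Status:' + $Device.AdditionalProperties["methodUsabilityReason"]
                }
                '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod' {
                    $MethodAuthType = 'Passwordless'
                    $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                }
                '#microsoft.graph.softwareOathAuthenticationMethod' {
                    $MethodAuthType = 'SoftwareOath'
                    $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                }
                default {
                    # New or unmapped method type: keep the raw @odata.type in the report
                    # instead of silently dropping or mislabelling the method.
                    $MethodAuthType = $_
                    $AdditionalProperties = $null
                }
            }
            [PSCustomObject]@{
                UserPrincipalName      = $User.UserPrincipalName
                AuthenticationMethodId = $Device.Id
                MethodType             = $MethodAuthType
                AdditionalProperties   = $AdditionalProperties
            }
        }
        if ($PSBoundParameters.ContainsKey('MethodType')) {
            $DeviceOutput | Where-Object { $_.MethodType -in $MethodType }
        } else {
            $DeviceOutput
        }
    } catch {
        # Name the affected user and keep going with the rest of the group.
        Write-Error "Failed to read authentication methods for $($User.UserPrincipalName): $($_.Exception.Message)"
    } finally {
        $DeviceList = $null
        $MethodAuthType = $null
        $AdditionalProperties = $null
    }
}

# Export-Csv rejects a null input object, so an empty result is reported instead.
if ($results_List) {
    $results_List | Export-Csv -Path $OutputPath -NoTypeInformation
} else {
    Write-Warning "No authentication methods found for the members of group $GroupID; nothing exported."
}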