# Get_MFA_User_Status.ps1
# ---------------------------------------------
# This script lists every enabled user in Microsoft Entra ID, reads each user's
# registered authentication methods via Microsoft Graph, classifies the user as
# MFA-registered or not, and exports the results to a CSV file.
# Requires the delegated Graph scopes User.Read.All, Directory.Read.All and
# UserAuthenticationMethod.Read.All (requested by Connect-MgGraph below).
# ---------------------------------------------
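# Ensure the Microsoft Graph PowerShell SDK is available.
# NOTE(security): this installs the whole Microsoft.Graph meta-module at run time
# from the PowerShell Gallery. -Force also suppresses the "untrusted repository"
# prompt, so the repository is pinned explicitly here; in managed environments
# prefer pre-installing a reviewed, version-pinned SDK instead of installing on
# first run. -ErrorAction Stop makes a failed install abort the script rather
# than falling through to Connect-MgGraph with the module still missing.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
    Write-Host "Installing Microsoft.Graph module..." -ForegroundColor Yellow
    Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force -ErrorAction Stop
}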
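# Delegated Graph scopes the script needs:
#   User.Read.All                     - enumerate users (Get-MgUser)
#   Directory.Read.All                - directory read access
#   UserAuthenticationMethod.Read.All - read each user's registered auth methods
$requiredScopes = @(
    "User.Read.All",
    "Directory.Read.All",
    "UserAuthenticationMethod.Read.All"
)
# Connect interactively. A failed sign-in is treated as terminating so the
# script cannot carry on against a missing or stale session.
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
try {
    Connect-MgGraph -Scopes $requiredScopes -ErrorAction Stop
} catch {
    Write-Warning ("Connect-MgGraph failed: {0}" -f $_.Exception.Message)
    exit 1
}
# Confirm the session carries EVERY required scope, not just one of them: a
# cached session created earlier with fewer scopes would otherwise pass the
# check and the per-user lookups would fail later with 403s.
# Account is only populated for delegated (user) sign-in, which is what this
# script expects; an app-only context is rejected here.
$context = Get-MgContext
$missingScopes = @($requiredScopes | Where-Object { $_ -notin @($context.Scopes) })
if ($context -and $context.Account -and $missingScopes.Count -eq 0) {
    Write-Host "Connected as $($context.Account) with necessary scopes." -ForegroundColor Green
} else {
    # Non-zero exit code so callers/automation can detect the failure
    # (a bare Exit returned 0).
    Write-Warning ("Failed to connect with the required scopes. Missing: {0}" -f ($missingScopes -join ", "))
    exit 1
}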
# OData type names of authentication methods whose presence on a user is
# reported as "MFA registered". Any other method type returned by Graph
# (e.g. passwordAuthenticationMethod, emailAuthenticationMethod) still shows
# up in the Methods column but does not count.
# Caveat: temporaryAccessPassAuthenticationMethod is an admin-issued,
# time-limited credential, so a user whose only method is a TAP is reported
# as registered by this list.
$mfaMethodTypePrefix = '#microsoft.graph.'
$authTypesRequiringMFA = @(
    'microsoftAuthenticatorAuthenticationMethod',
    'fido2AuthenticationMethod',
    'phoneAuthenticationMethod',
    'softwareOathAuthenticationMethod',
    'temporaryAccessPassAuthenticationMethod'
) | ForEach-Object { $mfaMethodTypePrefix + $_ }
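Write-Host "Retrieving users from Microsoft Graph..." -ForegroundColor Cyan
# -All pages through the whole tenant. Without it Get-MgUser returns only the
# first page (100 users by default), so the audit would silently omit every
# other user. -Property trims the response to the two fields used below, and
# @() keeps .Count correct when zero or one user is returned.
$users = @(Get-MgUser -Filter "accountEnabled eq true" -All -Property UserPrincipalName, Id -ErrorAction Stop |
    Select-Object UserPrincipalName, Id)
$userCount = $users.Count
Write-Host ("Found {0} Enabled users. Gathering MFA status, this may take a while..." -f $userCount) -ForegroundColor Yellow
$current = 0
$results = foreach ($user in $users) {
    $current++
    Write-Host ("Processing user {0}/{1}: {2}" -f $current, $userCount, $user.UserPrincipalName) -ForegroundColor DarkGray
    # A failed lookup (throttling, transient error, missing permission) must
    # not be recorded as "No MFA": with the default non-terminating error the
    # method list would simply be empty and the user would be misreported as
    # unregistered. Capture the error and mark the row instead.
    $lookupError = $null
    $odataTypes = @()
    try {
        $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop)
        foreach ($m in $methods) {
            # The SDK exposes the concrete method type in AdditionalProperties;
            # fall back to a direct '@odata.type' property if that is absent.
            $type = $m.AdditionalProperties['@odata.type']
            if (-not $type) { $type = $m.'@odata.type' }
            if ($type) { $odataTypes += $type }
        }
    } catch {
        $lookupError = $_.Exception.Message
    }
    $hasMfa = $odataTypes | Where-Object { $_ -in $authTypesRequiringMFA }
    # Strip the '#microsoft.graph.' prefix for a readable Methods column.
    $cleanedTypes = $odataTypes | ForEach-Object { $_ -replace '^#microsoft\.graph\.' }
    [PSCustomObject]@{
        User           = $user.UserPrincipalName
        # "Unknown" distinguishes a failed lookup from a genuine "No".
        MFA_Registered = if ($lookupError) { "Unknown" } elseif ($hasMfa) { "Yes" } else { "No" }
        Methods        = ($cleanedTypes -join ", ")
        Error          = $lookupError
    }
}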
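$dateStr = Get-Date -Format 'yyyy-MM-dd'
# Output is written to the current working directory, not the script's folder.
$csvPath = ".\MFA-Audit-$dateStr.csv"
if (-not $results) {
    Write-Warning "No users were processed; nothing to export."
} else {
    Write-Host ("Exporting results to {0}..." -f $csvPath) -ForegroundColor Cyan
    # Sort in memory and write the file once. Ascending MFA_Registered puts
    # "No" before "Yes" (users lacking MFA first), then by user. The original
    # exported, re-imported and re-exported the CSV to get the same ordering.
    $results |
        Sort-Object -Property MFA_Registered, User |
        Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
    # NOTE: the CSV names every user and their registered methods; treat it as
    # sensitive and restrict where it is stored and shared.
    Write-Host ("Done! Results saved to {0}" -f $csvPath) -ForegroundColor Green
}
pause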