0 votes

The company I am working at has an audit. I just need the code to see the group Company Administrators in PowerShell, check and validate if they are enforced with MFA authentication, or rather make their status enforced. I searched online and came up with bits and pieces of the code. I am pretty new to PowerShell coding, so it would be much appreciated if you guys can help with the code. I am working in IT Security and PowerShell coding is not a part of it.

Connect-MsolService
# get the role object for the tenant's Company Administrator (Global Administrator) role
$role = Get-MsolRole -RoleName "Company Administrator"

# get every member of that role; this returns an array of RoleMember objects
$rm = Get-MsolRoleMember -RoleObjectId $role.ObjectId

# look each member up by ObjectId (EmailAddress is not always the UserPrincipalName)
# and output DisplayName, UserPrincipalName and the per-user MFA state
foreach ($c in $rm)
{
    Get-MsolUser -ObjectId $c.ObjectId |
        Select-Object DisplayName, UserPrincipalName,
            @{ Name = 'MFA_Status'; Expression = {
                if ($_.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
                else { $_.StrongAuthenticationRequirements[0].State } } }
}

Output will be DisplayName containing the name, UserPrincipalName will be the email addresses of the Company Admins, and the MFA status output will be Enforced.

This is the other code:

$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

Output will display RoleMemberType, EmailAddress, DisplayName in AD, and whether the user IsLicensed = True or False.

Thanks if someone will reply to this.

1
An EmailAddress is not always the same as the UserPrincipalName. They share the same format, but you can have users with EmailAddress john.doe@somecompany.com that have UserPrincipalName jdoe@somecompany.com. The code should IMO always check using Get-ADUser to obtain the real UserPrincipalName to use with Get-MsolUser and Set-MsolUser. You can also use the ObjectId instead of UserPrincipalName for those cmdlets. P.S. Get-MsolRoleMember returns an array of role member objects, hence the foreach {..} loop. - Theo

1 Answer

0 votes

I cannot test this myself, so first try it out on a group of test users:

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService -Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { 
    # get the UserPrincipalName for this user
    $upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
    $mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
    if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
        Write-Host "Enforcing MFA for user $upn"
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
    else {
        Write-Host "MFA is already enforced for user $upn"
    }
}

Alternative code using Get-MsolRole and Get-MsolRoleMember

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get a list of administrator roles (possibly only one role object is returned)
# note: the MSOL role is named "Company Administrator" (singular), unlike the AD group
$roles = Get-MsolRole -RoleName "Company Administrator"
foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
            Write-Host "Enforcing MFA for user $($_.DisplayName)"
            Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
        else {
            Write-Host "MFA is already enforced for user $($_.DisplayName)"
        }
    }
}


Update

If all you really need is a report of who is in the "Company Administrators" group and their MFA status, the code can be much simpler:

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred

# get a list of administrator roles (possibly only one role object is returned)
# note: the MSOL role is named "Company Administrator" (singular), unlike the AD group
$roles = Get-MsolRole -RoleName "Company Administrator"
$result = foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
        # output an object to be collected in variable $result
        [PsCustomObject]@{
            'UserName'     = $_.DisplayName
            'EmailAddress' = $_.EmailAddress
            'MFA_Status'   = $status
        }
    }
}

# display on screen
$result | Format-Table -AutoSize

#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force
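The question and the answer above both boil down to one procedure: list the members of the admin role, read each user's StrongAuthenticationRequirements, and either report or set the state. The following is an added example written for this page, not code from the question or from Theo's answer. It wraps that procedure in a single function with an audit-only default and an opt-in `-Enforce` switch that honours `-WhatIf`/`-Confirm`, skips non-user role members (service principals cannot carry per-user MFA settings), and also reports the user's registered default MFA method, which tells you whether an "Enforced" user could actually complete a sign-in. It assumes the MSOnline module is installed and that the role is named "Company Administrator", the legacy MSOL name for Global Administrator; the function name `Get-MsolRoleMfaState` and the `-Enforce` parameter are this example's own.

```powershell
# Added example for this page (not the answer's code). Assumes the MSOnline module
# and the legacy role name "Company Administrator". Audit-only unless -Enforce is given;
# -WhatIf / -Confirm are honoured through SupportsShouldProcess.
function Get-MsolRoleMfaState {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$RoleName = 'Company Administrator',   # assumption: legacy MSOL role name
        [switch]$Enforce                               # without this switch nothing is changed
    )

    # the requirement object that Set-MsolUser expects when enforcing per-user MFA
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State        = 'Enforced'

    $role = Get-MsolRole -RoleName $RoleName
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {

        # role members can be service principals or groups; only users carry MFA settings
        if ($member.RoleMemberType -ne 'User') {
            [PsCustomObject]@{
                DisplayName       = $member.DisplayName
                UserPrincipalName = $null
                MemberType        = $member.RoleMemberType
                MFA_State         = 'N/A'
                DefaultMethod     = $null
            }
            continue
        }

        # look the user up by ObjectId rather than EmailAddress (see Theo's comment)
        $user = Get-MsolUser -ObjectId $member.ObjectId
        $req  = @($user.StrongAuthenticationRequirements)
        $state = if ($req.Count -eq 0) { 'Disabled' } else { $req[0].State }

        # the registered default method shows whether the user can complete an MFA prompt at all
        $defaultMethod = ($user.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

        if ($Enforce -and $state -ne 'Enforced' -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Set per-user MFA state to Enforced')) {
            Set-MsolUser -ObjectId $user.ObjectId -StrongAuthenticationRequirements @($requirement)
            $state = 'Enforced'
        }

        [PsCustomObject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            MemberType        = $member.RoleMemberType
            MFA_State         = $state
            DefaultMethod     = $defaultMethod
        }
    }
}

# usage: connect once, then run an audit-only pass for the auditor's report
Connect-MsolService
$report = Get-MsolRoleMfaState
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force

# usage: dry run of enforcement, then the real thing with a per-user confirmation prompt
Get-MsolRoleMfaState -Enforce -WhatIf
Get-MsolRoleMfaState -Enforce -Confirm
```

Two caveats a reviewer of the resulting audit evidence will raise. First, `MFA_State` reflects only legacy per-user MFA; a tenant that requires MFA for administrators through Conditional Access or Security Defaults can show every admin as `Disabled` here and still be compliant, so the report should state which mechanism was checked. Second, the MSOnline module is deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat this as a script for an existing MSOL-based environment rather than something to build new tooling on.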