
@darrenjrobinson
Last active November 1, 2021 18:51
PowerShell script to retrieve Azure AD Users Authentication Methods and add them as additional attributes on the User Object. Associated Blogpost https://blog.darrenjrobinson.com/reporting-on-users-azure-ad-authentication-methods-using-microsoft-graph-and-powershell/
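Function AuthN {
    <#
    .SYNOPSIS
    Authenticate to Azure AD as a registered application and return the token result.
    .DESCRIPTION
    Calls Get-MsalToken (MSAL.PS module) with the client ID and client secret carried
    in a PSCredential and returns whatever Get-MsalToken returns; callers in this
    script read its AccessToken property.
    If Get-MsalToken is not available, MSAL.PS is installed first.
    On failure the error record is emitted on the output stream in place of a token,
    so a caller that needs to distinguish the two should check for AccessToken.
    .PARAMETER tenantID
    (required) Azure AD TenantID.
    .PARAMETER credential
    (required) ClientID (UserName) and ClientSecret (Password) of the Azure AD registered application with the necessary permissions.
    .EXAMPLE
    $myCred = Get-Credential
    AuthN -credential $myCred -tenantID '74ea519d-9792-4aa9-86d9-abcdefgaaa'
    .LINK
    http://darrenjrobinson.com/
    #>
    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$tenantID,
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Management.Automation.PSCredential]$credential
    )

    # Get-Command writes an error when the command is missing; silence it so the
    # probe only decides whether the module has to be installed.
    if (!(Get-Command Get-MsalToken -ErrorAction SilentlyContinue)) {
        # NOTE(review): this pulls an unpinned MSAL.PS from the configured repository
        # at run time. Where the host is sensitive, pre-install a reviewed version
        # instead of relying on this fallback.
        Install-Module -name MSAL.PS -Force -AcceptLicense
    }

    try {
        # Authenticate and get the token. The secret stays a SecureString all the way
        # into Get-MsalToken; it is never converted back to plain text here.
        $token = Get-MsalToken -ClientId $credential.UserName -ClientSecret $credential.Password -TenantId $tenantID
        return $token
    }
    catch {
        # Original behaviour kept: hand the error record back to the caller.
        $_
    }
}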
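Function GetAADUsers {
    <#
    .SYNOPSIS
    Get AAD Users.
    .DESCRIPTION
    Refreshes $global:myToken through AuthN (using $myCred and $myTenantId), then reads
    users from Microsoft Graph v1.0 /users, following @odata.nextLink until there are
    no more pages or the requested limit is reached.
    On failure the error record is emitted on the output stream.
    .PARAMETER limit
    (optional) number of users to limit the results to
    .EXAMPLE
    GetAADUsers
    .EXAMPLE
    GetAADUsers -limit 250
    .LINK
    http://darrenjrobinson.com/
    #>
    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [int]$limit
    )

    # Refresh Access Token
    $global:myToken = AuthN -credential $myCred -tenantID $myTenantId

    try {
        # Start from an empty local array. Without this, '+=' would pick up any
        # $aadUsers left in a parent scope and mix stale users into the result.
        $aadUsers = @()

        # 999 is the largest page requested; a smaller limit shrinks the first page.
        $pageSize = 999
        if ($limit -and $limit -lt 999) {
            $pageSize = $limit
        }

        $headers = @{Authorization = "Bearer $($myToken.AccessToken)" }
        $nextUri = "https://graph.microsoft.com/v1.0/users?`$top=$pageSize"

        do {
            $results = Invoke-RestMethod -Headers $headers -Uri $nextUri -Method Get
            # Each page is appended exactly once (the first page used to be added
            # twice when no limit was given and more pages followed).
            if ($results.value) {
                $aadUsers += $results.value
            }
            # The bearer token is sent to whatever URL the service returns here.
            $nextUri = $results.'@odata.nextLink'
        } while ($nextUri -and (-not $limit -or $aadUsers.count -lt $limit))

        if ($limit) {
            # The last page may overshoot the limit; trim to what was asked for.
            return $aadUsers | Select-Object -First $limit
        }
        return $aadUsers
    }
    catch {
        # Original behaviour kept: hand the error record back to the caller.
        $_
    }
}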
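Function GetAuthMethods {
    <#
    .SYNOPSIS
    Get AAD User Authentication Methods.
    .DESCRIPTION
    Refreshes $global:myToken through AuthN (using $myCred and $myTenantId), then
    requests /users/{UPN}/authentication/methods from the Microsoft Graph beta
    endpoint and returns the response.
    On failure the error record is emitted on the output stream.
    .PARAMETER UPN
    (required) UPN of the user to retrieve Auth Methods for
    .EXAMPLE
    GetAuthMethods -UPN darren@darrenjrobinson.com
    .LINK
    http://darrenjrobinson.com/
    #>
    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$UPN
    )

    # Refresh Access Token
    $global:myToken = AuthN -credential $myCred -tenantID $myTenantId

    try {
        # Percent-encode the UPN before placing it in the path. A '#' (as in guest
        # UPNs containing '#EXT#') would otherwise start a URL fragment and truncate
        # the request path, and '/' or '?' could redirect the call to another resource.
        $encodedUpn = [uri]::EscapeDataString($UPN)

        # Get AAD User Authentication Methods.
        $authMethods = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } `
            -Uri "https://graph.microsoft.com/beta/users/$encodedUpn/authentication/methods" `
            -Method Get
        return $authMethods
    }
    catch {
        # Original behaviour kept: hand the error record back to the caller.
        $_
    }
}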
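# Globals
# Tenant ID (an identifier, not a secret)
$global:myTenantId = '74ea519d-9792-4aa9-86d9-abcdefgaaa'

# Registered AAD App ID and Secret.
# The client secret is not stored in the script, so sharing or committing the file
# cannot leak it. AAD_CLIENT_ID / AAD_CLIENT_SECRET are environment variable names
# chosen for this script (for unattended runs); otherwise the operator is prompted.
# The app registration only needs read access to users and their authentication
# methods; grant nothing broader.
if ($env:AAD_CLIENT_ID -and $env:AAD_CLIENT_SECRET) {
    $global:myCred = [pscredential]::new($env:AAD_CLIENT_ID, ($env:AAD_CLIENT_SECRET | ConvertTo-SecureString -AsPlainText -Force))
}
else {
    $global:myCred = Get-Credential -Message 'Enter the AAD application (client) ID as user name and the client secret as password'
}

Import-Module MSAL.PS

<#
Get Users
#>
$users = GetAADUsers -limit 10

foreach ($user in $users) {
    # GetAADUsers emits an error record on failure; skip anything that is not a user
    # so GetAuthMethods is never called with an empty UPN.
    if (-not $user.userPrincipalName) {
        continue
    }

    $authMethods = GetAuthMethods -UPN $user.userPrincipalName
    if ($authMethods.value.count -gt 0) {
        # Short method type names, e.g. without the '#microsoft.graph.' prefix.
        $user | Add-Member -Type NoteProperty -Name "authMethods" -Value @($authMethods.value).'@odata.type'.replace("#microsoft.graph.", "")
        $authDetails = $authMethods.value
        foreach ($authMethod in $authDetails) {
            $authMethod.'@odata.type' = $authMethod.'@odata.type'.replace("#microsoft.graph.", "")
        }
        $user | Add-Member -Type NoteProperty -Name "authMethodsDetail" -Value @($authDetails)
        $user | Add-Member -Type NoteProperty -Name "authMethodsCount" -Value $authMethods.value.count
    }
}

# NOTE(review): authMethodsDetail is the raw per-method data returned by Graph and may
# include personal details; treat any export of $users as sensitive.
$users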