PowerShell script to retrieve Azure AD Users Authentication Methods and add them as additional attributes on the User Object. Associated Blogpost https://blog.darrenjrobinson.com/reporting-on-users-azure-ad-authentication-methods-using-microsoft-graph-and-powershell/
| Function AuthN { | |
| <# | |
| .SYNOPSIS | |
| Authenticate to Azure AD and receieve Access and Refresh Tokens. | |
| .DESCRIPTION | |
| Authenticate to Azure AD and receieve Access and Refresh Tokens. | |
| .PARAMETER tenantID | |
| (required) Azure AD TenantID. | |
| .PARAMETER credential | |
| (required) ClientID and ClientSecret of the Azure AD registered application with the necessary permissions. | |
| .EXAMPLE | |
| $myCred = Get-Credential | |
| AuthN -credential $myCred -tenantID '74ea519d-9792-4aa9-86d9-abcdefgaaa' | |
| .LINK | |
| http://darrenjrobinson.com/ | |
| #> | |
| [cmdletbinding()] | |
| param( | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
| [string]$tenantID, | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
| [System.Management.Automation.PSCredential]$credential | |
| ) | |
| if (!(get-command Get-MsalToken)) { | |
| Install-Module -name MSAL.PS -Force -AcceptLicense | |
| } | |
| try { | |
| # Authenticate and Get Tokens | |
| $token = Get-MsalToken -ClientId $credential.UserName -ClientSecret $credential.Password -TenantId $tenantID | |
| return $token | |
| } | |
| catch { | |
| $_ | |
| } | |
| } | |
| Function GetAADUsers { | |
| <# | |
| .SYNOPSIS | |
| Get AAD Users. | |
| .DESCRIPTION | |
| Get AAD Users. | |
| .PARAMETER limit | |
| (optional) number of users to limit the results too | |
| .EXAMPLE | |
| GetAADUsers | |
| .EXAMPLE | |
| GetAADUsers -limit 250 | |
| .LINK | |
| http://darrenjrobinson.com/ | |
| #> | |
| [cmdletbinding()] | |
| param( | |
| [Parameter(Mandatory = $false, ValueFromPipeline = $true)] | |
| [int]$limit | |
| ) | |
| # Refresh Access Token | |
| $global:myToken = AuthN -credential $myCred -tenantID $myTenantId | |
| try { | |
| if ($limit) { | |
| if ($limit -gt 999) { | |
| $pageSize = 999 | |
| } | |
| else { | |
| $pageSize = $limit | |
| } | |
| # Get AAD Users. | |
| $results = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
| -Uri "https://graph.microsoft.com/v1.0/users?`$top=$pageSize" ` | |
| -Method Get | |
| if ($results.value.count -lt $limit) { | |
| if ($results.'@odata.nextLink') { | |
| $aadUsers += $results.value | |
| # There's more, let's get them | |
| do { | |
| $results = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
| -Uri $results.'@odata.nextLink' ` | |
| -Method Get | |
| $aadUsers += $results.value | |
| } while ($results.'@odata.nextLink' -AND $aadUsers.count -lt $limit) | |
| } | |
| else { | |
| # That's all there is | |
| $aadUsers = $results.value | |
| } | |
| } | |
| else { | |
| $aadUsers = $results.value | Select-Object -First $limit | |
| } | |
| return $aadUsers | Select-Object -First $limit | |
| } | |
| else { | |
| # Get AAD Users. | |
| $results = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
| -Uri "https://graph.microsoft.com/v1.0/users?`$top=999" ` | |
| -Method Get | |
| $aadUsers += $results.value | |
| if ($results.'@odata.nextLink') { | |
| $aadUsers += $results.value | |
| # There's more, let's get them | |
| do { | |
| $results = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
| -Uri $results.'@odata.nextLink' ` | |
| -Method Get | |
| $aadUsers += $results.value | |
| } while ($results.'@odata.nextLink') | |
| } | |
| return $aadUsers | |
| } | |
| } | |
| catch { | |
| $_ | |
| } | |
| } | |
| Function GetAuthMethods { | |
| <# | |
| .SYNOPSIS | |
| Get AAD User Authentication Methods. | |
| .DESCRIPTION | |
| Get AAD User Authentication Methods. | |
| .PARAMETER UPN | |
| (required) UPN of the user to retrieve Auth Methods for | |
| .EXAMPLE | |
| GetAuthMethods -UPN darren@darrenjrobinson.com | |
| .LINK | |
| http://darrenjrobinson.com/ | |
| #> | |
| [cmdletbinding()] | |
| param( | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
| [string]$UPN | |
| ) | |
| # Refresh Access Token | |
| $global:myToken = AuthN -credential $myCred -tenantID $myTenantId | |
| try { | |
| # Get AAD User Authentication Methods. | |
| $authMethods = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
| -Uri "https://graph.microsoft.com/beta/users/$($UPN)/authentication/methods" ` | |
| -Method Get | |
| return $authMethods | |
| } | |
| catch { | |
| $_ | |
| } | |
| } | |
| # Globals | |
| # Tenant ID | |
| $global:myTenantId = '74ea519d-9792-4aa9-86d9-abcdefgaaa' | |
| # Registered AAD App ID and Secret | |
| $global:myCred = [pscredential]::new("1c29e80e-ec64-43f7-b07a-1324567890", ("UEy9yEnU6vcCLzdZm+123ABC456DEFyjyL2nYQeU=" | ConvertTo-SecureString -AsPlainText -Force)) | |
| Import-Module MSAL.PS | |
| <# | |
| Get Users | |
| #> | |
| $users = GetAADUsers -limit 10 | |
| foreach ($user in $users) { | |
| $authMethods = GetAuthMethods -UPN $user.userPrincipalName | |
| if ($authMethods.value.count -gt 0) { | |
| $user | Add-Member -Type NoteProperty -Name "authMethods" -Value @($authMethods.value).'@odata.type'.replace("#microsoft.graph.", "") | |
| $authDetails = $authMethods.value | |
| foreach ($authMethod in $authDetails) { | |
| $authMethod.'@odata.type' = $authMethod.'@odata.type'.replace("#microsoft.graph.", "") | |
| } | |
| $user | Add-Member -Type NoteProperty -Name "authMethodsDetail" -Value @($authDetails) | |
| $user | Add-Member -Type NoteProperty -Name "authMethodsCount" -Value $authMethods.value.count | |
| } | |
| } | |
| $users |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment