Last active
August 10, 2023 16:13
-
-
Save darrenjrobinson/8494e03e867becc4eaa32a3883e0123e to your computer and use it in GitHub Desktop.
Azure AD Authentication Methods Summary Reports using Microsoft Graph and PowerShell. Associated Blogpost https://blog.darrenjrobinson.com/azure-ad-authentication-methods-summary-reports-using-microsoft-graph-and-powershell/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Function DelegatedAuthN { | |
<# | |
.SYNOPSIS | |
Authenticate to Azure AD (using Delegated Auth) and receieve Access and Refresh Tokens. | |
.DESCRIPTION | |
Authenticate to Azure AD (using Delegated Auth) and receieve Access and Refresh Tokens. | |
.PARAMETER tenantID | |
(required) Azure AD TenantID. | |
.PARAMETER clientID | |
(required) ClientID of the Azure AD registered application with the necessary permissions. | |
.EXAMPLE | |
AuthN -tenantID '74ea519d-9792-4aa9-86d9-abcdefgaaa' -clientID '1122334c-bad7e-4eef-8a06-1234567890' | |
.LINK | |
http://darrenjrobinson.com/ | |
#> | |
[cmdletbinding()] | |
param( | |
[Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
[string]$tenantID, | |
[Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
[string]$clientID, | |
[Parameter(Mandatory = $false, ValueFromPipeline = $true)] | |
[string]$redirectUri = "https://localhost" | |
) | |
if (!(get-command Get-MsalToken)) { | |
Install-Module -name MSAL.PS -Force -AcceptLicense | |
} | |
try { | |
# Authenticate and Get Tokens | |
$token = Get-MsalToken -ClientId $clientID -TenantId $tenantID -RedirectUri $redirectUri -Authority "https://login.microsoftonline.com/$($tenantID)" -Silent | |
return $token | |
} | |
catch { | |
$_ | |
} | |
} | |
Function GetAADUsersAuthRegisteredByMethod { | |
<# | |
.SYNOPSIS | |
Get AAD Users Authentication Registered by Method. | |
.DESCRIPTION | |
Get AAD Users Authentication Registered by Method. | |
.EXAMPLE | |
GetAADUsersAuthRegisteredByMethod | |
.LINK | |
http://darrenjrobinson.com/ | |
#> | |
[cmdletbinding()] | |
param() | |
# Refresh Access Token | |
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID | |
try { | |
$aadOrgUsersRegisteredByMethod = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
-Uri "https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByMethod" ` | |
-Method Get | |
return $aadOrgUsersRegisteredByMethod | |
} | |
catch { | |
$_ | |
} | |
} | |
Function GetAADUsersAuthRegisteredByFeature { | |
<# | |
.SYNOPSIS | |
Get AAD Users Authentication Registered by Feature. | |
.DESCRIPTION | |
Get AAD Users Authentication Registered by Feature. | |
.EXAMPLE | |
GetAADUsersAuthRegisteredByFeature | |
.LINK | |
http://darrenjrobinson.com/ | |
#> | |
[cmdletbinding()] | |
param() | |
# Refresh Access Token | |
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID | |
try { | |
$aadOrgUsersRegisteredByFeature = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
-Uri "https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByFeature" ` | |
-Method Get | |
return $aadOrgUsersRegisteredByFeature | |
} | |
catch { | |
$_ | |
} | |
} | |
Function GetAADUsersCredentialUserRegistrationCount { | |
<# | |
.SYNOPSIS | |
Get AAD Users Credential User Registration Count Summary. | |
.DESCRIPTION | |
Get AAD Users Credential User Registration Count Summary. | |
.EXAMPLE | |
GetAADUsersCredentialUserRegistrationCount | |
.LINK | |
http://darrenjrobinson.com/ | |
#> | |
[cmdletbinding()] | |
param() | |
# Refresh Access Token | |
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID | |
try { | |
$aadOrgUsersUserRegistrationCount = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
-Uri "https://graph.microsoft.com/beta/reports/getCredentialUserRegistrationCount" ` | |
-Method Get | |
return $aadOrgUsersUserRegistrationCount.value | |
} | |
catch { | |
$_ | |
} | |
} | |
Function GetAADUsersCredentialUsageSummary { | |
<# | |
.SYNOPSIS | |
Get AAD Users Credential Usage Summary. | |
.DESCRIPTION | |
Get AAD Users Credential Usage Summary. | |
.PARAMETER period | |
(optional) Period for Summary Report. Valid options are 1, 7 and 30 (days) | |
.EXAMPLE | |
GetAADUsersCredentialUsageSummary -period '7' | |
.LINK | |
http://darrenjrobinson.com/ | |
#> | |
[cmdletbinding()] | |
param( | |
[Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
[ValidateSet("1", "7", "30")] | |
[string]$period | |
) | |
# Refresh Access Token | |
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID | |
try { | |
$aadOrgUsersCredentialUsageSummary = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } ` | |
-Uri "https://graph.microsoft.com/beta/reports/getCredentialUsageSummary(period='D$($period)')" ` | |
-Method Get | |
return $aadOrgUsersCredentialUsageSummary.value | |
} | |
catch { | |
$_ | |
} | |
} | |
# Globals | |
# Tenant ID | |
$global:myTenantId = '<Your AAD Tenant ID>' | |
# Registered AAD App ID | |
$global:myClientID = '<Your AAD Registered App Client ID>' | |
# One Time only to authorize access and get an Access and Refresh Token into the local MSAL Cache | |
# Comment out after the one time use (per user profile on the local host running the script) | |
$global:myToken = Get-MsalToken -DeviceCode -ClientId $myClientID -TenantId $myTenantId -RedirectUri "https://localhost" -Authority "https://login.microsoftonline.com/$($global:myTenantId)" | |
$AuthRegisteredByMethod = GetAADUsersAuthRegisteredByMethod | |
$AuthRegisteredByMethod.userRegistrationMethodCounts | |
$AuthRegisteredByFeature = GetAADUsersAuthRegisteredByFeature | |
$AuthRegisteredByFeature | |
$AuthRegisteredByFeature.userRegistrationFeatureCounts | |
$CredentialUserRegistrationCount = GetAADUsersCredentialUserRegistrationCount | |
$CredentialUserRegistrationCount | |
$CredentialUserRegistrationCount.userRegistrationCounts | |
$CredentialUsageSummary = GetAADUsersCredentialUsageSummary -period '30' | |
$CredentialUsageSummary | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment