Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Azure AD Authentication Methods Summary Reports using Microsoft Graph and PowerShell. Associated Blogpost https://blog.darrenjrobinson.com/azure-ad-authentication-methods-summary-reports-using-microsoft-graph-and-powershell/
Function DelegatedAuthN {
<#
.SYNOPSIS
Authenticate to Azure AD (using Delegated Auth) and receieve Access and Refresh Tokens.
.DESCRIPTION
Authenticate to Azure AD (using Delegated Auth) and receieve Access and Refresh Tokens.
.PARAMETER tenantID
(required) Azure AD TenantID.
.PARAMETER clientID
(required) ClientID of the Azure AD registered application with the necessary permissions.
.EXAMPLE
AuthN -tenantID '74ea519d-9792-4aa9-86d9-abcdefgaaa' -clientID '1122334c-bad7e-4eef-8a06-1234567890'
.LINK
http://darrenjrobinson.com/
#>
[cmdletbinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string]$tenantID,
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string]$clientID,
[Parameter(Mandatory = $false, ValueFromPipeline = $true)]
[string]$redirectUri = "https://localhost"
)
if (!(get-command Get-MsalToken)) {
Install-Module -name MSAL.PS -Force -AcceptLicense
}
try {
# Authenticate and Get Tokens
$token = Get-MsalToken -ClientId $clientID -TenantId $tenantID -RedirectUri $redirectUri -Authority "https://login.microsoftonline.com/$($tenantID)" -Silent
return $token
}
catch {
$_
}
}
Function GetAADUsersAuthRegisteredByMethod {
<#
.SYNOPSIS
Get AAD Users Authentication Registered by Method.
.DESCRIPTION
Get AAD Users Authentication Registered by Method.
.EXAMPLE
GetAADUsersAuthRegisteredByMethod
.LINK
http://darrenjrobinson.com/
#>
[cmdletbinding()]
param()
# Refresh Access Token
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID
try {
$aadOrgUsersRegisteredByMethod = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } `
-Uri "https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByMethod" `
-Method Get
return $aadOrgUsersRegisteredByMethod
}
catch {
$_
}
}
Function GetAADUsersAuthRegisteredByFeature {
<#
.SYNOPSIS
Get AAD Users Authentication Registered by Feature.
.DESCRIPTION
Get AAD Users Authentication Registered by Feature.
.EXAMPLE
GetAADUsersAuthRegisteredByFeature
.LINK
http://darrenjrobinson.com/
#>
[cmdletbinding()]
param()
# Refresh Access Token
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID
try {
$aadOrgUsersRegisteredByFeature = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } `
-Uri "https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByFeature" `
-Method Get
return $aadOrgUsersRegisteredByFeature
}
catch {
$_
}
}
Function GetAADUsersCredentialUserRegistrationCount {
<#
.SYNOPSIS
Get AAD Users Credential User Registration Count Summary.
.DESCRIPTION
Get AAD Users Credential User Registration Count Summary.
.EXAMPLE
GetAADUsersCredentialUserRegistrationCount
.LINK
http://darrenjrobinson.com/
#>
[cmdletbinding()]
param()
# Refresh Access Token
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID
try {
$aadOrgUsersUserRegistrationCount = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } `
-Uri "https://graph.microsoft.com/beta/reports/getCredentialUserRegistrationCount" `
-Method Get
return $aadOrgUsersUserRegistrationCount.value
}
catch {
$_
}
}
Function GetAADUsersCredentialUsageSummary {
<#
.SYNOPSIS
Get AAD Users Credential Usage Summary.
.DESCRIPTION
Get AAD Users Credential Usage Summary.
.PARAMETER period
(optional) Period for Summary Report. Valid options are 1, 7 and 30 (days)
.EXAMPLE
GetAADUsersCredentialUsageSummary -period '7'
.LINK
http://darrenjrobinson.com/
#>
[cmdletbinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[ValidateSet("1", "7", "30")]
[string]$period
)
# Refresh Access Token
$global:myToken = DelegatedAuthN -tenantID $global:myTenantId -clientID $global:myClientID
try {
$aadOrgUsersCredentialUsageSummary = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" } `
-Uri "https://graph.microsoft.com/beta/reports/getCredentialUsageSummary(period='D$($period)')" `
-Method Get
return $aadOrgUsersCredentialUsageSummary.value
}
catch {
$_
}
}
# Globals
# Tenant ID
$global:myTenantId = '<Your AAD Tenant ID>'
# Registered AAD App ID
$global:myClientID = '<Your AAD Registered App Client ID>'
# One Time only to authorize access and get an Access and Refresh Token into the local MSAL Cache
# Comment out after the one time use (per user profile on the local host running the script)
$global:myToken = Get-MsalToken -DeviceCode -ClientId $myClientID -TenantId $myTenantId -RedirectUri "https://localhost" -Authority "https://login.microsoftonline.com/$($global:myTenantId)"
$AuthRegisteredByMethod = GetAADUsersAuthRegisteredByMethod
$AuthRegisteredByMethod.userRegistrationMethodCounts
$AuthRegisteredByFeature = GetAADUsersAuthRegisteredByFeature
$AuthRegisteredByFeature
$AuthRegisteredByFeature.userRegistrationFeatureCounts
$CredentialUserRegistrationCount = GetAADUsersCredentialUserRegistrationCount
$CredentialUserRegistrationCount
$CredentialUserRegistrationCount.userRegistrationCounts
$CredentialUsageSummary = GetAADUsersCredentialUsageSummary -period '30'
$CredentialUsageSummary
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment