Created
May 4, 2023 16:49
-
-
Save jschlackman/59b78367d2dabf158be3abb8e1330336 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Name: Get-AADAccessDetails.ps1 | |
| # Author: James Schlackman | |
| # Last Modified: May 3 2023 | |
| # | |
| # Audits all enabled users in Azure AD and outputs the date they last logged in, when they last changed | |
| # their password, when the account was created, and which Azure AD roles they are assigned (if any). | |
| # | |
| # NOTE: Azure AD only began storing account creation dates in June 2018. CreatedDateTime will be blank | |
| # for accounts created before that time. | |
| # | |
| # Source: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser | |
| #Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users | |
| # Function to convert UTC datetimes returned by Graph to local time | |
| $LocalTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById("Eastern Standard Time") | |
| function LocalTime() { | |
| param( | |
| [datetime] $utcDateTime | |
| ) | |
| [System.TimeZoneInfo]::ConvertTimeFromUtc($utcDateTime, $LocalTimeZone) | |
| } | |
| # Connect with required scopes | |
| Connect-Graph -Scopes User.Read.All,AuditLog.Read.All,RoleManagement.Read.All | |
| # Get all active AD roles and the users assigned to them | |
| Write-Host "`nRetrieving role assignments..." | |
| $RoleAudit = Get-MgDirectoryRole | Select DisplayName,ID,@{Name='Members';Expression={$members=Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id;If ([bool]$members) {$members | Select -ExpandProperty Id} Else {$null}}} | |
| If ([bool]$RoleAudit) { | |
| Write-Host "Complete." -ForegroundColor Green | |
| } | |
| # Define user properties to load | |
| $LoadProperties = 'DisplayName','UserPrincipalName','Mail','JobTitle','Department','CreatedDateTime','LastPasswordChangeDateTime','SignInActivity','AccountEnabled','AssignedLicenses','OnPremisesDistinguishedName' | |
| # Get all member users and filter for enabled users only | |
| Write-Host "`nRetrieving user details..." | |
| $EnabledMembers = Get-MgUser -Filter "UserType eq 'Member'" -All -Property $LoadProperties | Where-Object -Property AccountEnabled -eq $true | |
| If ([bool]$EnabledMembers) { | |
| Write-Host "Complete." -ForegroundColor Green | |
| $EnabledMembers = $EnabledMembers | Sort-Object -Property DisplayName | |
| } | |
| # Define output properties | |
| $OutputProperties = ` | |
| 'DisplayName', | |
| 'UserPrincipalName', | |
| 'Mail', | |
| # Assume shared mailbox if email attribute is set but no license | |
| @{Name='SharedMailbox'; Expression={[bool]$_.Mail -and !([bool]$_.AssignedLicenses)}}, | |
| 'JobTitle', | |
| 'Department', | |
| @{Name='Created';Expression={LocalTime($_.CreatedDateTime)}}, | |
| @{Name='LastPasswordChange';Expression={LocalTime($_.LastPasswordChangeDateTime)}}, | |
| @{Name='LastSignIn'; Expression={ | |
| $SignIn = $_.SignInActivity.LastSignInDateTime | |
| # Fallback to last non-interactive sign-in if no standard sign-in date is available | |
| If ([bool]$SignIn){ | |
| LocalTime($SignIn) | |
| } Else { | |
| LocalTime($_.SignInActivity.LastNonInteractiveSignInDateTime) | |
| } | |
| } | |
| }, | |
| @{Name='AssignedRoles';Expression={(($RoleAudit | Where-Object -Property Members -Contains $_.Id).DisplayName) -join ', '}}, | |
| 'OnPremisesDistinguishedName' | |
| # Format output | |
| $AuditOutput = $EnabledMembers | Select -Property $OutputProperties | |
| # Display/export output | |
| $AuditOutput | Out-GridView | |
| $AuditOutput | Export-Csv -NoTypeInformation -Path ("$((Get-Date).ToString("yyMMdd")) Azure AD Access Details.csv") -Encoding UTF8 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment