Liongard Ideas Portal

This is a fundamental metric that needs to be reported on with or without the Azure P1 license. Please escalate this idea to help us all secure our clients.

This is absolutely possible through the 365 secure app model api.

I pieced this together using the following links so credit to them.

https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/

https://github.com/ruudmens/LazyAdmin/blob/master/Office365/MFAStatus.ps1

$ApplicationId = 'xxxx-xxxx-xxxx-xxxx-xxx'

$ApplicationSecret = 'YOURSECRET' | Convertto-SecureString -AsPlainText -Force

$TenantID = 'xxxxxx-xxxx-xxx-xxxx--xxx'

$RefreshToken = 'LongResourcetoken'

$ExchangeRefreshToken = 'LongExchangeToken'

$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID

$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID

Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken

$msolusers = Get-MsolUser -TenantId 'TENENT ID of customer' -EnabledFilter EnabledOnly | Where-Object {$_.IsLicensed -eq $true} | Sort-Object UserPrincipalName

foreach ($MsolUser in $MsolUsers) {

[PSCustomObject]@{

DisplayName = $MsolUser.DisplayName

UserPrincipalName = $MsolUser.UserPrincipalName

isAdmin = if ($listAdmins -and $admins.EmailAddress -match $MsolUser.UserPrincipalName) {$true} else {"-"}

MFAEnabled = if ($MsolUser.StrongAuthenticationMethods) {$true} else {$false}

MFAType = $MsolUser.StrongAuthenticationMethods | Where-Object {$_.IsDefault -eq $true} | Select-Object -ExpandProperty MethodType

MFAEnforced = if ($MsolUser.StrongAuthenticationRequirements) {$true} else {"-"}

}

}

I am sure this data can be pulled via Powershell, regardless of AAD Plan. Agree totally on Alex Membrey comments - this detail is important

I'm able to pull this information from MSOL using the $user.strongauthenticationrequirements properties including "state", "methodtype" (isdefault subproperty) "phonenumber", "alternativephonenumber", "email"

Hi Dave,
That's correct. We're only able to capture this information based on the access Microsoft provides and currently we're only able to capture the MFA status of users for accounts with an Azure AD Premium P1 license or higher.

Was this considered shipped even though it requires the Azure AD Premium license? I'm seeing unknown for all my tenants.

It's worth also noting that Microsoft have MFA implemented in two different ways. Enforcement on a per user basis and also via conditional access.

So also having an MFA registered/enrolled state and by which authentication type would be useful.

Sent from my iPhone

Kind Regards,
Josh Kelly
Service Manager

P: 1300 688 020
M: 0447 805 457
E: josh.kelly@hdit.com.au

Technical Support: support@hdit.com.au
Quotes & Sales: sales@hdit.com.au
The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without the written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. Please consider the environment before printing this email.���

This is becoming a key security requirement and would be nice to report and alert on it. 

This could help with the alerts also. We like the alerts that alert on MFA not being enabled for certain users but it does not show which users.