Last Reviewed Date: 2020-01-21
Quick update: We know this information is high value to you. Microsoft has begun making this information available on a per-user basis only in cases where a higher-end Azure AD license is available. We are working on how to best surface that data for users where it is available and clearly indicate to the user in cases where it isn't available from Microsoft at all.
I 100% agree with this. Since we also started to use Liongard recently I had noticed this and brought it up with our Liongard Rep as well. Currently using a script per tenant to pull the data until this gets updated.
This is a fundamental metric that needs to be reported on with or without the Azure P1 license. Please escalate this idea to help us all secure our clients.
This is absolutely possible through the Microsoft 365 Secure App Model API.
I pieced this together using the following links, so credit to them.
https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/
https://github.com/ruudmens/LazyAdmin/blob/master/Office365/MFAStatus.ps1
# Partner (CSP) app registration details and the Secure App Model refresh tokens
$ApplicationId        = 'xxxx-xxxx-xxxx-xxxx-xxx'
$ApplicationSecret    = 'YOURSECRET' | ConvertTo-SecureString -AsPlainText -Force
$TenantID             = 'xxxxxx-xxxx-xxx-xxxx--xxx'   # partner tenant ID used to mint the tokens
$CustomerTenantId     = 'TENANT ID of customer'       # customer tenant being reported on
$RefreshToken         = 'LongResourcetoken'
$ExchangeRefreshToken = 'LongExchangeToken'           # only needed for Exchange Online; unused below
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

# Exchange the refresh token for Azure AD Graph and Microsoft Graph access tokens (PartnerCenter module)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $TenantID
$graphToken    = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken

# Directory role members, so admin accounts without MFA stand out in the report
$listAdmins = $true
$admins = Get-MsolRole -TenantId $CustomerTenantId | ForEach-Object {
    Get-MsolRoleMember -RoleObjectId $_.ObjectId -TenantId $CustomerTenantId
} | Where-Object { $_.EmailAddress }

# -All avoids the default 500-user page limit on larger tenants
$msolusers = Get-MsolUser -TenantId $CustomerTenantId -EnabledFilter EnabledOnly -All | Where-Object { $_.IsLicensed -eq $true } | Sort-Object UserPrincipalName
foreach ($MsolUser in $msolusers) {
    [PSCustomObject]@{
        DisplayName       = $MsolUser.DisplayName
        UserPrincipalName = $MsolUser.UserPrincipalName
        isAdmin           = if ($listAdmins -and $admins.EmailAddress -contains $MsolUser.UserPrincipalName) { $true } else { '-' }
        # At least one registered method means the user has enrolled in MFA
        MFAEnabled        = if ($MsolUser.StrongAuthenticationMethods) { $true } else { $false }
        MFAType           = $MsolUser.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true } | Select-Object -ExpandProperty MethodType
        # A per-user requirement (state Enabled/Enforced) means MFA is enforced for the account
        MFAEnforced       = if ($MsolUser.StrongAuthenticationRequirements) { $true } else { '-' }
    }
}
I am sure this data can be pulled via PowerShell, regardless of AAD plan. Agree totally with Alex Membrey's comments - this detail is important.
I'm able to pull this information from MSOL using the $user.StrongAuthenticationRequirements properties, including "state", "methodtype" (isdefault subproperty), "phonenumber", "alternativephonenumber" and "email".
Hi Dave,
That's correct. We're only able to capture this information based on the access Microsoft provides and currently we're only able to capture the MFA status of users for accounts with an Azure AD Premium P1 license or higher.
Was this considered shipped even though it requires the Azure AD Premium license? I'm seeing unknown for all my tenants.
It's worth also noting that Microsoft have MFA implemented in two different ways: enforcement on a per-user basis and also via Conditional Access.
So also having an MFA registered/enrolled state, and by which authentication type, would be useful.
Kind Regards,
Josh Kelly
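The distinction raised above (per-user MFA enforcement versus Conditional Access, plus what each user has actually registered) can be reported in one pass. The following is an added example and not code from this thread or from Liongard; it assumes Connect-MsolService has already been run as in the earlier script, that $graphToken.AccessToken holds a Microsoft Graph token for an app granted Policy.Read.All, and that $CustomerTenantId is a placeholder for the tenant being reported on.

```powershell
# Added example (not from the thread). Assumes an existing MSOL session and
# $graphToken.AccessToken from the Secure App Model script above.
$CustomerTenantId = 'CUSTOMER-TENANT-ID'   # placeholder

# 1) Tenant level: is there at least one enabled Conditional Access policy that requires MFA?
#    This checks policy existence only; a policy may still scope to a subset of users.
$headers    = @{ Authorization = "Bearer $($graphToken.AccessToken)" }
$caPolicies = (Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
$mfaPolicies = $caPolicies | Where-Object {
    $_.state -eq 'enabled' -and $_.grantControls.builtInControls -contains 'mfa'
}
$tenantHasCaMfa = @($mfaPolicies).Count -gt 0

# 2) Per user: legacy per-user MFA state and the methods the user has actually enrolled.
#    Registered = enrolled at least one method; PerUserMfaState = Disabled/Enabled/Enforced.
Get-MsolUser -TenantId $CustomerTenantId -EnabledFilter EnabledOnly -All |
    Where-Object { $_.IsLicensed } |
    ForEach-Object {
        $state   = $_.StrongAuthenticationRequirements.State   # $null when not set per user
        $methods = $_.StrongAuthenticationMethods
        [PSCustomObject]@{
            UserPrincipalName   = $_.UserPrincipalName
            PerUserMfaState     = if ($state) { $state } else { 'Disabled' }
            Registered          = [bool]$methods
            DefaultMethod       = ($methods | Where-Object IsDefault).MethodType
            AllMethods          = ($methods.MethodType) -join ','
            TenantHasCaMfa      = $tenantHasCaMfa
            # A user is only protected if enforced per user, or covered by CA and enrolled
            LikelyProtected     = ($state -eq 'Enforced') -or ($tenantHasCaMfa -and [bool]$methods)
        }
    }
```

Users with Registered = $false in a tenant that relies only on Conditional Access are the ones that a CA policy will prompt to enrol at next sign-in, so they are worth alerting on separately from users with no policy coverage at all.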
This is becoming a key security requirement and it would be nice to report and alert on it.
This could help with the alerts also. We like the alerts that alert on MFA not being enabled for certain users, but they do not show which users.