Gooseleggs Site

Ramblings

Azure AD Roles and authentication methods

Posted on July 1, 2022 by admin

While trying to improve the Microsoft Secure Score, I ran into the limitation of the "admin users without MFA" improvement action: it tells you how many privileged accounts lack MFA, but not which ones. It only gives you a number. So I wrote a PowerShell script against Microsoft Graph to get the detail behind that number. The script provides:

  • List of all roles that have users allocated to them, and the users that are assigned the role
  • List of authentication methods for all users who have Azure AD Roles

# Import the module.
# If you need to install it, use "Install-Module Microsoft.Graph". Be prepared to wait 5-20 minutes for the install to finish!

if (Get-InstalledModule -Name Microsoft.Graph -ErrorAction SilentlyContinue) {
    Import-Module Microsoft.Graph.Identity.DirectoryManagement
    Import-Module Microsoft.Graph.Identity.SignIns
} else {
    Write-Host -ForegroundColor Yellow "Sorry - need to install the PS module. Use Install-Module Microsoft.Graph (prepare to wait 5-20 minutes for this to finish!)"
    exit
}

# Connect with the rights needed (read-only scopes are enough for this report)
Write-Host "Connecting to Tenant..."
Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# Get list of directory roles.
# Caveat: Get-MgDirectoryRole only returns roles that have been activated in the tenant
# (a built-in role is activated the first time it is assigned), and the members listed
# below are active assignments; PIM-eligible assignments do not appear here.
Write-Host "Getting list of roles..."
$roles = Get-MgDirectoryRole -All
$users = @{}

# Iterate through the roles showing who has what roles
foreach ($role in $roles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members) {
        Write-Host $role.DisplayName
        foreach ($member in $members) {
            # Role members are directory objects: usually users, but groups and service
            # principals can hold roles too, and Get-MgUser fails on those. Skip them with a note
            # rather than aborting the run.
            $memberType = $member.AdditionalProperties['@odata.type']
            if ($memberType -ne '#microsoft.graph.user') {
                Write-Host "  (skipping non-user member $($member.Id) of type $memberType)"
                continue
            }
            $user = Get-MgUser -UserId $member.Id
            $users[$member.Id] = $user.UserPrincipalName
            Write-Host "  $($user.UserPrincipalName)"
        }
        Write-Host
    }
}

# Now we have a list of users, let's find out what authentication methods they are using.
# Every user has a 'password' method; a user whose only method is 'password' has no MFA registered.
Write-Host -ForegroundColor Yellow "User authentication methods"
Write-Host "Gathering information: " -NoNewline
$userAuthMethods = @()
foreach ($userKey in $users.Keys) {
    $authenticatorMethods = Get-MgUserAuthenticationMethod -UserId $userKey
    $methods = @()
    foreach ($method in $authenticatorMethods) {
        # The concrete method type is only in @odata.type, e.g.
        # "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod". Strip the prefix and
        # suffix to get a short name such as "microsoftAuthenticator", "fido2" or "password".
        $type = $method.AdditionalProperties['@odata.type']
        $type = $type -replace '^#microsoft\.graph\.', ''
        $type = $type -replace 'AuthenticationMethod$', ''
        $methods += $type
    }
    Write-Host '.' -NoNewline
    $userAuthMethods += [PSCustomObject]@{
        Name                  = $users[$userKey]
        AuthenticationMethods = ($methods -join ', ')
    }
}
Write-Host
$userAuthMethods | Sort-Object -Property Name
Disconnect-MgGraph
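The script prints every method each privileged user has registered, but it still leaves you to eyeball the list for accounts whose only method is "password". The block below is an added example, not code from the original post: it classifies the @odata.type values that Get-MgUserAuthenticationMethod returns into MFA-capable or not, so the output names the password-only admins directly. The $StrongMethodTypes list, the function names and the three sample users are my assumptions; the sample data is constructed so the block runs without a tenant, and the commented call at the end shows how to feed it live Graph output together with the $users hashtable the script builds.

```powershell
# Added example, not part of the original post. Classifies the @odata.type values
# returned by Get-MgUserAuthenticationMethod so that password-only admins stand out.
# $StrongMethodTypes, the function names and the sample users are assumptions.

# Method types that can satisfy an Azure AD MFA challenge (assumed list).
# 'password' and 'email' (the SSPR address) cannot, so they are deliberately absent.
$StrongMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

function ConvertTo-ShortMethodName {
    # "#microsoft.graph.fido2AuthenticationMethod" -> "fido2"
    param([Parameter(Mandatory)][string]$ODataType)
    ($ODataType -replace '^#microsoft\.graph\.', '') -replace 'AuthenticationMethod$', ''
}

function Get-AuthMethodSummary {
    # One report row per user: which methods are registered and whether any is MFA-capable.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$MethodTypes
    )
    $strong = @($MethodTypes | Where-Object { $_ -in $StrongMethodTypes })
    [PSCustomObject]@{
        Name        = $UserPrincipalName
        Methods     = (($MethodTypes | ForEach-Object { ConvertTo-ShortMethodName $_ }) -join ', ')
        StrongCount = $strong.Count
        MfaCapable  = ($strong.Count -gt 0)
    }
}

function Get-PrivilegedUserMfaReport {
    # $Users is the same Id -> UPN hashtable the script builds. $Resolver is a scriptblock
    # that takes a user Id and returns its @odata.type list, so the same report logic can be
    # exercised with constructed data or against Graph.
    param(
        [Parameter(Mandatory)][hashtable]$Users,
        [Parameter(Mandatory)][scriptblock]$Resolver
    )
    foreach ($id in $Users.Keys) {
        $types = @(& $Resolver $id | Where-Object { $_ })   # drop $null / empty entries
        Get-AuthMethodSummary -UserPrincipalName $Users[$id] -MethodTypes $types
    }
}

# --- Constructed sample data (stands in for Graph output; runs without a tenant) ---
$sampleUsers = @{
    '11111111-0000-0000-0000-000000000001' = 'alice@contoso.example'
    '11111111-0000-0000-0000-000000000002' = 'bob@contoso.example'
    '11111111-0000-0000-0000-000000000003' = 'breakglass@contoso.example'
}
$sampleMethods = @{
    '11111111-0000-0000-0000-000000000001' = @('#microsoft.graph.passwordAuthenticationMethod',
                                               '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    '11111111-0000-0000-0000-000000000002' = @('#microsoft.graph.passwordAuthenticationMethod')
    '11111111-0000-0000-0000-000000000003' = @('#microsoft.graph.passwordAuthenticationMethod',
                                               '#microsoft.graph.emailAuthenticationMethod')
}
$report = Get-PrivilegedUserMfaReport -Users $sampleUsers -Resolver { param($id) $sampleMethods[$id] }
$report | Sort-Object MfaCapable, Name | Format-Table -AutoSize

# The answer the Secure Score item withholds: privileged accounts with no MFA-capable method.
$report | Where-Object { -not $_.MfaCapable } | Select-Object -ExpandProperty Name

# Live variant: the same report against the tenant. Requires a prior
# Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All" and the $users hashtable
# from the script above.
# Get-PrivilegedUserMfaReport -Users $users -Resolver {
#     param($id)
#     (Get-MgUserAuthenticationMethod -UserId $id) | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
# }
```

With the constructed data, alice is reported as MFA-capable and bob and breakglass are the two names printed by the last pipeline, because an SSPR e-mail address does not count as an MFA method. Phone (SMS/voice) is included in the strong list because Azure AD accepts it for MFA, but if your policy treats it as weak, drop it from $StrongMethodTypes and the report will flag SMS-only admins as well.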

This entry was posted in Powershell. Permalink: https://www.thesmithcave.nz/?p=353