时间戳

首页 > 解决方案 > MFA 对公司管理员的强制执行 Powershell

powershell - MFA 对公司管理员的强制执行 Powershell

问题描述

我工作的公司有审计。我只需要代码来查看 Powershell 中的公司管理员组检查并验证他们是否通过 MFA 身份验证强制执行,或者是否强制执行其状态。网上搜了一下,想出了点点滴滴的代码。如果你们可以帮助我作为 IT 安全人员工作的代码,那么 Powershell 编码非常新,非常感谢,Powershell 编码不是其中的一部分

Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"

$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId

#not sure what this code is for

foreach ($c in $rm)
{

Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname

}

输出将是显示名称,其中包含名称 UserPrincipalName 将是公司管理员的电子邮件地址,MFA 状态输出将被强制执行

这是另一个代码

$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId

输出将在广告中显示角色成员类型电子邮件地址显示名称以及用户是否已获得许可 = true 或 false

谢谢,如果有人会回复这个

标签: powershellpowershell-3.0powershell-4.0multi-factor-authentication

解决方案

我自己无法对此进行测试,因此请先在一组测试用户身上进行测试:

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService –Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { 
    # get the UserPrincipalName for this user
    $upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
    $mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
    if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
        Write-Host "Enforcing MFA for user $upn"
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
    else {
        Write-Host "MFA is already enforced for user $upn"
    }
}

Get-MsolRole使用和的替代代码Get-MsolRoleMember

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
            Write-Host "Enforcing MFA for user $($_.DisplayName)"
            Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
        else {
            Write-Host "MFA is already enforced for user $($_.DisplayName)"
        }
    }
}

更新

如果您真正需要的只是报告“公司管理员”组中的人员及其 MFA ststus,则代码可以简单得多:

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred

# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
$result = foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
        # output an object to be collected in variable $result
        [PsCustomObject]@{
            'UserName'     = $_.DisplayName
            'EmailAddress' = $_.EmailAddress
            'MFA_Status'   = $status
        }
    }
}

# display on screen
$result | Format-Table -AutoSize

#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force

推荐阅读