powershell - MFA 对公司管理员的强制执行 Powershell
问题描述
我工作的公司有审计。我只需要代码来查看 Powershell 中的公司管理员组检查并验证他们是否通过 MFA 身份验证强制执行,或者是否强制执行其状态。网上搜了一下,想出了点点滴滴的代码。如果你们可以帮助我作为 IT 安全人员工作的代码,那么 Powershell 编码非常新,非常感谢,Powershell 编码不是其中的一部分
Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"
$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId
#not sure what this code is for
foreach ($c in $rm)
{
Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname
}
输出将是显示名称,其中包含名称 UserPrincipalName 将是公司管理员的电子邮件地址,MFA 状态输出将被强制执行
这是另一个代码
$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId
输出将在广告中显示角色成员类型电子邮件地址显示名称以及用户是否已获得许可 = true 或 false
谢谢,如果有人会回复这个
解决方案
我自己无法对此进行测试,因此请先在一组测试用户身上进行测试:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService –Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
# get the UserPrincipalName for this user
$upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
$mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $upn"
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $upn"
}
}
Get-MsolRole
使用和的替代代码Get-MsolRoleMember
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $($_.DisplayName)"
Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $($_.DisplayName)"
}
}
}
更新
如果您真正需要的只是报告“公司管理员”组中的人员及其 MFA ststus,则代码可以简单得多:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
$result = foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
# output an object to be collected in variable $result
[PsCustomObject]@{
'UserName' = $_.DisplayName
'EmailAddress' = $_.EmailAddress
'MFA_Status' = $status
}
}
}
# display on screen
$result | Format-Table -AutoSize
#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force
推荐阅读
- r - 根据 r 中的条件分组、删除重复项和交换值
- mysql - Mysql Foreach 从一张表到另一张表
- mongodb - 如何在 Python Eve 中使用 $in 聚合并通过 URL 分配变量?
- selenium - 如何使用 testNG 执行多个测试用例
- c# - 试图禁用 ListBox c# 中的几个项目
- go - 如何修复 go get: disabled by -mod=vendor
- android - 无法为 google maps api 申请更高的配额
- algorithm - 增强的第二次机会算法如何对已修改的更改有偏好?
- wordpress - 使用 WordPress 的 nginx 反向代理:acb.site.com/wp-admin 转到 abc.site.com:port/wp-admin
- visual-studio-mac - 如何在 Visual Studio for Mac 中获得上下文相关帮助?