我所在的公司接受审核。我只需要代码来查看Powershell中的Company Administrators组即可检查并验证它们是否通过MFA身份验证强制执行,或者是否使其状态强制执行。在网上进行搜索时想出了一些零碎的代码。 Powershell编码非常新,如果能为我提供帮助,我非常感谢它作为It Security的一部分,而Powershell编码不是其中的一部分
Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"
$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId
#not sure what this code is for
foreach ($c in $rm)
{
Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname
}
输出将是包含名称的Displayname UserPrincipalName将是公司管理员的电子邮件地址 并且将强制执行MFA状态输出
这是其他代码
$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId
输出将在广告中显示Rolemember类型的电子邮件地址Displayname 并且如果用户被许可=真或假
感谢是否有人会回复
答案 0 :(得分:0)
我自己无法测试,因此请首先在一组测试用户上进行尝试:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService –Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
# get the UserPrincipalName for this user
$upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
$mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $upn"
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $upn"
}
}
使用Get-MsolRole和Get-MsolRoleMember的替代代码
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $($_.DisplayName)"
Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $($_.DisplayName)"
}
}
}
如果您真正需要的只是报告“ Company Administrators”组及其MFA ststus中的人员,那么代码可以简单得多:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
$result = foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
# output an object to be collected in variable $result
[PsCustomObject]@{
'UserName' = $_.DisplayName
'EmailAddress' = $_.EmailAddress
'MFA_Status' = $status
}
}
}
# display on screen
$result | Format-Table -AutoSize
#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force