Enforcing MFA for Company Administrators in PowerShell
The company I work for has an audit department. I just need code that lets me see the Company Administrators group in PowerShell, check the members and verify whether they are required to use MFA authentication, or more precisely, show their enforcement status. Searching online turned up a few bits and pieces of code. I am very new to PowerShell coding, so your help is much appreciated; I work as IT security and PowerShell coding is not part of that.
Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"
$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId
#not sure what this code is for
foreach ($c in $rm)
{
    Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname
}
The output would be the DisplayName containing the name, the UserPrincipalName would be the company administrator's email address, and the MFA status output would be Enforced.
Here is another piece of code:
$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId
The output shows RoleMemberType, EmailAddress and DisplayName from AD, and whether the user IsLicensed = true or false.
Thank you in advance to anyone who answers this.

Since I cannot test this myself, please try it first on a set of test users:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService -Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    # get the UserPrincipalName for this user
    $upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
    $mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
    if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
        Write-Host "Enforcing MFA for user $upn"
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
    else {
        Write-Host "MFA is already enforced for user $upn"
    }
}
Using Get-MsolRole and Get-MsolRoleMember:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get a list of administrator roles (possibly only one role object is returned)
# note: the MSOnline role name is "Company Administrator" (singular), as in the question
$roles = Get-MsolRole -RoleName "Company Administrator"
foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
            Write-Host "Enforcing MFA for user $($_.DisplayName)"
            Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
        else {
            Write-Host "MFA is already enforced for user $($_.DisplayName)"
        }
    }
}
UPDATE: If all you really need is a report of the people in the "Company Administrators" group and their MFA status, the code can be much simpler:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
# get a list of administrator roles (possibly only one role object is returned)
# note: the MSOnline role name is "Company Administrator" (singular), as in the question
$roles = Get-MsolRole -RoleName "Company Administrator"
$result = foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
        # output an object to be collected in variable $result
        [PsCustomObject]@{
            'UserName'     = $_.DisplayName
            'EmailAddress' = $_.EmailAddress
            'MFA_Status'   = $status
        }
    }
}
# display on screen
$result | Format-Table -AutoSize
# output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force
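A report-only variant of the answer above, added here as an example and not part of the original answer: it resolves the role by its MSOnline name, skips role members that are not users (Get-MsolRoleMember also returns groups and service principals, which Get-MsolUser cannot look up), reads the user by ObjectId rather than by EmailAddress, and returns objects the audit team can filter. The function name and the CSV path are my own choices; it assumes Connect-MsolService has already been run.

```powershell
# Added example (not from the answer above). Requires the MSOnline module and an
# already-established session: Connect-MsolService -Credential (Get-Credential)
function Get-CompanyAdminMfaReport {
    [CmdletBinding()]
    param(
        # MSOnline display name of the role; "Company Administrator" is the
        # Global Administrator role in this module.
        [string]$RoleName = 'Company Administrator'
    )

    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }

    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            # Look up by ObjectId: EmailAddress is not always the UserPrincipalName
            $user  = Get-MsolUser -ObjectId $_.ObjectId
            $req   = @($user.StrongAuthenticationRequirements)
            $state = if ($req.Count -eq 0) { 'Disabled' } else { $req[0].State }

            [PSCustomObject]@{
                DisplayName       = $user.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                EmailAddress      = $_.EmailAddress
                PerUserMfaState   = $state   # Disabled / Enabled / Enforced
                MethodsRegistered = @($user.StrongAuthenticationMethods).Count
                Compliant         = ($state -eq 'Enforced')
            }
        }
}

# Usage: show every member and export the ones whose per-user MFA is not enforced.
# Caveat: this reflects only the legacy per-user MFA setting; admins protected by a
# Conditional Access policy or Security Defaults still show 'Disabled' here.
$report = Get-CompanyAdminMfaReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    Export-Csv -Path '.\NonCompliantAdmins.csv' -NoTypeInformation
```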
I will try this later. I have also added an example code snippet that one of the previous system administrators used. The output they need is the same, but I guess the code was just truncated or only part of it is shown.

@ChristianGallego Please do not add code snippets as links to images of code. Instead, edit your question and enter it as code-formatted text. Of course, clean out sensitive information first.

@ChristianGallego I have added alternative code that uses only the MSOnline cmdlets. Again: because I cannot test this myself, try it on test users or comment out the Set-MsolUser.. line while testing.

My mistake @Theo, for the company administrators I only need to show the MFA status, no need to enforce it. For example, if a user administrator does not have MFA, just show that. Thanks in advance.

@ChristianGallego I have updated my answer with code that only retrieves the MFA status. The EmailAddress is not always the same as the UserPrincipalName. They share the same format, but you can have a user with EmailAddress john.doe@somecompany.com and UserPrincipalName jdoe@somecompany.com. The code should always check with Get-ADUser to get the real user name to use with Get-MsolUser and Set-MsolUser. For these cmdlets you can also use the ObjectId instead of the UserPrincipalName. Also, Get-MsolRoleMember returns an array of role member objects, hence the foreach{..} loop.