MFA对公司管理员Powershell的强制执行_Powershell_Powershell 3.0_Powershell 4.0_Multi Factor Authentication

MFA对公司管理员Powershell的强制执行

powershell

MFA对公司管理员Powershell的强制执行,powershell,powershell-3.0,powershell-4.0,multi-factor-authentication,Powershell,Powershell 3.0,Powershell 4.0,Multi Factor Authentication,我工作的公司有一个审计部门。我只需要这些代码就可以看到Powershell中的集团公司管理员检查并验证他们是否强制使用MFA身份验证，或者更确切地说是强制执行他们的状态。在网上搜索得到了一些零碎的代码。非常新的Powershell编码，非常感谢你们的帮助，我作为It安全人员工作，Powershell编码不是它的一部分 Connect-MsolService #I think this will get company admins $role = Get-MsolRole -rolename "

我工作的公司有一个审计部门。我只需要这些代码就可以看到Powershell中的集团公司管理员检查并验证他们是否强制使用MFA身份验证，或者更确切地说是强制执行他们的状态。在网上搜索得到了一些零碎的代码。非常新的Powershell编码，非常感谢你们的帮助，我作为It安全人员工作，Powershell编码不是它的一部分

Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"

$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId

#not sure what this code is for

foreach ($c in $rm)
{

Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname

}

输出将是包含名称的Displayname UserPrincipalName将是公司管理员的电子邮件地址和MFA状态输出将被强制执行

这是另一个代码

$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId

输出将在Ad中显示Rolemember类型电子邮件地址Displayname 如果用户获得许可=true或false

谢谢，如果有人回复此问题

我自己无法测试此问题，请先在一组测试用户上试用：

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService –Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { 
    # get the UserPrincipalName for this user
    $upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
    $mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
    if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
        Write-Host "Enforcing MFA for user $upn"
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
    else {
        Write-Host "MFA is already enforced for user $upn"
    }
}

使用

Get MsolRole

和

Get MsolRoleMember

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred

# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State        = "Enforced"

# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
            Write-Host "Enforcing MFA for user $($_.DisplayName)"
            Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        }
        else {
            Write-Host "MFA is already enforced for user $($_.DisplayName)"
        }
    }
}

更新

如果您真正需要的只是“公司管理员”组中的人员及其MFA STSTU的报告，那么代码可以简单得多：

# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService –Credential $cred

# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrators"
$result = foreach ($role in $roles) {
    # get the list of members for this role and loop through
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        $mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
        if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
        # output an object to be collected in variable $result
        [PsCustomObject]@{
            'UserName'     = $_.DisplayName
            'EmailAddress' = $_.EmailAddress
            'MFA_Status'   = $status
        }
    }
}

# display on screen
$result | Format-Table -AutoSize

#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force

稍后将尝试此操作，并添加了以前使用的系统管理员之一的示例代码片段。他们需要的输出是相同的，但我猜代码只是被截断了，或者只显示了一部分。@ChristianGallego请不要添加代码片段作为指向代码图像的链接。取而代之的是你的问题，并将其作为代码格式的文本输入。当然，首先要清理敏感信息。@ChristianGallego我只使用MSOnline cmdlet添加了替代代码。再次说明：由于我无法亲自测试，因此在测试过程中，我无法在测试用户身上进行测试或注释掉行

Set MsolUser..

。我的错误@Theo公司管理员只需显示MFA状态，无需强制执行。例如，如果用户管理员没有MFA，则只需显示。谢谢你advance@ChristianGallego我已经用代码更新了我的答案，仅检索MFA状态。电子邮件地址并不总是与UserPrincipalName相同。它们共享相同的格式，但您可以使用EmailAddress

john的用户。doe@somecompany.com

具有UserPrincipalName

jdoe@somecompany.com

。代码应始终使用

Get-ADUser

进行检查，以获取与

Get-MsolUser

和

Set-MsolUser

一起使用的真实用户名。对于这些cmdlet，还可以使用

ObjectId

而不是

UserPrincipalName

。另外，

Get-MsolRoleMember

返回一个角色成员对象数组，因此

foreach{..}

循环。