Merge pull request #264 from DChorn-ANS/dev

Check all admin roles for MFA
KelvinTegelaar · Feb 3, 2023 · 447bb8a · 447bb8a
2 parents 8a7ad2c + 0f46350
commit 447bb8a
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1
@@ -50,25 +50,24 @@ try {
         }
         { $_.'MFAAdmins' -eq $true } {
             try {
-                $AdminIds = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&expand=principal" -tenantid $($tenant.tenant)).principal
-                $AdminList = Get-CIPPMSolUsers -tenant $tenant.tenant | Where-Object -Property ObjectID -In $AdminIds.id
                 $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
-                $AdminList | Where-Object { $_.Usertype -eq 'Member' -and $_.BlockCredential -eq $false } | ForEach-Object {
-                    try {               
-                (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ObjectID)/authentication/Methods" -tenantid $($tenant.tenant)) | ForEach-Object {
-                            if ($_.'@odata.type' -in $StrongMFAMethods -and !$CARegistered) { 
+                $AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($tenant.tenant) | Where-Object -Property roleTemplateId -ne 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | where-object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | sort-object UserPrincipalName -Unique
+                $AdminList | ForEach-Object {
+                    $CARegistered = $null
+                    try {
+            (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($tenant.tenant)) | ForEach-Object {
+                            if ($_.'@odata.type' -in $StrongMFAMethods) { 
                                 $CARegistered = $true; 
-                            } }
+                            } 
+                        }
                         if ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -eq $null -and $CARegistered -ne $true) { "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured." }
                     }
                     catch {
-                        $CARegistered = $false
                     }
                 }
             }
             catch {
                 "Could not get MFA status for admins for $($Tenant.tenant): $($_.Exception.message)"
-
             }
         }
         { $_.'MFAAlertUsers' -eq $true } {