Add MFA reset back in

KelvinTegelaar · Nov 4, 2024 · c744850 · c744850
1 parent ed0d2ec
commit c744850
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 33 deletions.
diff --git a/...blic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecBECRemediate.ps1 b/...blic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecBECRemediate.ps1
@@ -27,8 +27,9 @@ Function Invoke-ExecBECRemediate {
         $Step = 'Disable Account'
         Set-CIPPSignInState -userid $username -AccountEnabled $false -tenantFilter $TenantFilter -APIName $APINAME -ExecutingUser $User
         $Step = 'Revoke Sessions'
-        Revoke-CIPPSessions -userid $SuspectUser -username $request.body.username -ExecutingUser $User -APIName $APINAME -tenantFilter $TenantFilter
-
+        Revoke-CIPPSessions -userid $SuspectUser -username $username -ExecutingUser $User -APIName $APINAME -tenantFilter $TenantFilter
+        $Step = 'Remove MFA methods'
+        Remove-CIPPUserMFA -UserPrincipalName $username -TenantFilter $TenantFilter -ExecutingUser $User
         $Step = 'Disable Inbox Rules'
         $Rules = New-ExoRequest -anchor $username -tenantid $TenantFilter -cmdlet 'Get-InboxRule' -cmdParams @{Mailbox = $username; IncludeHidden = $true }
         $RuleDisabled = 0

diff --git a/...e/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecResetMFA.ps1 b/...e/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecResetMFA.ps1
@@ -17,37 +17,7 @@ Function Invoke-ExecResetMFA {
     $TenantFilter = $Request.Query.TenantFilter
     $UserID = $Request.Query.ID
     try {
-        Write-Host "Getting auth methods for $UserID"
-        $AuthMethods = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$UserID/authentication/methods" -tenantid $TenantFilter -AsApp $true
-        $Requests = [System.Collections.Generic.List[object]]::new()
-        foreach ($Method in $AuthMethods) {
-            if ($Method.'@odata.type' -and $Method.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod') {
-                $MethodType = ($Method.'@odata.type' -split '\.')[-1] -replace 'Authentication', ''
-                $Requests.Add(@{
-                        id     = "$MethodType-$($Method.id)"
-                        method = 'DELETE'
-                        url    = ('users/{0}/authentication/{1}s/{2}' -f $UserID, $MethodType, $Method.id)
-                    })
-            }
-        }
-        if (($Requests | Measure-Object).Count -eq 0) {
-            $Results = [pscustomobject]@{'Results' = "No MFA methods found for user $($Request.Query.ID)" }
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                    StatusCode = [HttpStatusCode]::OK
-                    Body       = $Results
-                })
-            return
-        }
-
-        $Results = New-GraphBulkRequest -Requests $Requests -tenantid $TenantFilter -asapp $true -erroraction stop
-
-
-        if ($Results.status -eq 204) {
-            $Results = [pscustomobject]@{'Results' = "Successfully completed request. User $($Request.Query.ID) must supply MFA at next logon" }
-        } else {
-            $FailedAuthMethods = (($Results | Where-Object { $_.status -ne 204 }).id -split '-')[0] -join ', '
-            $Results = [pscustomobject]@{'Results' = "Failed to reset MFA methods for $FailedAuthMethods" }
-        }
+        $Results = Remove-CIPPUserMFA -UserPrincipalName $UserID -TenantFilter $TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
     } catch {
         $Results = [pscustomobject]@{'Results' = "Failed to reset MFA methods for $($Request.Query.ID): $(Get-NormalizedError -message $_.Exception.Message)" }
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to reset MFA for user $($Request.Query.ID): $($_.Exception.Message)" -Sev 'Error' -LogData (Get-CippException -Exception $_)

diff --git a/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1 b/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1
@@ -0,0 +1,65 @@
+function Remove-CIPPUserMFA {
+    <#
+    .SYNOPSIS
+    Remove MFA methods for a user
+
+    .DESCRIPTION
+    Remove MFA methods for a user using bulk requests to the Microsoft Graph API
+
+    .PARAMETER UserPrincipalName
+    UserPrincipalName of the user to remove MFA methods for
+
+    .PARAMETER TenantFilter
+    Tenant where the user resides
+
+    .EXAMPLE
+    Remove-CIPPUserMFA -UserPrincipalName [email protected] -TenantFilter contoso.com
+
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    Param(
+        [Parameter(Mandatory = $true)]
+        [string]$UserPrincipalName,
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter(Mandatory = $false)]
+        [string]$ExecutingUser = 'CIPP'
+    )
+
+    Write-Information "Getting auth methods for $UserPrincipalName"
+    $AuthMethods = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/methods" -tenantid $TenantFilter -AsApp $true
+    $Requests = [System.Collections.Generic.List[object]]::new()
+    foreach ($Method in $AuthMethods) {
+        if ($Method.'@odata.type' -and $Method.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod') {
+            $MethodType = ($Method.'@odata.type' -split '\.')[-1] -replace 'Authentication', ''
+            $Requests.Add(@{
+                    id     = "$MethodType-$($Method.id)"
+                    method = 'DELETE'
+                    url    = ('users/{0}/authentication/{1}s/{2}' -f $UserPrincipalName, $MethodType, $Method.id)
+                })
+        }
+    }
+    if (($Requests | Measure-Object).Count -eq 0) {
+        Write-LogMessage -API 'Remove-CIPPUserMFA' -tenant $TenantFilter -message "No MFA methods found for user $UserPrincipalName" -sev 'Info'
+        $Results = [pscustomobject]@{'Results' = "No MFA methods found for user $($Request.Query.ID)" }
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = $Results
+            })
+        return
+    }
+
+    if ($PSCmdlet.ShouldProcess("Remove MFA methods for $UserPrincipalName")) {
+        $Results = New-GraphBulkRequest -Requests $Requests -tenantid $TenantFilter -asapp $true -erroraction stop
+        if ($Results.status -eq 204) {
+            Write-LogMessage -API 'Remove-CIPPUserMFA' -tenant $TenantFilter -message "Successfully removed MFA methods for user $UserPrincipalName" -sev 'Info'
+            $Results = [pscustomobject]@{'Results' = "Successfully completed request. User $($Request.Query.ID) must supply MFA at next logon" }
+        } else {
+            $FailedAuthMethods = (($Results | Where-Object { $_.status -ne 204 }).id -split '-')[0] -join ', '
+            Write-LogMessage -API 'Remove-CIPPUserMFA' -tenant $TenantFilter -message "Failed to remove MFA methods for $FailedAuthMethods" -sev 'Error'
+            $Results = [pscustomobject]@{'Results' = "Failed to reset MFA methods for $FailedAuthMethods" }
+        }
+    }
+
+    return $Results
+}