0 votes

I'm new to the platform, so please bear with me. I'm working on a business rule that checks accounts in our new users OU to see if MFA is enabled. I have an Adaxes App in Azure with all the proper permissions; running the script outside of Adaxes works as expected, but I don't know how to connect to MgGraph via Adaxes PowerShell.

In Powershell I run Connect-MgGraph -ClientID 999999 -TenantId 9999999 -CertificateThumbprint 9999999 then proceed to run my script

When I put the same in Adaxes I get an error msg: Certificate with thumbprint '9999999' was not found in certificate store or has expired. Stack trace: at <ScriptBlock>, <No file>: line 12

I tried

$graphToken = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
Connect-MgGraph -AccessToken $graphToken

but that results in error: Cannot bind parameter 'AccessToken'. Cannot convert the "eyJ0eXAiOiJKV1QiLCJub25jZSI6ImiusaWfQ" value of type "System.String" to type "System.Security.SecureString". Stack trace: at <ScriptBlock>, <No file>: line 12

Any help would be wonderful!

by (120 points)

1 Answer

0 votes
by (272k points)

Hello,

The approach with the $Context variable used to work fine. Looks like there were some changes in the PowerShell module. The following approach works fine:

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force
Connect-MgGraph -AccessToken $token
0

So I tried that, now I get the following error msg: Access token has expired or is not yet valid. Stack trace: Access token has expired or is not yet valid. Stack trace: at Get-MgUser<Process>

0

Hello,

Please, provide us with the full script you are using. Also, please, describe the desired behavior in all the possible details with live examples.

0

Thanks for the speedy replies!

Here is what we are looking to do. Within a 2 week period after a new user starts we need to enable MFA. This script should use graph to check and see if MFA is enabled and present the method. If the user is not MFA enabled the user gets added to a security group which is queried by a business unit. I also have a custom attribute for MFA status that should get set to false if MFA is disabled. Outside of Adaxes the script works - it drops the user in the security group and spits out the txt file that looks like this:

user : username@example.com
MFAstatus : Disabled
email : -
fido2 : -
app : -
password : True
phone : -
softwareoath : -
tempaccess : -
hellobusiness : -

Here is the script:

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force
Connect-MgGraph -AccessToken $token

# Adaxes flag for MFA (boolean custom attribute, so a boolean value is stored)
$attributeName = "adm-CustomAttributeBoolean12"
$MFAValue = $false

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

$users = Get-MgUser -UserId $objectId

# Set the group to add disabled MFA users
$disabledMfaGroup = "MFA Not Enabled"

# Get the AD group
$adGroup = Get-ADGroup -Identity $disabledMfaGroup

# Collected result objects (initialised so += builds an array)
$results = @()

# Loop through each user account
foreach ($user in $users) {

    Write-Host "`n$($user.UserPrincipalName)"
    $myObject = [PSCustomObject]@{
        user               = "-"
        MFAstatus          = "-"
        email              = "-"
        fido2              = "-"
        app                = "-"
        password           = "-"
        phone              = "-"
        softwareoath       = "-"
        tempaccess         = "-"
        hellobusiness      = "-"
    }

    $MFAData = Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName

    $myObject.user = $user.UserPrincipalName

    # Check authentication methods for each user
    foreach ($method in $MFAData) {

        switch ($method.AdditionalProperties["@odata.type"]) {
            "#microsoft.graph.emailAuthenticationMethod" {
                $myObject.email = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.fido2AuthenticationMethod" {
                $myObject.fido2 = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                $myObject.app = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.passwordAuthenticationMethod" {
                $myObject.password = $true
                # When only the password is set, then MFA is disabled.
                if ($myObject.MFAstatus -ne "Enabled")
                {
                    $myObject.MFAstatus = "Disabled"
                }
            }
            "#microsoft.graph.phoneAuthenticationMethod" {
                $myObject.phone = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.softwareOathAuthenticationMethod" {
                $myObject.softwareoath = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.temporaryAccessPassAuthenticationMethod" {
                $myObject.tempaccess = $true
                $myObject.MFAstatus = "Enabled"
            }
            "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
                $myObject.hellobusiness = $true
                $myObject.MFAstatus = "Enabled"
            }
        }
    }

    # Evaluate only after every method has been checked, so a user whose password
    # method happens to be returned first is not flagged before the other methods are seen.
    # If MFA is not enabled, add user to the Disabled MFA Users AD group
    if ($myObject.MFAstatus -eq "Disabled") {

        # Set Adaxes flag to easily find users who aren't compliant
        $Context.TargetObject.Put($attributeName, $MFAValue)
        $Context.TargetObject.SetInfo()

        # Get the AD user using the UPN (the -Filter parser accepts plain variables,
        # not property expressions such as $user.UserPrincipalName)
        $upn = $user.UserPrincipalName
        $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"

        # Check if the user was found and is not already in the group
        if ($adUser -and !(Get-ADGroupMember -Identity $adGroup -Recursive | Where-Object { $_.SamAccountName -eq $adUser.SamAccountName })) {
            # If not, add the user to the group
            Add-ADGroupMember -Identity $adGroup -Members $adUser
        }
    }

    # Collecting objects
    $results += $myObject
}

# Save results to a compliance folder
$results | Out-File -FilePath 'D:\MFA List.txt' -Append
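Two helpers that address the two problems in this thread, written as an added example (not code from the original post or from Adaxes): Test-JwtLifetime decodes the exp/nbf claims of the access token GetAzureAuthAccessToken returns so an "expired or not yet valid" token is reported before Connect-MgGraph is called, and Get-MfaStatus classifies the @odata.type values the script above switches on, treating password and the SSPR-only email method as non-MFA. The sample token and method objects at the end are constructed for illustration.

```powershell
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Decode the JWT payload (no signature check; Graph validates the signature) and
# compare exp/nbf with the current time before the token is handed to Connect-MgGraph.
function Test-JwtLifetime([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $nbf = if ($claims.PSObject.Properties['nbf']) { [long]$claims.nbf } else { 0 }
    [pscustomobject]@{
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        IsValid    = ($nbf -le $now) -and ([long]$claims.exp -gt $now)
    }
}

# Methods that satisfy MFA. Password is single-factor and the email method is
# registered for self-service password reset, so neither counts here.
$MfaMethods = 'fido2', 'microsoftAuthenticator', 'phone', 'softwareOath', 'temporaryAccessPass', 'windowsHelloForBusiness'

function Get-MfaStatus($Methods) {
    # $Methods: objects shaped like Get-MgUserAuthenticationMethod output
    $types  = @(foreach ($m in $Methods) { $m.AdditionalProperties['@odata.type'] })
    $short  = @($types -replace '^#microsoft\.graph\.|AuthenticationMethod$', '')
    $strong = @($short | Where-Object { $MfaMethods -contains $_ })
    [pscustomobject]@{
        MFAstatus = if ($strong.Count -gt 0) { 'Enabled' } else { 'Disabled' }
        Methods   = $short -join ','
    }
}

# Constructed sample data: a token that expired in Nov 2023 and a user with only
# password + email registered. Expected: IsValid False; MFAstatus Disabled.
$payload = @{ nbf = 1700000000; exp = 1700003600 } | ConvertTo-Json -Compress
$fake = '{0}.{1}.' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload)
Test-JwtLifetime $fake
Get-MfaStatus @(
    [pscustomobject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } },
    [pscustomobject]@{ AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.emailAuthenticationMethod' } }
)
```

In an Adaxes script, pass the string returned by $Context.CloudServices.GetAzureAuthAccessToken to Test-JwtLifetime and log ExpiresUtc with $Context.LogMessage before converting it to a SecureString, which shows whether the token itself is stale or the failure happens later in the Graph call.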
0

Hello,

The script itself looks fine. How exactly do you execute it? Does the issue occur for all users or only for some? Does it occur for the same accounts on each run?

Also, please, specify the version of Adaxes (including the build number) you are currently using. For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

Any additional details will be much appreciated.

0

Sorry for the delay - I'm attempting to run this as a scheduled task weekly on an AD security group that is populated with new users who started over the past month.

Adaxes version 3.16.21627.0 (64 bit)

0

Hello,

What about the other questions from our previous post? Here they are again:

  • Does the issue occur for all users or only for some?
  • Does it occur for the same accounts on each run?

Also, please, specify the quantity of users in the group and provide a screenshot of the scheduled task including the full Activity Scope section. You can post the screenshot here or send it to us at support@adaxes.com.
