The script can be used to obtain the status of multi-factor authentication for a user in Microsoft 365 (Office 365). To execute the script, use the Run a program or PowerShell script action in a custom command, business rule or scheduled task. To connect to Microsoft 365, the script uses the credentials specified in the Run As section of the action settings.
For the script to work, you need to install Microsoft Azure Active Directory Module on each computer where Adaxes service is running.
PowerShell
# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

# Connect to Azure AD
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Output MFA status
$user = Get-MsolUser -ObjectId $objectId
if ($user.StrongAuthenticationRequirements.State -ne $NULL)
{
    $Context.LogMessage("Multi-factor authentication is enabled for user %fullname%.", "Information")
}
else
{
    $Context.LogMessage("Multi-factor authentication is disabled for user %fullname%.", "Information")
}
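The check in the script reports any non-empty state as "enabled", while per-user MFA in Microsoft 365 has three states: Disabled, Enabled (the user is flagged but may not have registered yet) and Enforced. The following is an added example, not part of the Adaxes script or repository, that separates the three; `Get-MfaState` is a hypothetical helper name and the sample users are constructed objects shaped like `Get-MsolUser` output so the block runs without Adaxes or a tenant connection.

```powershell
# Added example: classify per-user MFA state from a Get-MsolUser-shaped object.
# Get-MfaState is a hypothetical helper; it is not an Adaxes or MSOnline cmdlet.
function Get-MfaState
{
    param(
        [Parameter(Mandatory = $true)]
        $User
    )

    # StrongAuthenticationRequirements is empty (or null) when per-user MFA is off.
    # Collect every non-empty State value as a string so the comparison below
    # works whether the property holds zero, one or several entries.
    $states = @(
        $User.StrongAuthenticationRequirements |
            ForEach-Object { [string]$_.State } |
            Where-Object { $_ }
    )

    if ($states -contains "Enforced") { return "Enforced" }
    if ($states -contains "Enabled")  { return "Enabled" }
    return "Disabled"
}

# Constructed sample input (not real accounts).
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = "alice@example.com"
                       StrongAuthenticationRequirements = @() },
    [pscustomobject]@{ UserPrincipalName = "bob@example.com"
                       StrongAuthenticationRequirements = @([pscustomobject]@{ State = "Enabled" }) },
    [pscustomobject]@{ UserPrincipalName = "carol@example.com"
                       StrongAuthenticationRequirements = @([pscustomobject]@{ State = "Enforced" }) }
)

# Build a username/status report and list the accounts that still need MFA.
$report = foreach ($u in $sampleUsers)
{
    [pscustomobject]@{ User = $u.UserPrincipalName; MfaState = Get-MfaState -User $u }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.MfaState -eq "Disabled" } | Select-Object -ExpandProperty User
```

Inside Adaxes, the object returned by `Get-MsolUser -ObjectId $objectId` can be passed to the helper in place of the sample users. This property reflects per-user MFA only; MFA required through Conditional Access policies does not appear in it.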
I'd like to get an overview of missed MFA activations for a complete OU.
Looks like I can only run this one by one.
Any chance to let it run for multiple users and get a simple overview of which ones need to be activated?
This particular script can only be executed on a single user. If you need information for multiple users, we can provide you with another script that will be used to generate a report. For us to provide you with a solution, please, specify the version of Adaxes you are currently using. For information on how to check that, see https://www.adaxes.com/help/?HowDoI.ManageService.CheckAdaxesServiceVersion.html.
Any additional details and live examples of the desired behavior will be much appreciated.
As was mentioned above, we do not have such a script in our repository, and to provide it we need to know the Adaxes version and what exactly should be included in the report. Once we have the information, we will be able to provide the script.
version: 3.13.18625 (latest)
report: username: status(disabled/enabled/enforced)
report runs on OU
would be great!
Thank you for the provided details. Please, have a look at the following script from our repository: https://www.adaxes.com/script-repository/status-of-users-mfa-in-microsoft-365-s601.htm.
The script is intended to generate a report of users and their MFA statuses in Microsoft 365. It cannot be executed for a single user. The scope should be an OU or container.
You cannot call a method on a null-valued expression.
At C:\temp\user-mfa.ps1:8 char:5
+ $Context.LogMessage("The user %fullname% doesn't have a Microsoft ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is null.
At C:\temp\user-mfa.ps1:13 char:64
+ ... rtTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSe
cureStringCommand
Yes, the script was tested and works fine. It can only be used in Adaxes (e.g. in a business rule or custom command). The script cannot be executed in Windows PowerShell as it uses the built-in Adaxes variable $Context.