Update Export-MsIdAzureMfaReport.ps1
merill committed Jun 8, 2024
1 parent 58aad19 commit 935c27d
Showing 1 changed file with 13 additions and 12 deletions.
25 changes: 13 additions & 12 deletions src/Export-MsIdAzureMfaReport.ps1
Expand Up @@ -17,11 +17,11 @@
- Required Microsoft Entra role: **Global Reader**
- Required permission scopes: **Directory.Read.All**, **AuditLog.Read.All**, **UserAuthenticationMethod.Read.All**
* This report will assist you in assessing the impact of the [Microsoft will require MFA for all Azure users](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391) rollout on your tenant.*
### Output
![Screenshot of a sample Azure MFA report](../assets/export-msidazuremfareport-sample.png)
* This report will assist you in assessing the impact of the [Microsoft will require MFA for all Azure users](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391) rollout on your tenant.
.DESCRIPTION
### Consenting to permissions
If this is the first time running `Connect-MgGraph` with the permission scopes listed above, the user consenting to the permissions will need to be in one of the following roles:
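Review bot: the relocated line at the end of this hunk still begins with `* ` (asterisk followed by a space), so markdown renders it as a one-item bullet list rather than the italic note the original trailing `*` implied; either write it as `*This report will assist you in assessing the impact of the [...] rollout on your tenant.*` with no space after the opening asterisk, or drop the leading asterisk and leave it as a plain sentence under the screenshot. Moving it below the `### Output` image is otherwise fine, and removing the unbalanced `.*` ending fixes the broken emphasis in the old line.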
Expand All @@ -31,8 +31,9 @@
After the initial consent the `Export-MsIdAzureMfaReport` cmdlet can be run by any user with the Microsoft Entra **Global Reader** role.
### Third party multi-factor authentication
The `MFA status` in this report is based on authentication methods registered by the user in Microsoft Entra. The `MFA status` is not applicable if your tenant uses a third party multi-factor authentication provider (including [Custom Controls](https://learn.microsoft.com/entra/identity/conditional-access/controls)).
### Identity federation and third-party multi-factor authentication
The `MFA status` in this report may not be accurate if you use identity federation or a third-party multi-factor authentication provider. See [MFA Status when using identity federation](#mfa-status-when-using-identity-federation).
### PowerShell 7.0
This cmdlet requires [PowerShell 7.0](https://learn.microsoft.com/powershell/scripting/install/installing-powershell) or later.
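Review bot: the new section softens "not applicable" to "may not be accurate" and drops the Custom Controls link, so an admin whose tenant uses a third-party MFA provider loses the one sentence that explained why every such user will show no registered methods; consider keeping that pointer, e.g. `... a third-party multi-factor authentication provider (including [Custom Controls](https://learn.microsoft.com/entra/identity/conditional-access/controls)).` Note also that the anchor `#mfa-status-when-using-identity-federation` only resolves if the later heading is renamed exactly to `MFA Status when using identity federation` (it is, in the next hunk) and only where this comment-based help (`.DESCRIPTION` through `#>`) is rendered as markdown; `Get-Help` will print the bracketed text verbatim.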
Expand Down Expand Up @@ -84,21 +85,21 @@
Export-MsIdAzureMfaReport ./report.xlsx -SignInsJsonPath ./signins.json
```
### MFA Status and Authentication Methods
### Delay in reporting MFA Status and Authentication Methods
The 'MFA Status' does not immediately reflect changes made to the user's authentication methods. Expect a delay of up to 24 hours for the report to reflect the latest MFA status.
The **MFA Status** does not immediately reflect changes made to the user's authentication methods. Expect a delay of up to 24 hours for the report to reflect the latest MFA status.
To get the latest MFA status use the `-UseAuthenticationMethodEndPoint` switch. This will use the user authentication method endpoint which is slower but reflects the latest MFA status.
To get the latest MFA status use the `-UseAuthenticationMethodEndPoint` switch. This option will get the latest user details but will take longer to export.
### Incorrect MFA Status when using identity federation
### MFA Status when using identity federation
Tenants configured with identity federation may not have accurate an **MFA Status** in this report unless MFA is enforced for Azure Portal access.
Tenants configured with identity federation may not have an accurate **MFA Status** in this report unless MFA is enforced for Azure Portal access.
To resolve this:
- Enforce MFA for these users using Conditional Access or Security Defaults.
- Entra ID premium tenants: [Conditional Access policy - Require MFA for Azure management](https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-azure-management)
- Entra ID free tenants: [Security Defaults](https://learn.microsoft.com/entra/fundamentals/security-defaults)
- [Conditional Access policy - Require MFA for Azure management](https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-azure-management) for Entra ID premium tenants.
- [Security Defaults](https://learn.microsoft.com/entra/fundamentals/security-defaults) for Entra ID free tenants.
- Request users to sign in to the Azure portal.
- Re-run this report to confirm their MFA status.
#>
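Review bot: the resolution steps end with "Re-run this report to confirm their MFA status", but the section just above states that MFA Status can lag authentication-method changes by up to 24 hours, so a reader who re-runs immediately after enforcing MFA and having users sign in may still see the stale value; either tell them to allow for that delay or point them to the `-UseAuthenticationMethodEndPoint` switch documented in the same hunk. Also, if the two reworded link bullets (Conditional Access policy, Security Defaults) are meant as sub-items of "Enforce MFA for these users ...", make sure they are indented under it; as siblings they read as three separate actions alongside "Request users to sign in" and "Re-run this report".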