Office365 Powershell

Soldato
Joined
30 Sep 2005
Posts
16,551
Hi Everyone,

I have knocked up a quick PowerShell script to enforce MFA for all O365 users, however I need to exclude anyone who is a member of a certain group.

Here's the code I have come up with.

Can anyone do any better?

Code:
$Fulldate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"   # was never set, so the log line had an empty date

$users = Get-MsolUser -All | where {$_.StrongAuthenticationRequirements.state -notlike "Enforced"} | select userprincipalname

#--- Setting MFA status to Enforced ---
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enforced"
$sta = @($st)

foreach ($user in $users)
{
    $user = $user.userprincipalname

    foreach ($Group in (Get-MsolGroup -All | where-object {$_.displayname -eq "MFA-Excluded"}))
    {
        # -All so the membership is not cut off at the default page size
        $members = Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All

        # Only enforce when this user is NOT a member of the exclusion group.
        # (Testing for "any member whose address is not this user" was true for every
        # user as soon as the group had one other member, so nobody was excluded.)
        if (-not ($members | where {$_.Emailaddress -eq $user})) {
            write-host "Setting MFA for user $user to Enforced" -ForegroundColor Green
            Add-Content "C:\mfa\log.txt" "$Fulldate - Setting MFA for user $user to Enforced"
            Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
        }
    }
}

Thanks!!
 
Soldato
Joined
4 Nov 2006
Posts
2,752
Location
Yorkshire
What about something like this

Code:
# -GroupObjectId wants the group's ObjectId, not its display name, so resolve it first
$grouptoexclude = (Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "***insert name of group***"}).ObjectId
# -All so a large group is not truncated at the default page size
$certaingroupmembers = (Get-MsolGroupMember -GroupObjectId $grouptoexclude -MemberObjectTypes user -All).ObjectId


Then change your query to something like
Code:
$users = Get-MsolUser -All | where {$_.StrongAuthenticationRequirements.state -notlike "Enforced" -and  $_.ObjectID -notin $certaingroupmembers} | select userprincipalname


You get the idea
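Putting the two posts together, here is an added example (not code from either poster) of the full script with the group looked up once by ObjectId, a -WhatIf dry run, a log, and a verification pass. It assumes the MSOnline module and an open Connect-MsolService session; the group name "MFA-Excluded" and the log path are placeholders.

```powershell
# Added example, not code from the thread: enforce MFA for everyone except members of one
# exclusion group, with -WhatIf support and a log. Assumes the MSOnline module and an open
# Connect-MsolService session; the group name and log path are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ExcludeGroupName = "MFA-Excluded",
    [string]$LogPath = "C:\mfa\log.txt"
)

# Resolve the group by exact display name and fail if it is missing or ambiguous: a silent
# miss here would exclude nobody and enforce MFA on every account.
$group = @(Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $ExcludeGroupName })
if ($group.Count -ne 1) { throw "Expected one group named '$ExcludeGroupName', found $($group.Count)" }

# Fetch the membership once (-All avoids the default page-size cut-off) and key a hashtable on
# ObjectId, so the per-user test is a lookup rather than a string compare on e-mail addresses.
$excluded = @{}
Get-MsolGroupMember -GroupObjectId $group[0].ObjectId -MemberObjectTypes User -All |
    ForEach-Object { $excluded[$_.ObjectId.ToString()] = $true }

# Per-user MFA requirement object, as in the original script.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enforced"
$sta = @($req)

# Anything not already Enforced is a candidate: "Enabled" and "no requirement at all" both count.
function Get-PendingUser {
    Get-MsolUser -All | Where-Object {
        $_.StrongAuthenticationRequirements.State -ne "Enforced" -and
        -not $excluded.ContainsKey($_.ObjectId.ToString())
    }
}

foreach ($u in Get-PendingUser) {
    $line = "{0} - Setting MFA for user {1} to Enforced" -f (Get-Date -Format s), $u.UserPrincipalName
    # With -WhatIf, ShouldProcess prints the intended change and returns $false, so nothing is written.
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set MFA state to Enforced")) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements $sta
        Add-Content -Path $LogPath -Value $line
        Write-Host $line -ForegroundColor Green
    }
}

# Verification pass: any non-excluded user still not Enforced means a write failed.
$left = @(Get-PendingUser)
Write-Host ("{0} user(s) still not Enforced" -f $left.Count)
```

Save it as a .ps1 and run it with -WhatIf first to see the list of accounts that would be changed before anything is written.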
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,551
What about something like this

Code:
# -GroupObjectId wants the group's ObjectId, not its display name, so resolve it first
$grouptoexclude = (Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "***insert name of group***"}).ObjectId
# -All so a large group is not truncated at the default page size
$certaingroupmembers = (Get-MsolGroupMember -GroupObjectId $grouptoexclude -MemberObjectTypes user -All).ObjectId


Then change your query to something like
Code:
$users = Get-MsolUser -All | where {$_.StrongAuthenticationRequirements.state -notlike "Enforced" -and  $_.ObjectID -notin $certaingroupmembers} | select userprincipalname


You get the idea

Yeah, I see

I didn't think my code was very efficient lol

Thanks!!
 
Soldato
Joined
4 Nov 2006
Posts
2,752
Location
Yorkshire
Just out of interest, why don't you have a conditional access rule that requires everyone to use MFA from non-trusted IPs and just add the group to the Exclusions? Set it up once and forget about it; users will soon sign up for MFA.
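The policy described in this post, as an added example (not from the thread) created through Microsoft Graph PowerShell rather than the portal. It assumes Azure AD Premium P1, the Microsoft.Graph.Identity.SignIns module, and that the office IP ranges already exist as trusted named locations; the group ObjectId is a placeholder.

```powershell
# Added example, not from the thread: "require MFA outside trusted locations, exclude one group"
# as a Conditional Access policy via Microsoft Graph PowerShell. Assumes Azure AD Premium P1 and
# the Microsoft.Graph.Identity.SignIns module; the group ObjectId below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$excludedGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: ObjectId of the exclusion group

$policy = @{
    displayName = "Require MFA outside trusted locations"
    # Start in report-only mode: sign-in logs show who WOULD be prompted without locking anyone out.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($excludedGroupId)   # same role as the MFA-Excluded group in the script
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # every named location flagged as trusted (office IPs)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back so the exclusion and location scoping can be checked before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "ExcludedGroups";    e = { $_.Conditions.Users.ExcludeGroups -join "," } },
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations -join "," } }

# Once the report-only sign-in log results look right, switch it on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leave the policy in report-only mode for a few days and review the sign-in log before switching it to "enabled", and keep at least one emergency-access account in the excluded group so a misconfigured location or a broken MFA registration cannot lock every admin out.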
 
Soldato
Joined
25 Mar 2004
Posts
15,779
Location
Fareham
I work for a company that does email services for various customers small and large, and I've seen first hand the damage that being hacked into can do.

I agree with the above poster, MFA should be used from non-trusted locations. It's a tad annoying to re-verify every now and then, but it does mean you can be almost certain you'll never have to deal with people having their accounts compromised.
 
Associate
Joined
4 Jan 2003
Posts
355
Just out of interest, why don't you have a conditional access rule that requires everyone to use MFA from non-trusted IPs and just add the group to the Exclusions? Set it up once and forget about it; users will soon sign up for MFA.

Conditional Access requires Azure AD Premium P1 subscription licenses, or products that include it. If he's using lower-tier licenses like Exchange Online Plan 1, Microsoft 365 Business Standard, etc., additional spend would be required.
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,551
Just out of interest, why don't you have a conditional access rule that requires everyone to use MFA from non-trusted IPs and just add the group to the Exclusions? Set it up once and forget about it; users will soon sign up for MFA.

Yeah that's a good idea actually. We use conditional access to block anything outside the UK already. I think we started going down this route when we were starting to roll it out. Now we have everyone on it, there's no reason not to use those policies.
 
Soldato
Joined
4 Nov 2006
Posts
2,752
Location
Yorkshire
Yeah that's a good idea actually. We use conditional access to block anything outside the UK already. I think we started going down this route when we were starting to roll it out. Now we have everyone on it, there's no reason not to use those policies.

Defo utilise it.

Just a word of warning in terms of blocking access from outside the UK, as this recently caught me out. Plusnet (and probably others) bought a bunch of IPv4 addresses that originated from the US and gave them to UK broadband users as they were running out, and for some reason Office 365 was still detecting them as originating from the US, so naturally blocked access. Took a while to figure out, that's for sure!
 
Associate
Joined
4 Jan 2003
Posts
355
So does MFA, doesn't it? Which would suggest he had AAD P1 for conditional access.

Not necessarily, it wouldn't be Microsoft if it was straightforward. There are three main paths you can choose: Security defaults, Conditional Access policies, and Legacy per-user MFA. Security defaults is automatically applied to tenants created after 22nd October 2019 and requires all users to register for MFA (using the MS Authenticator app only). So he isn't on this path currently (but can choose it if he likes, though there are other conditions, such as it disabling all legacy protocols). Conditional Access policies are as discussed previously. Legacy per-user MFA is still an option allowing the full range of SMS/voice/MS Authenticator/etc. authentication methods without requiring additional AAD P1 licences.

Further info:
https://docs.microsoft.com/en-gb/mi...hentication-microsoft-365?view=o365-worldwide
 