Check users for security assessment, bringing up MFA information, MS 365 license, Azure AD role, last login, user lock.
Install-Module -Name Az.Adm
Get-AzGraphUser -upn test@contoso.onmicrosoft.com -tenantdomain contoso.onmicrosoft.com -ClientID 00000000-0000-0000-0000-00000000 -ClientSecret 0000zzzz0000zzzz0000zzzz
The repository contains an example script, AssessmentSecurity.ps1, that wraps this function; running it produces the result shown below.
Connect to your subscription
Connect-AzAccount
Run the AssessmentSecurity.ps1 script
. .\AssessmentSecurity.ps1
Output:
.SYNOPSIS
#################################################################################################################
# Created by: Diogo De Santana Jacome #
# Co-creator: Luan Victor Cordeiro Levandoski #
# Modified by: Diogo De Santana Jacome #
# #
# #
# Version: 1.0 #
# #
# #
#################################################################################################################
Get-AzGraphUser is an advanced function that can be used to verify all users, MFA, MS 365 license, Azure AD role, last login, user lock.
.DESCRIPTION
Get-AzGraphUser is an advanced function that can be used to verify all users, MFA, MS 365 license, Azure AD role, last login, user lock.
You need a Service Principal that can access the graph API. API Permissions:
AuditLog.Read.All
Directory.Read.All
Group.Read.All
User.Read.All
UserAuthenticationMethod.Read.All
You need the Reader role on the Azure subscription and in Azure AD.
This function downloads the CSV spreadsheet of Microsoft licensing service plans, used to resolve license names:
Licensing-service-plan-reference: https://docs.microsoft.com/En-us/azure/active-directory/enterprise-users/licensing-service-plan-reference
.EXAMPLE
C:\PS> Get-AzGraphUser -upn test@contoso.onmicrosoft.com -tenantdomain contoso.onmicrosoft.com -ClientID 00000000-0000-0000-0000-00000000 -ClientSecret 0000zzzz0000zzzz0000zzzz
.EXAMPLE
C:\PS> Get-AzGraphUser -upn test@contoso.onmicrosoft.com -tenantdomain contoso.onmicrosoft.com -ClientID 00000000-0000-0000-0000-00000000 -ClientSecret 0000zzzz0000zzzz0000zzzz | Export-Csv report-security.csv
.EXAMPLE
C:\PS> $Users_Ids_Dev = (Get-AzADGroupMember -GroupDisplayName GP-Dev).id
C:\PS> $Rbac_GP = Get-AzADGroupRBAC -Group GP-Dev
C:\PS> $Users_Graph_All = @()
C:\PS> Foreach ( $Users in $Users_Ids_Dev){
$upn = (Get-AzADUser -ObjectId $Users).UserPrincipalName
$Users_Graph_All += Get-AzGraphUser -upn $upn -tenantdomain contoso.onmicrosoft.com -ClientID 00000000-0000-0000-0000-00000000 -ClientSecret 0000zzzz0000zzzz0000zzzz}
C:\PS> $ListAll = ($Rbac_GP | Merge-Object $Users_Graph_All -On SignInName)
C:\PS> $ListAll | Export-Csv Security-GP-Dev.csv
.EXAMPLE
C:\PS> # Guest UPNs contain '#EXT#'; the '#' must be URL-encoded as %23 before it is used in a Graph request path
C:\PS> $User_Ext = (Get-AzADUser | Where-Object UserPrincipalName -Like '*#EXT#@*').UserPrincipalName
C:\PS> $User_Ext_ALL = $User_Ext.replace('#', '%23')
C:\PS> Foreach ( $Users in $User_Ext_ALL){
Get-AzGraphUser -upn $Users -tenantdomain contoso.onmicrosoft.com -ClientID 00000000-0000-0000-0000-00000000 -ClientSecret 0000zzzz0000zzzz0000zzzz}
.LINK
https://github.com/Didjacome
You can use the Az.Adm module in both Cloud Shell and PowerShell Desktop.
You need to have the following modules installed:

| Modules      | Version |
|--------------|---------|
| Az.Accounts  | 2.6.2   |
| Az.Resources | 5.1.0   |
This module queries the Microsoft Graph API; remember to grant the service principal the permissions listed in the help above.
To use the Graph API as this module does, the tenant needs Azure AD Premium P1.
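The following is an added example, not code from the Az.Adm module or its author: it shows the Graph calls that a per-user assessment like Get-AzGraphUser relies on (MFA methods, license SKUs, Azure AD roles, last sign-in, account lock), using the same service-principal inputs and the permissions listed in the help. The function names `Get-GraphAssessmentToken` and `Get-UserSecurityPosture`, the prompt for the client secret, and the tenant, client ID and UPN values are all assumptions for illustration. Sign-in activity requires AuditLog.Read.All and an Azure AD Premium P1 tenant, and guest UPNs containing `#EXT#` are URL-encoded before being placed in the request path, as the last example above does by hand.

```powershell
# Added example (not part of the Az.Adm module): token acquisition with a service
# principal and the Graph lookups behind a per-user security assessment.
function Get-GraphAssessmentToken {
    param(
        [Parameter(Mandatory)][string]$TenantDomain,
        [Parameter(Mandatory)][string]$ClientId,
        # SecureString keeps the secret out of the command line and shell history
        [Parameter(Mandatory)][securestring]$ClientSecret
    )
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'   # application permissions granted to the SP
        grant_type    = 'client_credentials'
    }
    $tokenUri = "https://login.microsoftonline.com/$TenantDomain/oauth2/v2.0/token"
    $resp = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body
    return $resp.access_token
}

function Get-UserSecurityPosture {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $graph   = 'https://graph.microsoft.com/v1.0'

    # Guest UPNs contain '#EXT#'; '#' would otherwise be read as a URL fragment.
    $encodedUpn = [uri]::EscapeDataString($Upn)

    # Resolve the object id first; signInActivity is then requested by id.
    $basic = Invoke-RestMethod -Headers $headers -Uri ($graph + "/users/$encodedUpn" +
        '?$select=id,displayName,userPrincipalName,accountEnabled,assignedLicenses')
    $id = $basic.id

    # signInActivity needs AuditLog.Read.All and Azure AD Premium P1.
    $signIn = Invoke-RestMethod -Headers $headers -Uri ($graph + "/users/$id" + '?$select=signInActivity')

    # UserAuthenticationMethod.Read.All: registered authentication methods.
    $methods = (Invoke-RestMethod -Headers $headers -Uri "$graph/users/$id/authentication/methods").value

    # Directory.Read.All: Azure AD directory roles held directly or via group.
    $roles = (Invoke-RestMethod -Headers $headers -Uri "$graph/users/$id/transitiveMemberOf/microsoft.graph.directoryRole").value

    # Anything other than the password method counts as a registered MFA method.
    $mfaMethods = @($methods | Where-Object { $_.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' })

    [pscustomobject]@{
        UserPrincipalName = $basic.userPrincipalName
        DisplayName       = $basic.displayName
        AccountEnabled    = $basic.accountEnabled          # $false = blocked / locked sign-in
        MfaRegistered     = ($mfaMethods.Count -gt 0)
        MfaMethods        = ($mfaMethods.'@odata.type' -replace '#microsoft.graph\.', '') -join ';'
        LicenseSkuIds     = @($basic.assignedLicenses.skuId) -join ';'   # map with the service-plan CSV
        AzureADRoles      = @($roles.displayName) -join ';'
        LastSignIn        = $signIn.signInActivity.lastSignInDateTime
    }
}

# Usage (assumed tenant, client id and UPN); the secret is prompted, not typed on the command line.
$secret = Read-Host -AsSecureString -Prompt 'Client secret'
$token  = Get-GraphAssessmentToken -TenantDomain contoso.onmicrosoft.com -ClientId 00000000-0000-0000-0000-00000000 -ClientSecret $secret
Get-UserSecurityPosture -Upn test@contoso.onmicrosoft.com -AccessToken $token | Format-List
```

The object returned has the same shape the module's examples pipe to Export-Csv, so a loop over group members or guest accounts can collect these objects into an array and write one report. Requesting `signInActivity` by object id rather than by UPN avoids the Graph restriction on that property, and keeping the client secret in a SecureString means the assessment itself does not leave the credential in transcript or history files.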