Forum Discussion
Solved
View and unblock users that are blocked by MFA using Powershell
How can I view and unblock uses that have become blocked using MFA in Powershell The following https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/BlockedUser...
AloisPommerais
Not sure how far you got on this, but this is what i have done in the sense of get the blocked accounts, based on the feedback from Compulinx above.Import-Module Microsoft.Graph.Reports Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}" $Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'" Get-MgAuditLogDirectoryAudit -Filter $Filter | Select -ExpandProperty TargetResources
So now i can see that something/Someone have reported fraud, next step is how to unblock.
Hope that help others on the way, please revert if you have a way of showing who it is and how to unblock.
AloisPommerais
Not sure how far you got on this, but this is what i have done in the sense of get the blocked accounts, based on the feedback from Compulinx above.
Import-Module Microsoft.Graph.Reports
Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}"
$Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
Get-MgAuditLogDirectoryAudit -Filter $Filter | Select -ExpandProperty TargetResources
So now i can see that something/Someone have reported fraud, next step is how to unblock.
Hope that help others on the way, please revert if you have a way of showing who it is and how to unblock.
Yep pretty good jvinterberg. The API call I use is:
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA"
Works nicely
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA"
Works nicely