Forum Discussion
View and unblock users that are blocked by MFA using Powershell
- Nov 23, 2022
AloisPommerais
Not sure how far you got on this, but this is what I have done in the sense of getting the blocked accounts, based on the feedback from Compulinx above.
Import-Module Microsoft.Graph.Reports
Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}"
$Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
Get-MgAuditLogDirectoryAudit -Filter $Filter | Select -ExpandProperty TargetResources
So now I can see that something/someone has reported fraud; the next step is how to unblock.
Hope that helps others on the way; please revert if you have a way of showing who it is and how to unblock.
To view and unblock users who have been blocked by Multi-Factor Authentication (MFA) using PowerShell, you can use Microsoft's Azure Active Directory PowerShell module. Below are the steps to achieve this:
View Blocked Users
Install AzureAD Module: If you haven't installed the AzureAD module yet, you can install it by running the following command in PowerShell as an administrator:
Install-Module -Name AzureAD
Connect to Azure AD: Connect to your Azure AD by running:
Connect-AzureAD
List Blocked Users: Run the following command to list all blocked users:
Get-AzureADUser -All $true | Where-Object {$_.StrongAuthenticationDetail.State -eq "Blocked"}
Unblock Users
To unblock a specific user, you can use the following command:
Set-AzureADUser -ObjectId <UserObjectId> -StrongAuthenticationDetail @{State="Enabled"}
Replace <UserObjectId> with the Object ID of the user you want to unblock.
Using Microsoft Graph API
If you prefer using Microsoft Graph API to achieve the same, you can make a REST call to the Graph API. Here's an example using PowerShell:
$accessToken = "YOUR_ACCESS_TOKEN"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
$blockedUsersEndpoint = "https://graph.microsoft.com/v1.0/reports/getMfaDetail"
$blockedUsers = Invoke-RestMethod -Uri $blockedUsersEndpoint -Headers $headers -Method Get
$blockedUsers.value | Where-Object {$_.state -eq "Blocked"} | Select-Object UserPrincipalName
Replace YOUR_ACCESS_TOKEN with your actual access token. You'll need to authenticate and obtain this token beforehand.
Note
Make sure you have the necessary permissions to view and manage MFA settings for users in your Azure AD tenant. Always be cautious when making changes to user accounts to avoid unintended consequences.
- Apr 14, 2024
Compulinx (Copper Contributor)
https://graph.microsoft.com/v1.0/reports/getMfaDetail does not work for me. This works:
This will provide a historic list of blocked users
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$blockedUsers = $res.value.targetResources.userPrincipalName
This will provide details on who cleared the block
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$res.value|? activityDisplayName -Match "clear"
$res = $res.value|? activityDisplayName -Match "clear"
$listofclearedusers = $res.targetResources.userPrincipalName
The two lists are subtracted
$blockedUsers |? {$_ -NotIn $listofclearedusers}
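Building on the two audit-log queries above, here is an added example (not code from any poster in this thread) that does the same subtraction with the Microsoft.Graph.Reports module used in the first post. It follows pagination with -All and compares timestamps per user, so someone who was blocked, cleared and then blocked again is still reported as blocked. It assumes AuditLog.Read.All consent, that the clear event is found by matching "clear" in the Policy category exactly as in the thread (the precise activityDisplayName is not given on the page), and it only sees events still inside the tenant's audit-log retention window.

```powershell
# Added example; Get-OpenMfaFraudBlock and Select-LatestPerUser are hypothetical names.
Import-Module Microsoft.Graph.Reports

function Select-LatestPerUser {
    # Map each target UPN to the most recent audit event that names it.
    param([object[]]$Events)
    $latest = @{}
    foreach ($e in $Events) {
        foreach ($t in $e.TargetResources) {
            $upn = $t.UserPrincipalName
            if (-not $upn) { continue }
            if (-not $latest[$upn] -or $e.ActivityDateTime -gt $latest[$upn].ActivityDateTime) {
                $latest[$upn] = $e
            }
        }
    }
    return $latest
}

function Get-OpenMfaFraudBlock {
    # Block events: same activity name as quoted in the thread. -All follows @odata.nextLink.
    $blockFilter = "category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
    $blocks = Get-MgAuditLogDirectoryAudit -Filter $blockFilter -All

    # Clear events: assumption, identified by matching "clear" in the Policy category as in the thread.
    $clears = Get-MgAuditLogDirectoryAudit -Filter "category eq 'Policy'" -All |
        Where-Object { $_.ActivityDisplayName -match 'clear' }

    $lastBlock = Select-LatestPerUser -Events $blocks
    $lastClear = Select-LatestPerUser -Events $clears

    # A block is still open when no clear exists or the latest clear predates the latest block.
    foreach ($upn in $lastBlock.Keys) {
        $b = $lastBlock[$upn]
        $c = $lastClear[$upn]
        if (-not $c -or $c.ActivityDateTime -lt $b.ActivityDateTime) {
            [pscustomobject]@{
                UserPrincipalName = $upn
                BlockedAt         = $b.ActivityDateTime
                LastClearedAt     = if ($c) { $c.ActivityDateTime } else { $null }
                ClearedBy         = if ($c) { $c.InitiatedBy.User.UserPrincipalName } else { $null }
            }
        }
    }
}

Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-OpenMfaFraudBlock | Sort-Object BlockedAt -Descending | Format-Table -AutoSize
```

The ClearedBy column is the same "who cleared the block" detail the thread pulls from the Policy events, which is worth reviewing when a block was lifted by someone other than the helpdesk.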