
View and unblock users that are blocked by MFA using Powershell


How can I view and unblock users that have become blocked using MFA in PowerShell?

The following page

 https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/BlockedUser...

provides a listing of users that have become blocked using MFA. In my case, most of the users listed are a consequence of badly managed MFA registration. But what I really need is to be able to view the listing in PowerShell, and potentially unblock the user in PowerShell. If unblocking is not possible then viewing would be a start. Perhaps a REST call to the Graph API? Anything would help.

//A

I'm not aware of any way to do this programmatically, but others might prove me wrong :)

@Compulinx 

Did you ever find a solution for this? Am needing the same myself.

thanks

Actually, partially yes.

This is the rest call to find the blocked users:
$filters= "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
$uri = "https://graph.microsoft.com/beta/auditLogs/directoryaudits?api-version=beta&filter=$($filters)"

@Compulinx
Hello, can I have more information regarding your last message?
Thanks a lot
 

best response confirmed by Compulinx (Copper Contributor)
Solution

@AloisPommerais 

Not sure how far you got on this, but this is what I have done to get the blocked accounts, based on the feedback from @Compulinx above.


Import-Module Microsoft.Graph.Reports
Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}"
$Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
Get-MgAuditLogDirectoryAudit -Filter $Filter | Select -ExpandProperty TargetResources



So now I can see that something/someone has reported fraud; next step is how to unblock.
Hope that helps others on the way; please revert if you have a way of showing who it is and how to unblock.



Yep, pretty good jvinterberg. The API call I use is:

$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA'"

Works nicely

@Compulinx 

To view and unblock users who have been blocked by Multi-Factor Authentication (MFA) using PowerShell, you can use Microsoft's Azure Active Directory PowerShell module. Below are the steps to achieve this:

View Blocked Users

  1. Install AzureAD Module: If you haven't installed the AzureAD module yet, you can install it by running the following command in PowerShell as an administrator:

    Install-Module -Name AzureAD
  2. Connect to Azure AD: Connect to your Azure AD by running:

    Connect-AzureAD
    
  3. List Blocked Users: Run the following command to list all blocked users:

    Get-AzureADUser -All $true | Where-Object {$_.StrongAuthenticationDetail.State -eq "Blocked"}

Unblock Users

To unblock a specific user, you can use the following command:

Set-AzureADUser -ObjectId <UserObjectId> -StrongAuthenticationDetail @{State="Enabled"}

Replace <UserObjectId> with the Object ID of the user you want to unblock.

Using Microsoft Graph API

If you prefer using Microsoft Graph API to achieve the same, you can make a REST call to the Graph API. Here's an example using PowerShell:

$accessToken = "YOUR_ACCESS_TOKEN"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

$blockedUsersEndpoint = "https://graph.microsoft.com/v1.0/reports/getMfaDetail"
$blockedUsers = Invoke-RestMethod -Uri $blockedUsersEndpoint -Headers $headers -Method Get

$blockedUsers.value | Where-Object {$_.state -eq "Blocked"} | Select-Object UserPrincipalName

Replace YOUR_ACCESS_TOKEN with your actual access token. You'll need to authenticate and obtain this token beforehand.

Note

Make sure you have the necessary permissions to view and manage MFA settings for users in your Azure AD tenant. Always be cautious when making changes to user accounts to avoid unintended consequences.

https://graph.microsoft.com/v1.0/reports/getMfaDetail does not work for me.

This works:
This will provide a historic list of blocked users ($headers is the bearer-token header hashtable from the reply above):
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA'"

# Note: this reads only the first page of audit results; Graph returns further pages via @odata.nextLink
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$blockedUsers = $res.value.targetResources.userPrincipalName

This will provide details on who cleared the block:

$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
# show the clear events, then keep only those records
$res.value|? activityDisplayName -Match "clear"
$res = $res.value|? activityDisplayName -Match "clear"
$listofclearedusers = $res.targetResources.userPrincipalName

The two lists are subtracted:
$blockedUsers |? {$_ -NotIn $listofclearedusers}
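Added example (not from any reply in this thread): the same audit-log reconciliation as the two replies above (the Get-MgAuditLogDirectoryAudit post and the REST post), with two changes a practitioner would want. It follows @odata.nextLink so blocks beyond the first page are not missed, and it orders block and clear events per user by activityDateTime instead of subtracting the two sets, because a user who was blocked, cleared and then blocked again is dropped by plain set subtraction. Assumptions: $headers holds a bearer token with AuditLog.Read.All as in the earlier reply; the unblock activity name contains "clear", as the post above matched on; the inline sample records are constructed so the function can be exercised offline, and "Clear fraud alert" in them is a constructed activity name, not one taken from a tenant.

```powershell
# Added example, not code from the thread. Assumes $headers = @{ Authorization = "Bearer ..." }
# (AuditLog.Read.All) for live use; the sample records below are CONSTRUCTED for offline runs.

function Get-GraphPages {
    # Collect every page of a Graph collection by following @odata.nextLink.
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    $items = @()
    while ($Uri) {
        $res = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        $items += $res.value
        $Uri = $res.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $items
}

function Get-CurrentlyBlockedUsers {
    # Given directoryAudit records (block and clear events mixed), return the UPNs whose
    # most recent relevant event is a block. Events are sorted by time first so that a
    # block -> clear -> block sequence is reported as blocked.
    param([Parameter(Mandatory)][object[]]$Events)
    $latest = @{}   # UPN -> $true if the last event seen was a block
    foreach ($e in ($Events | Sort-Object { [datetime]$_.activityDateTime })) {
        $isBlock = $e.activityDisplayName -eq 'Fraud reported - user is blocked for MFA'
        $isClear = $e.activityDisplayName -match 'clear'   # assumption taken from the thread
        if (-not ($isBlock -or $isClear)) { continue }
        foreach ($t in $e.targetResources) {
            if ($t.userPrincipalName) { $latest[$t.userPrincipalName] = $isBlock }
        }
    }
    return @($latest.Keys | Where-Object { $latest[$_] } | Sort-Object)
}

# Constructed sample: alice blocked, cleared, blocked again; bob blocked then cleared;
# carol blocked only. Set subtraction would drop alice; the time-ordered check keeps her.
$sampleJson = @'
[
 {"activityDateTime":"2024-01-01T08:00:00Z","activityDisplayName":"Fraud reported - user is blocked for MFA","targetResources":[{"userPrincipalName":"alice@contoso.example"}]},
 {"activityDateTime":"2024-01-01T09:00:00Z","activityDisplayName":"Clear fraud alert","targetResources":[{"userPrincipalName":"alice@contoso.example"}]},
 {"activityDateTime":"2024-01-02T10:00:00Z","activityDisplayName":"Fraud reported - user is blocked for MFA","targetResources":[{"userPrincipalName":"alice@contoso.example"}]},
 {"activityDateTime":"2024-01-01T11:00:00Z","activityDisplayName":"Fraud reported - user is blocked for MFA","targetResources":[{"userPrincipalName":"bob@contoso.example"}]},
 {"activityDateTime":"2024-01-01T12:00:00Z","activityDisplayName":"Clear fraud alert","targetResources":[{"userPrincipalName":"bob@contoso.example"}]},
 {"activityDateTime":"2024-01-03T13:00:00Z","activityDisplayName":"Fraud reported - user is blocked for MFA","targetResources":[{"userPrincipalName":"carol@contoso.example"}]}
]
'@
$sample = $sampleJson | ConvertFrom-Json
Get-CurrentlyBlockedUsers -Events $sample

# Live use against the tenant (same filters as the replies above, all pages followed):
# $blockUri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
# $clearUri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
# Get-CurrentlyBlockedUsers -Events ((Get-GraphPages $blockUri $headers) + (Get-GraphPages $clearUri $headers))
```

The live query pulls the whole Policy category and filters on "clear" client-side, exactly as the post above does; once you know the precise activityDisplayName of the unblock event in your tenant (visible in the Policy results), narrowing the OData filter to it keeps the paging loop short.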
