Forum Discussion
Compulinx (Copper Contributor)
Nov 11, 2020
View and unblock users that are blocked by MFA using PowerShell
How can I view and unblock users that have become blocked using MFA in PowerShell?
The following
Provides a listing of users that have become blocked using MFA. In my case, most of the users listed are a consequence of badly managed MFA registration. But what I really need is to be able to view the listing in PowerShell, and potentially unblock the user in PowerShell. If unblocking is not possible then viewing would be a start. Perhaps a REST call to the Graph API? Anything would help.
AloisPommerais
Not sure how far you got on this, but this is what I have done in the sense of getting the blocked accounts, based on the feedback from Compulinx above.
Import-Module Microsoft.Graph.Reports
Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}"
$Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
# -All follows paging so entries beyond the first page are returned too
Get-MgAuditLogDirectoryAudit -Filter $Filter -All | Select -ExpandProperty TargetResources
So now I can see that something/someone has reported fraud; the next step is how to unblock.
Hope that helps others on the way; please revert if you have a way of showing who it is and how to unblock.
- seetak (Copper Contributor)
To view and unblock users who have been blocked by Multi-Factor Authentication (MFA) using PowerShell, you can use Microsoft's Azure Active Directory PowerShell module. Below are the steps to achieve this:
View Blocked Users
Install AzureAD Module: If you haven't installed the AzureAD module yet, you can install it by running the following command in PowerShell as an administrator:
Install-Module -Name AzureAD
Connect to Azure AD: Connect to your Azure AD by running:
Connect-AzureAD
List Blocked Users: Run the following command to list all blocked users:
Get-AzureADUser -All $true | Where-Object {$_.StrongAuthenticationDetail.State -eq "Blocked"}
Unblock Users
To unblock a specific user, you can use the following command:
Set-AzureADUser -ObjectId <UserObjectId> -StrongAuthenticationDetail @{State="Enabled"}
Replace <UserObjectId> with the Object ID of the user you want to unblock.
Using Microsoft Graph API
If you prefer using Microsoft Graph API to achieve the same, you can make a REST call to the Graph API. Here's an example using PowerShell:
$accessToken = "YOUR_ACCESS_TOKEN"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
$blockedUsersEndpoint = "https://graph.microsoft.com/v1.0/reports/getMfaDetail"
$blockedUsers = Invoke-RestMethod -Uri $blockedUsersEndpoint -Headers $headers -Method Get
$blockedUsers.value | Where-Object {$_.state -eq "Blocked"} | Select-Object UserPrincipalName
Replace YOUR_ACCESS_TOKEN with your actual access token. You'll need to authenticate and obtain this token beforehand.
Note
Make sure you have the necessary permissions to view and manage MFA settings for users in your Azure AD tenant. Always be cautious when making changes to user accounts to avoid unintended consequences.
- Compulinx (Copper Contributor)
https://graph.microsoft.com/v1.0/reports/getMfaDetail does not work for me
This works:
This will provide a historic list of blocked users
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$blockedUsers = $res.value.targetResources.userPrincipalName
This will provide details on who cleared the block
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$res.value|? activityDisplayName -Match "clear"
$res = $res.value|? activityDisplayName -Match "clear"
$listofclearedusers = $res.targetResources.userPrincipalName
The two lists are subtracted
$blockedUsers |? {$_ -NotIn $listofclearedusers}
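Building on the two audit-log queries above, here is an added example (my code, not from the thread) that also follows Graph paging via @odata.nextLink and compares the newest block and newest clear per user instead of subtracting the two lists, so a user who was cleared and then blocked again is still reported. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to AuditLog.Read.All; the function names are mine.

```powershell
# Added example, not code from the thread: builds a list of users whose MFA fraud
# block is still in effect, from the Graph directory audit log. It assumes the
# Microsoft.Graph PowerShell SDK is installed and the account can consent to
# AuditLog.Read.All (read only; it does not unblock anyone).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "AuditLog.Read.All"

function Get-DirectoryAuditEvents {
    # Returns every directoryAudits entry matching $Filter, following
    # @odata.nextLink so that results past the first page are not dropped.
    param([Parameter(Mandatory)][string]$Filter)
    $encoded = [uri]::EscapeDataString($Filter)
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$encoded"
    $events = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $events += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $events
}

function Get-LatestEventPerUser {
    # Maps userPrincipalName -> newest activityDateTime seen in $Events.
    param([object[]]$Events)
    $latest = @{}
    foreach ($e in $Events) {
        $when = [datetime]$e.activityDateTime
        foreach ($t in $e.targetResources) {
            $upn = $t.userPrincipalName
            if ($upn -and (-not $latest.ContainsKey($upn) -or $latest[$upn] -lt $when)) {
                $latest[$upn] = $when
            }
        }
    }
    return $latest
}

# Block events, using the activity name shown earlier in this thread.
$blocks = Get-DirectoryAuditEvents -Filter "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
$lastBlock = Get-LatestEventPerUser -Events $blocks

# Clear events: category 'Policy', matched on "clear" as in the snippet above.
$clears = Get-DirectoryAuditEvents -Filter "category eq 'Policy'" | Where-Object { $_.activityDisplayName -match 'clear' }
$lastClear = Get-LatestEventPerUser -Events $clears

# Still blocked: newest block is later than the newest clear (or never cleared).
# Comparing timestamps keeps users who were cleared once and then blocked again.
$lastBlock.Keys | Where-Object { -not $lastClear.ContainsKey($_) -or $lastClear[$_] -lt $lastBlock[$_] } | Sort-Object
```

Note that the directory audit log is only retained for a limited window (7 days without a premium licence, 30 days with Entra ID P1/P2), so blocks older than that will not show up in this list.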
- Greg Allen (Copper Contributor)
- Compulinx (Copper Contributor)
Nope!
- Compulinx (Copper Contributor)
Actually partially yes.
This is the rest call to find the blocked users:
$filters= "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
$uri = "https://graph.microsoft.com/beta/auditLogs/directoryaudits?api-version=beta&filter=$($filters)"
I'm not aware of any way to do this programmatically, but others might prove me wrong 🙂
- Compulinx (Copper Contributor)
VasilMichev I hope they do!