Forum Discussion

Compulinx
Copper Contributor
Nov 11, 2020

View and unblock users that are blocked by MFA using Powershell

How can I view and unblock users that have become blocked using MFA in PowerShell?

The following URL:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/BlockedUsers

provides a listing of users that have become blocked using MFA. In my case, most of the users listed are a consequence of badly managed MFA registration. But what I really need is to be able to view the listing in PowerShell, and potentially unblock the user in PowerShell. If unblocking is not possible then viewing would be a start. Perhaps a REST call to the Graph API? Anything would help.

//A

  • jvinterberg
    Nov 23, 2022

    AloisPommerais 

    Not sure how far you got on this, but this is what I have done in the sense of getting the blocked accounts, based on the feedback from Compulinx above.


    # Graph PowerShell SDK: the Reports module carries the audit log cmdlets
    Import-Module Microsoft.Graph.Reports
    # Connect-Graph is an alias of Connect-MgGraph; AuditLog.Read.All is the scope needed to read directory audits
    Connect-Graph -Scopes "AuditLog.Read.All" -TenantId "{TENANT_ID}"
    # Only the events written when a user reports fraud and is blocked for MFA
    $Filter = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
    # -All pages through every result; TargetResources holds the affected user (userPrincipalName, id)
    Get-MgAuditLogDirectoryAudit -Filter $Filter -All | Select-Object -ExpandProperty TargetResources



    So now I can see that something/someone has reported fraud; the next step is how to unblock.
    Hope that helps others on the way; please revert if you have a way of showing who it is and how to unblock.



  • seetak
    Copper Contributor

    Compulinx 

    To view and unblock users who have been blocked by Multi-Factor Authentication (MFA) using PowerShell, you can use Microsoft's Azure Active Directory PowerShell module. Below are the steps to achieve this:

    View Blocked Users

    1. Install AzureAD Module: If you haven't installed the AzureAD module yet, you can install it by running the following command in PowerShell as an administrator:

      Install-Module -Name AzureAD
    2. Connect to Azure AD: Connect to your Azure AD by running:

      Connect-AzureAD
      
    3. List Blocked Users: Run the following command to list all blocked users:

      Get-AzureADUser -All $true | Where-Object {$_.StrongAuthenticationDetail.State -eq "Blocked"}

    Unblock Users

    To unblock a specific user, you can use the following command:

    Set-AzureADUser -ObjectId <UserObjectId> -StrongAuthenticationDetail @{State="Enabled"}
    

    Replace <UserObjectId> with the Object ID of the user you want to unblock.

    Using Microsoft Graph API

    If you prefer using Microsoft Graph API to achieve the same, you can make a REST call to the Graph API. Here's an example using PowerShell:

    $accessToken = "YOUR_ACCESS_TOKEN"
    $headers = @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type" = "application/json"
    }
    
    $blockedUsersEndpoint = "https://graph.microsoft.com/v1.0/reports/getMfaDetail"
    $blockedUsers = Invoke-RestMethod -Uri $blockedUsersEndpoint -Headers $headers -Method Get
    
    $blockedUsers.value | Where-Object {$_.state -eq "Blocked"} | Select-Object UserPrincipalName

    Replace YOUR_ACCESS_TOKEN with your actual access token. You'll need to authenticate and obtain this token beforehand.

    Note

    Make sure you have the necessary permissions to view and manage MFA settings for users in your Azure AD tenant. Always be cautious when making changes to user accounts to avoid unintended consequences.

    • DenisT
      Iron Contributor

      seetak 
      I don't think Get-AzureADUser has a property StrongAuthenticationDetail?
      Can't seem to return it. Also doesn't show up in Get-Member

    • Compulinx
      Copper Contributor
      https://graph.microsoft.com/v1.0/reports/getMfaDetail does not work for me.

      This works. It will provide a historic list of blocked users:

      # $headers is the Authorization / Content-Type hashtable from the snippet above
      $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activitydisplayname eq 'Fraud reported - user is blocked for MFA'"
      $res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
      # Each audit event names the affected user under targetResources
      $blockedUsers = $res.value.targetResources.userPrincipalName

      This will provide details on who cleared the block:

      $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
      $res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
      # Keep only the "clear" activities (? is the alias for Where-Object)
      $cleared = $res.value | Where-Object activityDisplayName -Match "clear"
      $listofclearedusers = $cleared.targetResources.userPrincipalName

      The two lists are then subtracted:

      $blockedUsers | Where-Object { $_ -NotIn $listofclearedusers }
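As an added example, not code from the thread: a PowerShell version of Compulinx's two-query approach that follows @odata.nextLink so every page of audit events is read, and compares timestamps so a block issued after an earlier clear is still reported. It assumes the Microsoft.Graph.Authentication module (Invoke-MgGraphRequest) and an existing Connect-MgGraph session that already holds AuditLog.Read.All; the filter strings are the ones used in the thread.

```powershell
# Added example (not from the thread): generalises Compulinx's two audit-log
# queries so all pages are read (via @odata.nextLink) and a block counts as
# cleared only if the clear happened after it. Assumes Microsoft.Graph.Authentication
# and an existing Connect-MgGraph session with AuditLog.Read.All.

function Get-GraphAuditEvents {
    param([Parameter(Mandatory)][string]$Filter)
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$Filter"
    $events = @()
    while ($uri) {
        # Invoke-MgGraphRequest returns a hashtable: 'value' is the page,
        # '@odata.nextLink' is the URL of the next page (absent on the last one)
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $events += @($page.value)
        $uri = $page.'@odata.nextLink'
    }
    return $events
}

function Get-MfaFraudBlockedUsers {
    # Block events, using the activity name from the thread's snippets
    $blocked = Get-GraphAuditEvents -Filter "category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
    # Clear events, matched the same way as in the thread (activity name contains 'clear')
    $cleared = Get-GraphAuditEvents -Filter "category eq 'Policy'" |
        Where-Object { $_.activityDisplayName -match 'clear' }
    # Most recent clear per user, so a re-block after a clear is still reported
    $lastClear = @{}
    foreach ($e in $cleared) {
        $when = [datetime]$e.activityDateTime
        foreach ($t in $e.targetResources) {
            $upn = $t.userPrincipalName
            if ($upn -and ($null -eq $lastClear[$upn] -or $when -gt $lastClear[$upn])) {
                $lastClear[$upn] = $when
            }
        }
    }

    foreach ($e in $blocked) {
        $when = [datetime]$e.activityDateTime
        foreach ($t in $e.targetResources) {
            $upn = $t.userPrincipalName
            # Report the block unless a clear for the same user happened later
            if ($upn -and ($null -eq $lastClear[$upn] -or $when -gt $lastClear[$upn])) {
                [pscustomobject]@{ UserPrincipalName = $upn; BlockedAt = $when }
            }
        }
    }
}

Get-MfaFraudBlockedUsers | Sort-Object UserPrincipalName -Unique | Format-Table
```

Only events still within the directory audit log's retention window are returned, so this is a recent-history view rather than the live blocked-user list the portal blade shows.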

  • I'm not aware of any way to do this programmatically, but others might prove me wrong 🙂
