O365 - Multi-Factor Authentication - Accessing the authentication phone through PowerShell

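Is it possible to get/set the authentication phone through PowerShell? I found some old documentation saying this can be done with the old MSOnline module, but I can't find anything in the new AzureAD module.

Old property: StrongAuthenticationUserDetails

MSOnline documentation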

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#set-and-read-authentication-data-using-powershell

Answer 1

Using the following code, you can get a list of MFA-enabled users with their authentication phone numbers.

$Result=""
$Results=@()
# Export the display name and MFA phone number of each matching user
Get-MsolUser -All | where{$_.StrongAuthenticationRequirements.State -ne ""} | foreach{
    $DisplayName=$_.DisplayName
    $MFAPhone=$_.StrongAuthenticationUserDetails.PhoneNumber
    $Result=@{'DisplayName'=$DisplayName;'MFAPhone'=$MFAPhone}
    $Results= New-Object PSObject -Property $Result
    # <FilePath> is the path of the output CSV file
    $Results | Select-Object DisplayName,MFAPhone | Export-CSV <FilePath> -Append -NoType
}

Otherwise, you can try the PowerShell script below.

https://o365reports.com/2019/05/09/export-office-365-users-mfa-status-csv/

Answer 2

A slight rewrite of Kathy's answer

Get-MsolUser -All | where{
     $_.StrongAuthenticationRequirements.State -ne ""
} | Select  DisplayName,@{Name="MFAPhone";Expression={$_.StrongAuthenticationUserDetails.PhoneNumber}} | Export-CSV -NoType <Filename>

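Answer 3

It is indeed, but note that the AzureAD module is not yet mature enough to replace the MSOnline (Msol) module and does not yet fully encompass it.

To install the module, see the section further down this page: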

https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell

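You need to create a strong authentication method object and use the Set-MsolUser cmdlet, as follows:

I wrote this script, which includes all four strong authentication methods. Adjust as needed.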

# Install the Msol module if it is not available, then import it
If (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Force -AllowClobber
}
Import-Module -Name MSOnline

# Popup login page if not logged in
Connect-MsolService

# Define variables (or adjust script to read from data source and loop)
$UserPrincipalName = "[email protected]"
$MobileNumber = "+01 234 567 890"
$AlternateMobiles = @("+02 345 678 901", "+03 456 789 012")

# Create new SAM objects
<#

    Supported SAM types:

    OneWaySMS            - Text code sent to mobile
    PhoneAppOTP          - Authenticator code
    PhoneAppNotification - Push notification
    TwoWayVoiceMobile    - Phone call

    Note: Probably not able to use the App methods unless enrolled
#>

$SAM1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SAM4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod

# Configure as required
$SAM1.IsDefault = $true          # <<<< Is default method
$SAM1.MethodType = "OneWaySMS"
$SAM2.IsDefault = $false
$SAM2.MethodType = "PhoneAppOTP"
$SAM3.IsDefault = $false
$SAM3.MethodType = "PhoneAppNotification"
$SAM4.IsDefault = $false
$SAM4.MethodType = "TwoWayVoiceMobile"

$SAMethods = @($SAM1, $SAM2, $SAM3, $SAM4)

Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $SAMethods `
    -MobilePhone $MobileNumber -AlternateMobilePhones $AlternateMobiles
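
An added example, not part of the answers above and not Microsoft's code: it combines the phone lookup from Answers 1 and 2 with the method types from Answer 3 into one audit report, flagging users whose default method is phone-based but who have no authentication phone, and phone numbers registered on more than one account. The names Get-MfaPhoneReport and New-SampleUser are hypothetical, and the sample users are constructed objects that only mimic the Get-MsolUser property shapes so the block runs without a tenant.

```powershell
# Added example, not from the answers. Get-MfaPhoneReport and New-SampleUser are hypothetical names.
function Get-MfaPhoneReport {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # Report only users that carry a per-user MFA state
        if (-not $User.StrongAuthenticationRequirements.State) { return }
        $default = $User.StrongAuthenticationMethods | Where-Object IsDefault | Select-Object -First 1
        $rows.Add([pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MFAState          = ($User.StrongAuthenticationRequirements.State -join ',')
            DefaultMethod     = $default.MethodType
            MFAPhone          = $User.StrongAuthenticationUserDetails.PhoneNumber
        })
    }
    end {
        # Count how many reported accounts use each authentication phone
        $useCount = @{}
        $rows | Where-Object MFAPhone | Group-Object MFAPhone |
            ForEach-Object { $useCount[$_.Name] = $_.Count }
        foreach ($row in $rows) {
            $phoneBased = $row.DefaultMethod -in 'OneWaySMS', 'TwoWayVoiceMobile'
            # Default method needs a phone, but none is registered
            $row | Add-Member -NotePropertyName MissingPhone -NotePropertyValue ($phoneBased -and -not $row.MFAPhone)
            # A value above 1 means several accounts share one authentication phone
            $row | Add-Member -NotePropertyName PhoneUsedBy -NotePropertyValue ([int]$useCount[[string]$row.MFAPhone])
            $row
        }
    }
}

# Constructed sample users shaped like Get-MsolUser output (assumption: only these properties are read)
function New-SampleUser($Upn, $State, $Method, $Phone) {
    [pscustomobject]@{
        UserPrincipalName                = $Upn
        StrongAuthenticationRequirements = @(if ($State) { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods      = @(if ($Method) { [pscustomobject]@{ MethodType = $Method; IsDefault = $true } })
        StrongAuthenticationUserDetails  = [pscustomobject]@{ PhoneNumber = $Phone }
    }
}
$sample = @(
    New-SampleUser 'alice@example.test' 'Enforced' 'OneWaySMS'         '+1 5550100'
    New-SampleUser 'bob@example.test'   'Enabled'  'PhoneAppOTP'       '+1 5550100'
    New-SampleUser 'carol@example.test' 'Enabled'  'TwoWayVoiceMobile' $null
    New-SampleUser 'dave@example.test'  $null      $null               '+1 5550199'
)
$sample | Get-MfaPhoneReport | Format-Table -AutoSize
```

Against a tenant, after Connect-MsolService, the same function takes the live objects: `Get-MsolUser -All | Get-MfaPhoneReport | Export-Csv <FilePath> -NoType`.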
