Finding Azure Active Directory with Admin Roles Not Protected with MFA

Multi-Factor Authentication Should Be Enabled for Privileged Accounts

If, like me, you were impressed at the case laid out in the July 10 blog entitled Your Pa$$word doesn’t matter by Alex Weinert (Microsoft), you might wonder how to take his advice to “turn on MFA” for accounts. The process can take some time and user education because you can’t really enable MFA for “average users” if you don’t prepare them to deal with the resulting challenges, roll out the Microsoft Authenticator app, and so on.

Reporting Accounts with Administrative Roles

But one immediate step you can take is to clamp down on accounts holding one or more Azure Active Directory administrative roles that are not MFA-enabled. Microsoft has a new Azure Active Directory usage and insights report about authentication methods to inform tenants about the accounts that are/are not enabled for MFA and self-service password reset (Figure 1), but it doesn’t highlight accounts holding administrative roles.

Figure 1: Azure Active Directory Usage and Insights Report about MFA and SSPR

We discussed reporting of MFA-enabled accounts previously, so we can build on the techniques explored there to come up with a PowerShell script to find and report accounts that need to be protected with MFA. Here’s the script that I came up with.

Note (16 July): I updated the script following a suggestion (see comments) to make sure that the right GUIDs are picked up for directory roles (they vary across tenants).

What the Script Does

The script is imperfect, quickly put together, and could do with improvement in terms of optimization and error handling, but it works. Here’s what it does.

  • Azure Active Directory defines directory roles to assign to accounts. In this case, we’re interested in some of the more highly-permissioned roles like Exchange Admin, so we use the Get-AzureADDirectoryRole cmdlet to grab the GUIDs identifying these roles and put them in variables.
  • Use the Get-AzureADDirectoryRoleMember cmdlet and the GUIDs to populate another set of variables with details of the accounts that hold each role.
  • Use the Get-MsolUser cmdlet to form a collection of Azure Active Directory licensed accounts (yes, there’s an odd mix of the Azure AD V1 and V2 cmdlets in the script; that’s because I can’t work out how to get MFA information using the V2 cmdlets).
  • Check each account to see if it is MFA-enabled. If not, check if the account holds any of the roles we’re interested in and if so, flag it.
  • Generate a report of all accounts that are not MFA-enabled and export it to a CSV file (Figure 2). It’s easy to pick out the accounts whose security needs to be improved.
Figure 2: CSV file reporting accounts not enabled for MFA
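The five steps above, written out as a complete script. This is an added example and not the article’s own script; it assumes the AzureAD and MSOnline modules are installed and that Connect-AzureAD and Connect-MsolService have already been run for the tenant. The role display names are the ones Get-AzureADDirectoryRole returns for these roles (assumed, and worth checking in your tenant), and “MFA-enabled” is taken to mean the per-user MFA state exposed by the MSOnline cmdlets (StrongAuthenticationRequirements); the output file name is also an assumption.

```powershell
# Added example, not the article's script. Assumes Connect-AzureAD and
# Connect-MsolService have been run and that the role display names below
# match what Get-AzureADDirectoryRole returns in the tenant.

# Step 1: resolve role GUIDs by display name, because the GUIDs differ per tenant.
$RoleNames = @(
    'Company Administrator',            # Global Administrator
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'Lync Service Administrator',       # Teams / Skype for Business Administrator
    'User Account Administrator'
)
# Get-AzureADDirectoryRole only returns roles that have been activated in the
# tenant, so a missing role is reported and skipped rather than passed on as
# a null ObjectId to Get-AzureADDirectoryRoleMember.
$AllRoles = Get-AzureADDirectoryRole
$Roles = @{}
ForEach ($Name in $RoleNames) {
    $Role = $AllRoles | Where-Object { $_.DisplayName -eq $Name }
    If ($Role) { $Roles[$Name] = $Role.ObjectId }
    Else { Write-Warning "Role '$Name' is not activated in this tenant; skipping" }
}

# Step 2: build a lookup of account ObjectId -> names of the admin roles it holds.
# Role members can also be groups or service principals, so keep user objects only.
$RoleHolders = @{}
ForEach ($Name in $Roles.Keys) {
    Get-AzureADDirectoryRoleMember -ObjectId $Roles[$Name] |
        Where-Object { $_.ObjectType -eq 'User' } |
        ForEach-Object {
            If (-not $RoleHolders.ContainsKey($_.ObjectId)) { $RoleHolders[$_.ObjectId] = @() }
            $RoleHolders[$_.ObjectId] += $Name
        }
}

# Step 3: licensed member accounts via the V1 (MSOnline) cmdlet, which exposes MFA state.
$Users = Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $True -and $_.UserType -eq 'Member' }

# Step 4: flag accounts without per-user MFA and record which admin roles they hold.
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($User in $Users) {
    # State is 'Enabled' or 'Enforced' when per-user MFA is set; empty otherwise.
    $MfaState = $User.StrongAuthenticationRequirements.State
    If ([string]::IsNullOrEmpty($MfaState)) {
        $Id = $User.ObjectId.ToString()
        $HeldRoles = If ($RoleHolders.ContainsKey($Id)) { $RoleHolders[$Id] -join '; ' } Else { '' }
        $Report.Add([PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            MFAState          = 'Not enabled'
            AdminRoles        = $HeldRoles
            HoldsAdminRole    = [bool]$HeldRoles
        })
    }
}

# Step 5: export to CSV with the admin role holders sorted to the top so they stand out.
$Report |
    Sort-Object -Property @{ Expression = 'HoldsAdminRole'; Descending = $True }, UserPrincipalName |
    Export-Csv -Path .\AccountsWithoutMFA.csv -NoTypeInformation
```

One caveat when reading the CSV: the MSOnline state only reflects per-user (legacy) MFA. An account whose MFA is enforced solely through a Conditional Access policy shows no state here and will be listed as not enabled, so check such accounts against your Conditional Access policies before treating them as unprotected. If the earlier reporting approach you are building on counts registered methods instead, test `$User.StrongAuthenticationMethods.Count -eq 0` in step 4 rather than the State value.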

As always, we’re happy to hear about other approaches to the problem. Please post your ideas as a comment to this post.




5 Replies to “Finding Azure Active Directory with Admin Roles Not Protected with MFA”

  1. Hi
    I think you should limit the script to licensed accounts only.
    Unlicensed admin accounts should get licensed and then have MFA enforced, excluding one or two break-glass accounts.

    1. The script does filter for licensed member accounts… But because it’s PowerShell, you can do what you like to amend it.

  2. Thank you Tony. Great script.

    I had to modify the beginning to set different guids for my tenant as below.

    # Define GUIDs for the Privileged Roles (from Get-AzureADDirectoryRole)
    $UserAccountAdmin = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'User Account Administrator'} | Select ObjectId
    $TenantAdmin = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'} | Select ObjectId
    $TeamsAdmin = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Lync Service Administrator'} | Select ObjectId
    $ExchangeAdmin = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Exchange Service Administrator'} | Select ObjectId
    $SharePointAdmin = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Sharepoint Service Administrator'} | Select ObjectId

    # Find out the set of accounts that hold these admin roles in the tenant
    $UserAccountAdmins = Get-AzureADDirectoryRoleMember -ObjectId $UserAccountAdmin.ObjectID | Select ObjectId, UserPrincipalName
    $TenantAdmins = Get-AzureADDirectoryRoleMember -ObjectId $TenantAdmin.ObjectID | Select ObjectId, UserPrincipalName
    $TeamsAdmins = Get-AzureADDirectoryRoleMember -ObjectId $TeamsAdmin.ObjectID | Select ObjectId, UserPrincipalName
    $ExchangeAdmins = Get-AzureADDirectoryRoleMember -ObjectId $ExchangeAdmin.ObjectID | Select ObjectId, UserPrincipalName
    $SharePointAdmins = Get-AzureADDirectoryRoleMember -ObjectId $SharePointAdmin.ObjectID | Select ObjectId, UserPrincipalName

    1. Thanks Paul… Your suggestions are good ones because the GUIDs could change from tenant to tenant.
