Few questions regarding Powershell ForEach MFA script


I'm working on a script to implement MFA deployment through PowerShell. I'm connecting to Office 365 and running the Get-MsolUser command to grab a list of users from AD (I believe). I'm putting it into an array which I'm then running through a ForEach loop. I'm not sure if this is even functional yet, but I'm trying to figure out how to exclude certain users from this loop, as I don't want to activate MFA for domain admins.

Connect-MsolService
# -ExpandProperty yields plain UPN strings; a bare Select would return objects
# whose UserPrincipalName property Set-MsolUser cannot use directly
$array = @(Get-MsolUser | Select-Object -ExpandProperty UserPrincipalName)
ForEach ($user in $array)
{
    # one StrongAuthenticationRequirement per user, applied to all relying parties
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

So I guess the 3 questions I have are:

  1. How can I exclude users with names matching a certain string such as "Admin, Administrator" in the Array?

  2. Is there anyway to take user input and apply it to the username/password fields for Connect-MsolService?

  3. Is this code even functional as it stands or am I totally off the mark?


Solution

  • As commented, there are some enhancements to be made in your code.

    Try:

    Starting with your question 2)
    Connect-MsolService has a -Credential parameter and the easiest way to obtain that is by using the Get-Credential cmdlet:

    # ask for credentials to make the connection
    $cred = Get-Credential -Message 'Please enter your credentials to connect to Azure Active Directory'
    Connect-MsolService -Credential $cred
    

    Next, you want to define a list of users to exclude from being affected.

    $excludeTheseUsers = 'admin', 'user1', 'user2'  # etc.
    # for using the regex `-notmatch` operator later, you need to combine the entries with the regex OR sign ('|'),
    # but you need to make sure to escape special characters some names may contain
    $excludes = ($excludeTheseUsers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    
    # create the StrongAuthenticationRequirement object just once, to use on all users
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    
    # get an array of UserPrincipalNames
    $array = (Get-MsolUser | Where-Object { $_.DisplayName -notmatch $excludes }).UserPrincipalName
    foreach ($user in $array) {
        Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
    }
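The answer above excludes people by a substring match on DisplayName, so 'admin' also drops anyone whose display name happens to contain that text, and the opposite failure (an admin whose display name does not say "admin") is silent. The following is an added example, not code from the question or the answer: it excludes by an explicit list of UserPrincipalNames plus whole-name regex patterns, keeps the MSOnline calls behind a -WhatIf dry run so the selection can be checked before anything is changed, and runs offline against constructed sample users standing in for Get-MsolUser. The function names Select-MfaTargets and Enable-MfaForUsers, the contoso.com accounts and the sample display names are all made up for the example.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# installed for the real run; the dry run below needs nothing but PowerShell.

function Select-MfaTargets {
    [CmdletBinding()]
    param(
        # objects carrying UserPrincipalName and DisplayName, e.g. from Get-MsolUser -All
        [Parameter(Mandatory)] [object[]] $Users,
        # exact UPNs to leave alone (comparison is case-insensitive)
        [string[]] $ExcludeUpn = @(),
        # regex patterns tested against the WHOLE DisplayName, not a substring of it
        [string[]] $ExcludeNamePattern = @()
    )
    # anchor every pattern so 'Admin' matches the account named "Admin" but not "Mark Adminski"
    $pattern = ($ExcludeNamePattern | ForEach-Object { '^(?:' + $_ + ')$' }) -join '|'
    foreach ($u in $Users) {
        $skip = ($ExcludeUpn -contains $u.UserPrincipalName)
        if (-not $skip -and $pattern -and ($u.DisplayName -match $pattern)) { $skip = $true }
        if ($skip) { Write-Verbose "Skipping $($u.UserPrincipalName)"; continue }
        $u
    }
}

function Enable-MfaForUsers {
    # SupportsShouldProcess gives the function -WhatIf / -Confirm for free
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [object[]] $Targets)
    $st = $null
    foreach ($t in $Targets) {
        if ($PSCmdlet.ShouldProcess($t.UserPrincipalName, 'Enable MFA')) {
            # build the requirement object once, and only when we are really changing something
            if (-not $st) {
                $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
                $st.RelyingParty = '*'
                $st.State = 'Enabled'
            }
            Set-MsolUser -UserPrincipalName $t.UserPrincipalName -StrongAuthenticationRequirements @($st)
        }
    }
}

# constructed sample data standing in for (Get-MsolUser -All)
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.com';      DisplayName = 'Admin' }
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';       DisplayName = 'Jane Doe' }
    [pscustomobject]@{ UserPrincipalName = 'madmin@contoso.com';     DisplayName = 'Mark Adminski' }
    [pscustomobject]@{ UserPrincipalName = 'breakglass@contoso.com'; DisplayName = 'Break Glass' }
)

$targets = Select-MfaTargets -Users $sample `
    -ExcludeUpn 'breakglass@contoso.com' `
    -ExcludeNamePattern 'Admin', 'Administrator' -Verbose
# $targets now holds jdoe and madmin; 'admin' (whole-name match) and 'breakglass' (UPN) are skipped

# dry run: prints "What if: Performing the operation "Enable MFA" on target ..." and calls nothing
Enable-MfaForUsers -Targets $targets -WhatIf

# real run against the tenant (uncomment once the dry run looks right):
# Connect-MsolService -Credential (Get-Credential -Message 'Azure AD credentials')
# $live = Select-MfaTargets -Users (Get-MsolUser -All) -ExcludeUpn 'breakglass@contoso.com'
# Enable-MfaForUsers -Targets $live
```

Two practical notes. Get-MsolUser without -All returns only the first page of users (500 by default), so a tenant-wide rollout should pass -All, as the commented real run does. And matching on names is a weak way to identify privileged accounts; if the goal is to treat admins differently, enumerate them by role (Get-MsolRole / Get-MsolRoleMember) and pass those UPNs to -ExcludeUpn instead. From a security standpoint the exclusion should be as small as possible: privileged accounts are the ones attackers target first, so the usual practice is to enforce MFA on admins before anyone else and to exempt only designated emergency-access ("break glass") accounts.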