Tuesday, June 20, 2023

Powershell - Microsoft Graph reports - Get MFA status of users.

Requires an App Registration be setup with proper API permissions and a self-signed certificate for authentication to it.


Select-MgProfile -Name "beta"

$TenantId = "XXXXX"

$AppId = "XXXXX"

Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint "XXXXXXX"

$report = Get-MgReportCredentialUserRegistrationDetail -all

$report| select @{name="AuthMethods";e={$_.AuthMethods -join ","}},IsCapable,IsEnabled,IsMfaRegistered,IsRegistered,UserDisplayName,UserPrincipalName | Select UserPrincipalName,UserDisplayName,IsCapable,IsEnabled,IsMfaRegistered,IsRegistered,AuthMethods | export-csv -NoTypeInformation -Path "c:\reports\MFA - MFA Audit Logs.csv"


Thursday, June 1, 2023

Custom View for Events NTLMv1 on a DC


  <Query Id="0" Path="Security">

    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LmPackageName']='NTLM V1']]</Select>