From f05bf3426eae25ceb6537ddae62fc31a79351df1 Mon Sep 17 00:00:00 2001
From: Moritz Engel
Date: Wed, 15 Sep 2021 20:36:08 +0200
Subject: [PATCH 1/2] Activate mfa for group member
---
 Sync-Groups/Activate-Mfa.ps1 | 62 ++++++++++++++++++++++++++++++++++++
 Sync-Groups/Readme.md | 11 +++++--
 2 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 Sync-Groups/Activate-Mfa.ps1
diff --git a/Sync-Groups/Activate-Mfa.ps1 b/Sync-Groups/Activate-Mfa.ps1
new file mode 100644
index 0000000..d5bfbdc
--- /dev/null
+++ b/Sync-Groups/Activate-Mfa.ps1
@@ -0,0 +1,62 @@
+param(
+ [string]$DIR = (Get-Location)
+)
+
+if ($DIR -match '.+?\\$') {
+ $DIR = $DIR.Substring(0, $DIR.Length-1)
+}
+
+if (Test-Path -Path "$DIR\password.txt") {
+ $username = "sync-admin@bdsu-connect.de"
+
+ $secPasswordText = Get-Content "$DIR\password.txt"
+ $secPassword = $secPasswordText | ConvertTo-SecureString
+
+ $credentials = New-Object System.Management.Automation.PSCredential ($username, $secPassword)
+}
+
+if (!$credentials) {
+ $credentials = Get-Credential
+}
+
+
+Connect-MsolService -Credential $credentials | Out-Null
+
+Connect-AzureAD -Credential $credentials | Out-Null
+
+# remove existing Exchange Remote Sessions if any
+Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession
+
+$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection
+Import-PSSession $session
+if (!$?) {
+ throw "Failed to import Exchange Remote Session"
+}
+
+# Groups which require a mfa authentication
+$mfaGroups = @{
+
+ "Group name" = "Distribution Group Object-Id"
+
+}
+
+$mfaGroups.GetEnumerator() | ForEach-Object{
+ $groupId = $_.Value
+ $groupMember = Get-DistributionGroupMember -Identity $groupId
+
+
+ # Activate mfa for groups
+ foreach ($distUser in $groupMember) {
+
+ $adUser = Get-AzureADUser -ObjectId $distUser.ExternalDirectoryObjectId
+
+ $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
+ $st.RelyingParty = "*"
+ $st.State = "Enabled"
+ $sta = @($st)
+ Set-MsolUser -UserPrincipalName $adUser.UserPrincipalName -StrongAuthenticationRequirements $sta
+ Write-Host $adUser.displayname " 2 FA enabled"
+
+ }
+
+}
\ No newline at end of file
diff --git a/Sync-Groups/Readme.md b/Sync-Groups/Readme.md
index 36e3f71..251248d 100644
--- a/Sync-Groups/Readme.md
+++ b/Sync-Groups/Readme.md
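Review bot: Nothing in the foreach body checks the outcome of `Get-AzureADUser` or `Set-MsolUser` before `Write-Host $adUser.displayname " 2 FA enabled"` runs, so a member whose lookup or update raised a (by default non-terminating) error is still reported as enabled and the script exits successfully; adding `-ErrorAction Stop` to the `Get-AzureADUser -ObjectId ...` and `Set-MsolUser -UserPrincipalName ...` lines, or wrapping them in try/catch, makes a failed enablement visible instead of logged as success. `Get-DistributionGroupMember -Identity $groupId` returns at most the default result size (1000) unless `-ResultSize Unlimited` is passed, so a larger group would be processed only partially without any indication. The new file also keeps the `New-PSSession ... -Authentication Basic` Exchange session that the second patch in this series replaces with Connect-ExchangeOnline in Sync-Groups.ps1 and Sync-Groups-Admins.ps1, so it should get the same change. The `$mfaGroups` table still holds the placeholder entry `"Group name" = "Distribution Group Object-Id"`; a comment stating that the value must be the group's object id (as read by `$_.Value`) and be filled in before the script does anything would help the next operator.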
@@ -12,14 +12,19 @@ ermöglicht das automatische Sicherstellen, dass in bestimmten (Teams-)Gruppen ausschließlich interne Accounts zugelassen sind. Dadurch werden unsere internen IT-Policies technisch erzwungen. -## Zusätzliche Abhängigkeit -Um dieses Skript ausführen zu können, muss erst eine weitere Abhängigkeit -durch einen entsprechenden PowerShell-Befehl installiert werden. +## Zusätzliche Abhängigkeiten +Um diesee Skripte ausführen zu können, müssen erst weitere Abhängigkeiten +durch einen entsprechende PowerShell-Befehle installiert werden. ### [Microsoft Teams Module](https://docs.microsoft.com/de-de/microsoftteams/teams-powershell-overview) ```pwsh Install-Module MicrosoftTeams ``` +### [Microsoft MSOnline Module](https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview?view=azureadps-1.0&preserve_view=true) +```pwsh +Install-Module MSOnline +``` +**Achtung**: Microsoft empfiehlt selbst, das Modul nicht mehr zu benutzen, allerdings wurde bis heute keine Alternative vorstellt, mit welchem anderen Modul die MFA aktiviert werden kann. Sobald es eine Alternative gibt, wird das Skript angepasst. ## Konfiguration Das Skript wird über zwei Variablen am Anfang konfiguriert: From 20d1bead4b506539470cb75caa2f4adb2af1b093 Mon Sep 17 00:00:00 2001 From: Moritz Engel Date: Thu, 25 Aug 2022 01:47:53 +0200 Subject: [PATCH 2/2] fixup! [Sync-Groups] Change login to new exchange module --- Sync-Groups/Sync-Groups-Admins.ps1 | 11 +---------- Sync-Groups/Sync-Groups.ps1 | 10 +--------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/Sync-Groups/Sync-Groups-Admins.ps1 b/Sync-Groups/Sync-Groups-Admins.ps1 index 47475dd..994cc4c 100644 --- a/Sync-Groups/Sync-Groups-Admins.ps1 +++ b/Sync-Groups/Sync-Groups-Admins.ps1 
@@ -20,16 +20,7 @@ if (!$credentials) { } Connect-AzureAD -Credential $credentials | Out-Null - -# remove existing Exchange Remote Sessions if any -Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession - -$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection -Import-PSSession $session -if (!$?) { - throw "Failed to import Exchange Remote Session" -} - +Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null # Alle Gruppen initalisieren diff --git a/Sync-Groups/Sync-Groups.ps1 b/Sync-Groups/Sync-Groups.ps1 index e829b64..354e2af 100644 --- a/Sync-Groups/Sync-Groups.ps1 +++ b/Sync-Groups/Sync-Groups.ps1 @@ -61,15 +61,7 @@ if (!$credentials) { Connect-AzureAD -Credential $credentials | Out-Null Connect-MicrosoftTeams -Credential $credentials |Out-Null - -# remove existing Exchange Remote Sessions if any -Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession - -$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection -Import-PSSession $session -if (!$?) { - throw "Failed to import Exchange Remote Session" -} +Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null <## # a null-safe wrapper around Compare-Object
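Review bot: The removed block threw when the Exchange session could not be imported, but the replacement `Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null` carries no failure check, and the identical line in the Sync-Groups.ps1 hunk below has the same gap; appending `-ErrorAction Stop` keeps the old fail-fast behaviour explicit regardless of how the cmdlet reports a connection error, and `| Out-Null` otherwise also hides any output it would give. As far as I know the `-Credential` username/password flow of Connect-ExchangeOnline only works for an account that is not MFA-protected, so the sync-admin account this series configures stays exempt from the MFA that Activate-Mfa.ps1 enforces on group members — worth a comment on the line, e.g. `# service account uses the password flow and therefore cannot have MFA enabled`, so nobody silently "fixes" that later. The old code also cleaned up stale sessions before connecting while nothing here disconnects afterwards; if the scripts run on a schedule, a `Disconnect-ExchangeOnline -Confirm:$false` at the end of each script (outside these hunks) would avoid accumulating sessions — confirm against the tenant's session limits.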