Streamline User Security: Retrieve Phone Authentication Methods via Microsoft Graph with PowerShell

In today's security-conscious environment, understanding and managing user authentication methods is crucial. This blog post will guide you through using a PowerShell script that leverages Microsoft Graph to retrieve phone authentication methods for your users, enabling you to enhance security audits and user management.

Why Retrieve Phone Authentication Methods?

  • Security Audits: Verify and track phone numbers used for MFA.
  • User Management: Ensure accurate and up-to-date user authentication information.
  • Compliance: Meet security compliance requirements by documenting authentication methods.
  • Troubleshooting: Resolve user authentication issues efficiently.
  • Security Reporting: Generate reports for security analysis and monitoring.

Understanding the PowerShell Script:

This script connects to Microsoft Graph and retrieves phone authentication methods for all users in your tenant. It then exports the data to a CSV file, making it easy to analyze and share.

PowerShell
# Requires the Microsoft Graph PowerShell SDK. The two sub-modules used here are
# enough; the full Microsoft.Graph meta-module also works. No elevation needed:
#   Install-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

# Connect to Microsoft Graph with read-only scopes; nothing in this script needs write access
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Output location. The file will contain phone numbers (PII), so keep it access-controlled
$OutputPath = "C:\PhoneMethodsReport.csv"

# A generic list avoids the quadratic cost of $Results += on large tenants
$Results = [System.Collections.Generic.List[object]]::new()

# Get all users (-All follows the paging for you); request only the properties used
$Users = Get-MgUser -All -Property Id, UserPrincipalName

# Loop through each user
foreach ($User in $Users) {
    $UserPrincipalName = $User.UserPrincipalName
    Write-Host "Processing user: $UserPrincipalName"
    try {
        # Get phone authentication methods. -ErrorAction Stop turns the SDK's
        # non-terminating errors into exceptions so the catch block below actually runs
        $PhoneMethods = Get-MgUserAuthenticationPhoneMethod -UserId $User.Id -ErrorAction Stop

        # Five placeholder columns. Entra ID exposes at most three phone methods per user
        # (mobile, alternateMobile, office), so Mobile4 and Mobile5 stay empty in practice
        $Phones = @($null, $null, $null, $null, $null)

        # Store phone numbers sequentially
        $PhoneIndex = 0
        foreach ($PhoneMethod in $PhoneMethods) {
            if ($PhoneIndex -lt 5) {
                $Phones[$PhoneIndex] = $PhoneMethod.PhoneNumber
            }
            $PhoneIndex++
        }

        # One row per user with a fixed column order
        $Results.Add([PSCustomObject]@{
            Email   = $UserPrincipalName
            Mobile1 = $Phones[0]
            Mobile2 = $Phones[1]
            Mobile3 = $Phones[2]
            Mobile4 = $Phones[3]
            Mobile5 = $Phones[4]
        })
    }
    catch {
        # Report the failing user and carry on with the rest of the tenant
        Write-Warning "Error processing user: $UserPrincipalName - $_"
    }
}

# Export results to CSV with fixed column order
$Results |
    Select-Object Email, Mobile1, Mobile2, Mobile3, Mobile4, Mobile5 |
    Export-Csv -Path $OutputPath -NoTypeInformation

# Disconnect from Microsoft Graph
Disconnect-MgGraph
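The report is only useful if someone reads it for anomalies. The following is an added example, not code from the original post, showing three checks a reviewer typically runs over the CSV the script produces: the same number registered on several accounts (a shared help-desk line, or an attacker's number added to several phished accounts), users with no phone method at all, and numbers outside the country prefixes the organisation expects. The rows in $Rows are constructed sample data in the script's own Email/Mobile1..Mobile5 shape, and the allow-list of prefixes is an assumption; on a real run replace the sample rows with Import-Csv of the report.

```powershell
# Added example (not part of the original post): audit checks over the CSV the
# script above produces. $Rows holds constructed sample rows in the script's
# Email/Mobile1..Mobile5 shape. For a real run use:
#   $Rows = Import-Csv -Path "C:\PhoneMethodsReport.csv"
$Rows = @(
    [PSCustomObject]@{ Email = 'alice@contoso.example'; Mobile1 = '+1 425-555-0100'; Mobile2 = $null;             Mobile3 = $null; Mobile4 = $null; Mobile5 = $null }
    [PSCustomObject]@{ Email = 'bob@contoso.example';   Mobile1 = '+14255550100';    Mobile2 = '+44 20 7946 0958'; Mobile3 = $null; Mobile4 = $null; Mobile5 = $null }
    [PSCustomObject]@{ Email = 'carol@contoso.example'; Mobile1 = $null;             Mobile2 = $null;             Mobile3 = $null; Mobile4 = $null; Mobile5 = $null }
    [PSCustomObject]@{ Email = 'dave@contoso.example';  Mobile1 = '+7 495 555 0199'; Mobile2 = $null;             Mobile3 = $null; Mobile4 = $null; Mobile5 = $null }
)

# Assumed allow-list of country prefixes the organisation expects to see
$AllowedPrefixes = @('+1', '+44')

function Get-NormalizedPhone {
    param([string]$Number)
    # Import-Csv yields empty strings for blank cells; treat those like $null
    if ([string]::IsNullOrWhiteSpace($Number)) { return $null }
    # Keep the leading + and the digits so '+1 425-555-0100' and '+14255550100' compare equal
    return ($Number -replace '[^\d+]', '')
}

# Flatten the wide report into one (Email, Phone) pair per registered number
$Pairs = foreach ($Row in $Rows) {
    foreach ($Column in 'Mobile1', 'Mobile2', 'Mobile3', 'Mobile4', 'Mobile5') {
        $Phone = Get-NormalizedPhone $Row.$Column
        if ($Phone) { [PSCustomObject]@{ Email = $Row.Email; Phone = $Phone } }
    }
}

# Check 1: one number registered on more than one account
$Shared = $Pairs | Group-Object Phone | Where-Object Count -gt 1

# Check 2: accounts with no phone method at all (no SMS/voice factor registered)
$NoPhone = $Rows | Where-Object { -not ($Pairs.Email -contains $_.Email) }

# Check 3: numbers whose prefix is not on the allow-list
$Foreign = $Pairs | Where-Object {
    $Phone = $_.Phone
    -not ($AllowedPrefixes | Where-Object { $Phone.StartsWith($_) })
}

# Summarise the findings; with the sample rows this reports +14255550100 shared by
# alice and bob, carol without a phone method, and dave's +7 number
[PSCustomObject]@{
    SharedNumbers     = @($Shared | ForEach-Object { "$($_.Name): $($_.Group.Email -join ', ')" })
    UsersWithoutPhone = @($NoPhone.Email)
    UnexpectedPrefix  = @($Foreign | ForEach-Object { "$($_.Email): $($_.Phone)" })
} | Format-List
```

A shared number is not automatically malicious, but it is the finding worth correlating with sign-in logs and the audit log's "User registered security info" events, since registering their own number on a compromised account is how attackers keep access after the password is reset.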

Key Features:

  • Microsoft Graph Integration: Uses the Microsoft.Graph module to interact with Microsoft Graph.
  • User Retrieval: Retrieves all users using Get-MgUser.
  • Phone Method Retrieval: Retrieves phone authentication methods using Get-MgUserAuthenticationPhoneMethod.
  • Error Handling: Wraps each user in try/catch so one failing user is reported and the run continues. Note that Graph SDK cmdlets emit non-terminating errors by default, so the call inside the try needs -ErrorAction Stop for the catch block to fire.
  • CSV Export: Exports the results to a CSV file with a fixed column order.
  • Multiple Phone Number Support: Reserves five phone-number columns per user. Entra ID currently allows at most three phone methods per user (mobile, alternate mobile, office), so the last two columns stay empty; they only keep the schema stable.

Prerequisites:

  • Microsoft Graph SDK: Install the Microsoft.Graph module, or just the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns sub-modules that contain the cmdlets used, with Install-Module ... -Scope CurrentUser. No elevated PowerShell session is needed for a per-user install.
  • Microsoft Graph Permissions: The script requests the delegated User.Read.All and UserAuthenticationMethod.Read.All scopes, both read-only. With delegated permissions, reading other users' authentication methods also requires the signed-in account to hold a suitable Entra role (for example Authentication Administrator or Global Reader); an ordinary user who consents to these scopes can only read their own methods.

Step-by-Step Guide to Using the Script:

  • Install the Microsoft Graph SDK:
    • Open PowerShell (an administrator prompt is not required for a current-user install).
    • Run Install-Module Microsoft.Graph -Scope CurrentUser.
  • Connect to Microsoft Graph:
    • Run Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All".
    • Authenticate with a Microsoft 365 account that holds a role allowed to read other users' authentication methods, and accept the consent prompt on first use. The script calls Connect-MgGraph itself, so this step only lets you complete consent before the bulk run.
  • Run the Script:
    • Save the script as a .ps1 file (e.g., PhoneMethodsReport.ps1).
    • Open PowerShell and navigate to the script's directory.
    • Run the script: .\PhoneMethodsReport.ps1.
  • View the Report:
    • The script generates a CSV file named C:\PhoneMethodsReport.csv (change $OutputPath in the script if the running account cannot write to the root of C:).
    • Open the CSV file to view the phone authentication methods. Treat it as sensitive: it lists the numbers that gate MFA for every account.
  • Disconnect from Microsoft Graph:
    • Run Disconnect-MgGraph.

Script Breakdown:

  • Connect-MgGraph: Connects to Microsoft Graph with the necessary permissions.
  • Get-MgUser: Retrieves all users from the tenant.
  • Get-MgUserAuthenticationPhoneMethod: Retrieves phone authentication methods for each user.
  • Error Handling (try-catch): Manages errors during user processing.
  • CSV Export (Export-Csv): Exports the results to a CSV file.
  • Disconnect-MgGraph: Disconnects from Microsoft Graph.

Best Practices:

  • Permissions: Run the script with an account (or app registration) that holds only what it needs: the two read-only scopes plus a reader-level role such as Global Reader, not Global Administrator.
  • Error Handling: Review the warnings the script prints. An "insufficient privileges" error on every user points at a missing role rather than at the users; an error on a single user is worth a closer look.
  • Regular Reporting: Schedule the script to run regularly and compare successive reports; a number that changes or is newly added on an account should be correlated with sign-in and audit logs. For unattended runs use app-only (certificate) authentication rather than a stored user password.
  • Secure Storage: The CSV holds the phone numbers that protect every account, and an attacker who learns which number gates an account can target it with SIM swapping or social engineering. Store the file in an access-controlled location, do not send it by email, and delete old copies.
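For the scheduled-run case above, an interactive Connect-MgGraph is not an option. The following is an added example, not the post's script, of the same report run unattended with app-only certificate authentication. It assumes an app registration that has been granted admin consent for the application permissions User.Read.All and UserAuthenticationMethod.Read.All, a certificate for that app in the task account's certificate store, and the placeholder tenant ID, client ID, thumbprint and output folder shown. It also writes one row per phone method with its type and SMS sign-in state, which the post's wide format does not capture.

```powershell
# Added example (not part of the original post): unattended report run with
# app-only certificate authentication, suitable for a scheduled task.
# All IDs and paths below are placeholders/assumptions.
$TenantId   = '00000000-0000-0000-0000-000000000000'        # placeholder
$ClientId   = '11111111-1111-1111-1111-111111111111'        # placeholder
$Thumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'    # placeholder
$OutputDir  = 'C:\Reports\MfaPhones'                        # assumed; restrict its ACL

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

# Certificate-based app-only sign-in: no password is stored on the host
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome

# Fail fast if the app is missing a role, instead of writing an empty report.
# For app-only sessions Get-MgContext reports the granted app roles under Scopes.
$Context = Get-MgContext
foreach ($Required in 'User.Read.All', 'UserAuthenticationMethod.Read.All') {
    if ($Context.Scopes -notcontains $Required) {
        Disconnect-MgGraph | Out-Null
        throw "Token is missing the $Required permission"
    }
}

# Date-stamped file name so earlier runs are kept and can be compared
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$OutputPath = Join-Path $OutputDir ("PhoneMethodsReport_{0:yyyyMMdd}.csv" -f (Get-Date))

$Results = [System.Collections.Generic.List[object]]::new()
foreach ($User in Get-MgUser -All -Property Id, UserPrincipalName) {
    try {
        $Methods = Get-MgUserAuthenticationPhoneMethod -UserId $User.Id -ErrorAction Stop
        foreach ($Method in $Methods) {
            # Long format: one row per registered phone method
            $Results.Add([PSCustomObject]@{
                Email       = $User.UserPrincipalName
                PhoneType   = $Method.PhoneType        # mobile, alternateMobile or office
                PhoneNumber = $Method.PhoneNumber
                SmsSignIn   = $Method.SmsSignInState   # e.g. ready, notEnabled, notSupported
            })
        }
    }
    catch {
        Write-Warning "Error processing user: $($User.UserPrincipalName) - $_"
    }
}

$Results | Export-Csv -Path $OutputPath -NoTypeInformation
Disconnect-MgGraph
```

Register the certificate's private key for the task's service account only, and grant the app registration nothing beyond the two read permissions; an app-only token with User.Read.All and UserAuthenticationMethod.Read.All can enumerate every MFA phone number in the tenant, so the registration deserves the same protection as the report it produces.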

Conclusion:

This PowerShell script provides a valuable tool for retrieving phone authentication methods from Microsoft Graph, enabling you to enhance security audits and user management. By automating this process, you can ensure accurate and up-to-date user authentication information.

Have you used Microsoft Graph to retrieve phone authentication methods? Contact us today if you need assistance with Microsoft Graph or PowerShell scripting.

  • Office 365
  • Microsoft Graph, PowerShell, User Security, Security Audit, Microsoft 365, MFA