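<#
.SYNOPSIS
    Exports every Conditional Access policy of a tenant to a CSV file.

.DESCRIPTION
    Acquires an app-only access token (client-credentials grant, v2.0 token endpoint),
    reads the Conditional Access policies from Microsoft Graph - following
    @odata.nextLink in case the service pages the result - flattens each policy to
    one row and writes the rows with Export-Csv.

    Fixes against the earlier version of this script:
      * the client secret is no longer embedded in the file; it is a mandatory
        parameter so it can come from a vault, secret store or CI variable,
      * the "SignInRiskLevels" column used an undefined variable ($RiskLevels)
        and was therefore always empty,
      * RefreshToken was called with -resource, which the function did not accept,
      * the export directory is created before Export-Csv runs,
      * the misleading "add the path" prompt is replaced by the -OutputPath parameter.

.PARAMETER TenantName
    Tenant id or verified domain name used in the token endpoint URL.
.PARAMETER ClientID
    Application (client) id of the app registration.
.PARAMETER ClientSecret
    Client secret of the app registration. Supply it at run time; do not store it in
    the script or commit it to source control.
.PARAMETER OutputPath
    Destination CSV file. Its parent directory is created if it does not exist.
    Defaults to the path the original script wrote to.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $TenantName,
    [Parameter(Mandatory = $true)] [string] $ClientID,
    [Parameter(Mandatory = $true)] [string] $ClientSecret,
    [string] $OutputPath = "C:\Temp\MFA Report\Results.csv"
)

# Stop on the first failing cmdlet instead of exporting a partial or empty report.
$ErrorActionPreference = 'Stop'

$loginURL = "https://login.microsoftonline.com"
$resource = "https://graph.microsoft.com"
# NOTE(review): the beta endpoint is what the original used; it is not a stable contract.
$CAPolicies = "$resource/beta/conditionalAccess/policies"

#######################################
# Requests an app-only access token with the client-credentials grant.
# Arguments: $loginURL     - authority base URL
#            $ClientID     - application (client) id
#            $clientSecret - client secret
#            $tenantName   - tenant id or domain
#            $resource     - audience whose "/.default" scope is requested
#                            (optional; defaults to Microsoft Graph)
# Returns:   the token response object (access_token, token_type, expires_in, ...)
#            or throws if the token endpoint rejects the request.
#######################################
function RefreshToken($loginURL, $ClientID, $clientSecret, $tenantName, $resource = "https://graph.microsoft.com") {
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $ClientID
        client_secret = $clientSecret
        scope         = "$resource/.default"   # every application permission granted to the app
    }
    # A hashtable body is sent form-encoded, which is what the token endpoint expects.
    $oauthResponse = Invoke-RestMethod -Method POST -Uri "$loginURL/$tenantName/oauth2/v2.0/token" -Body $body
    return $oauthResponse
}

#######################################
# Joins a list-valued Graph property into one CSV cell.
# A $null or empty list yields "" (same as the original "-join" usage).
#######################################
function Join-List($items) {
    return ($items -join "; ")
}

# BUILD THE ACCESS TOKEN. The token is only ever placed in the Authorization header;
# it is deliberately not written to the console or the report.
$oauth = RefreshToken -loginURL $loginURL -ClientID $ClientID -clientSecret $ClientSecret -tenantName $TenantName -resource $resource
$headerParams = @{ 'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }

# A generic List avoids the quadratic cost of "$Logs += $Log" on every iteration.
$Logs = New-Object System.Collections.Generic.List[object]

$uri = $CAPolicies
while ($uri) {
    # Invoke-RestMethod parses the JSON for us and throws on non-2xx responses,
    # so the Invoke-WebRequest + ConvertFrom-Json pair is no longer needed.
    $page = Invoke-RestMethod -Headers $headerParams -Uri $uri -Method GET

    foreach ($event in $page.value) {
        # [ordered] keeps the column order stable in the CSV header.
        $Logs.Add([PSCustomObject][ordered]@{
            "Policy ID"                                          = $event.id
            "Policy Name"                                        = $event.displayName
            "Policy State"                                       = $event.state
            "Policy Last Updated Time"                           = $event.modifiedDateTime
            # NOTE(review): sessionControls.* are nested objects; Export-Csv writes their
            # string form rather than their fields - confirm this is the wanted shape.
            "Policy Session Controls App Enforced Restrictions"  = $event.sessionControls.applicationEnforcedRestrictions
            "Policy Session - CA App Control"                    = $event.sessionControls.cloudAppSecurity
            "Policy Session - Sign in Frequency"                 = $event.sessionControls.signInFrequency
            "Policy Included Users"                              = Join-List $event.conditions.users.includeUsers
            "Policy Excluded Users"                              = Join-List $event.conditions.users.excludeUsers
            "Policy Included Groups"                             = Join-List $event.conditions.users.includeGroups
            "Policy Excluded Groups"                             = Join-List $event.conditions.users.excludeGroups
            # The original had a stray "#" in front of this assignment while still
            # emitting the column; it is kept active here so the column is populated.
            "Policy Included Roles"                              = Join-List $event.conditions.users.includeRoles
            "Policy Excluded Roles"                              = Join-List $event.conditions.users.excludeRoles
            "Policy Included Applications"                       = Join-List $event.conditions.applications.includeApplications
            "Policy Excluded Applications"                       = Join-List $event.conditions.applications.excludeApplications
            "Policy User Actions"                                = Join-List $event.conditions.applications.includeUserActions
            "Policy Conditions - Client Apps "                   = Join-List $event.conditions.clientAppTypes
            "Policy Conditions - Included Device States"         = Join-List $event.conditions.devices.includeDeviceStates
            "Policy Conditions - Excluded Device States"         = Join-List $event.conditions.devices.excludeDeviceStates
            "Policy Conditions - Included Locations"             = Join-List $event.conditions.locations.includeLocations
            "Policy Conditions - Excluded Locations"             = Join-List $event.conditions.locations.excludeLocations
            "Policy Conditions - Included Device Platforms"      = Join-List $event.conditions.platforms.includePlatforms
            "Policy Conditions - Excluded Device Platforms"      = Join-List $event.conditions.platforms.excludePlatforms
            # Bug fix: the original wrote the undefined $RiskLevels here, so this
            # column was always empty.
            "Policy Conditions - SignInRiskLevels"               = Join-List $event.conditions.signInRiskLevels
            "Policy Conditions - UserRiskLevels"                 = Join-List $event.conditions.userRiskLevels
            "Policy Controls"                                    = Join-List $event.grantControls.builtInControls
            "Policy Auth Factors"                                = Join-List $event.grantControls.customAuthenticationFactors
            "Policy Terms Of Use"                                = Join-List $event.grantControls.termsOfUse
        })
    }

    # Follow server-side paging; $null ends the loop.
    $uri = $page.'@odata.nextLink'
}

# Export-Csv does not create missing directories, so make sure the target exists.
$outDir = Split-Path -Parent $OutputPath
if ($outDir -and -not (Test-Path -LiteralPath $outDir)) {
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
}

Write-Host "Exporting $($Logs.Count) Conditional Access policies to $OutputPath" -ForegroundColor White -BackgroundColor Black
$Logs | Export-Csv -LiteralPath $OutputPath -NoTypeInformation -Encoding UTF8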
Friday, March 19, 2021
MFA Report