0 votes

I'm new to the platform, so please bare with me. I'm working on business rule that checks for accounts in our new users OU to see if MFA is enabled. I have an Adaxes App in Azure with all the proper premissions, runnings the script outside of Axades works as expected but I don't know how to connect to MgGraph via Adaxes powershell

In Powershell I run Connect-MgGraph -ClientID 999999 -TenantId 9999999 -CertificateThumbprint 9999999 then proceed to run my script

When I put the same in Adaxes I get an error msg: Certificate with thumbprint '9999999' was not found in certificate store or has expired. Stack trace: at <ScriptBlock>, <No file>: line 12

I tried$graphToken = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com") Connect-MgGraph -AccessToken $graphToken

but that results in error: Cannot bind parameter 'AccessToken'. Cannot convert the "eyJ0eXAiOiJKV1QiLCJub25jZSI6ImiusaWfQ" value of type "System.String" to type "System.Security.SecureString". Stack trace: at <S criptBlock>, <No file>: line 12

Any help would be wonderful!

by (120 points)

1 Answer

0 votes
by (292k points)

Hello,

The approach with the $Context variable used to work fine. Looks like there were some changes in the PowerShell module. The following approach works fine:

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force
Connect-MgGraph -AccessToken $token
0

So i tried that, now I get the following error msg: Access token has expired or is not yet valid. Stack trace: Access token has expired or is not yet valid. Stack trace: at Get-MgUser<Process>

0

Hello,

Please, provide us with the full script you are using. Also, please, describe the desired behavior in all the possible details with live examples.

0

Thanks for the speedy replies!

Here is what are looking to do. Within a 2 week period after a new user starts we need to enable MFA. This script should use graph to check and see if MFA is enabled and present the method. If the user is not MFA enabled the user gets added to a security group which is queried by a business unit. I also have a custom attribute for MFA status that should be get set to false if MFA is disabled. Outside of Adaxes the script works - it drops the user in the security group and spits out the txt file that looks like this user : username@example.com MFAstatus : Disabled email : - fido2 : - app : - password : True phone : - softwareoath : - tempaccess : - hellobusiness : -

Here is the script:

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force
Connect-MgGraph -AccessToken $token

#Adaxes Flag for MFA
$attributeName = "adm-CustomAttributeBoolean12"
$MFAValue = 'False'

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("The user %fullname% doesn't have a Microsoft 365 account.", "Warning")
    return
}

$users = Get-MgUser -UserId $objectId


# Set the group to add disabled MFA users
$disabledMfaGroup = "MFA Not Enabled"

# Get the AD group
$adGroup = Get-ADGroup -Identity $disabledMfaGroup

#loop through each user account
foreach ($user in $users) {

    Write-Host  "`n$($user.UserPrincipalName)";
    $myObject = [PSCustomObject]@{
        user               = "-"
        MFAstatus          = "_"
        email              = "-"
        fido2              = "-"
        app                = "-"
        password           = "-"
        phone              = "-"
        softwareoath       = "-"
        tempaccess         = "-"
        hellobusiness      = "-"
    }

    $MFAData=Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName

    $myobject.user = $user.UserPrincipalName;

    #check authentication methods for each user
    ForEach ($method in $MFAData) {

        Switch ($method.AdditionalProperties["@odata.type"]) {
            "#microsoft.graph.emailAuthenticationMethod"  { 
                $myObject.email = $true 
                $myObject.MFAstatus = "Enabled"
            } 
            "#microsoft.graph.fido2AuthenticationMethod" { 
                $myObject.fido2 = $true 
                $myObject.MFAstatus = "Enabled"
            }    
            "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"  { 
                $myObject.app = $true 
                $myObject.MFAstatus = "Enabled"
            }    
            "#microsoft.graph.passwordAuthenticationMethod" {              
                $myObject.password = $true 
                # When only the password is set, then MFA is disabled.
                if($myObject.MFAstatus -ne "Enabled")
                {
                    $myObject.MFAstatus = "Disabled"
                }                
            }     
            "#microsoft.graph.phoneAuthenticationMethod"  { 
                $myObject.phone = $true 
                $myObject.MFAstatus = "Enabled"
            }   
            "#microsoft.graph.softwareOathAuthenticationMethod"  { 
                $myObject.softwareoath = $true 
                $myObject.MFAstatus = "Enabled"
            }           
            "#microsoft.graph.temporaryAccessPassAuthenticationMethod"  { 
                $myObject.tempaccess = $true 
                $myObject.MFAstatus = "Enabled"
            }           
            "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"  { 
                $myObject.hellobusiness = $true 
                $myObject.MFAstatus = "Enabled"
            }                   
        }

        # If MFA is not enabled, add user to the Disabled MFA Users AD group
        if($myObject.MFAstatus -eq "Disabled") {

            #Set Adaxes Flag to easily find users who aren't compliant
            $Context.TargetObject.Put($attributeName, $MFAValue)
            $Context.TargetObject.SetInfo()

            # Get the AD user using the UPN
            $adUser = Get-ADUser -Filter {UserPrincipalName -eq $user.UserPrincipalName}
            # Check if the user is already in the group

            if(!(Get-ADGroupMember -Identity $adGroup -Recursive | Where-Object {$_.SamAccountName -eq $adUser.SamAccountName})) {
                # If not, add the user to the group
                Add-ADGroupMember -Identity $adGroup -Members $adUser
            }
        }
    }

    ##Collecting objects
    $results+= $myObject;
}

# Save results to a compliance folder 
$results | Out-File -FilePath 'D:\MFA List.txt' -Append
0

Hello,

The script itself looks fine. How exactly do you execute it? Does the issue occur for all users or only for some? Does it occur for the same accounts on each run?

Also, please, specify the version of Adaxes (including the build number) you are currently using. For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

Any additional details will be much appreciated.

0

Sorry for the delay - I'm attempting to run this as a scheduled task weekly on an AD security group that is populated with new users who started over the past month.

Adaxes verison 3.16.21627.0 (64 bit)

0

Hello,

What about the other questions from our previous post? Here they are again:

  • Does the issue occur for all users or only for some?
  • Does it occur for the same accounts on each run?

Also, please, specify the quantity of users in the group and provide a screenshot of the scheduled task including the full Activity Scope section. You can post the screenshot here or send it to us at support@adaxes.com.

Ethod not found

Related questions

0 votes
0 answers

Upgraded to the latest adaxes release yesterday and now this morning we are not able to access our self-service portal. We have rebooted our server and verified our adaxes service is successfully connected our domains. Any help would be appreciated, thank you!

asked Mar 14 by dhodgin (40 points)
0 votes
1 answer

Hi We're testing Adaxes 2023 and I've found a small issue when connecting to AzureADPreview in a powershell script where it comeas back with the following: "One or ... account with Azure permissions. How can this be done with the app registration? Thanks Matt

asked Jan 16, 2023 by chappers77 (2.0k points)
0 votes
1 answer

Hi Adax users are unable to load any exchange information when using the Adaxes front end. When trying to load exchange information or any exchange related task they get the ... tenants is set up and says last AD Connect time was 30 minutes ago. Thanks

asked Feb 16, 2021 by R_C (70 points)
0 votes
2 answers

Dear Support, can you advise if it's possible to connect to Adaxes from PowerBI? To have access (read) for the Adaxes custom attributes? Thank you!

asked May 13, 2020 by Dmytro.Rudyi (920 points)
0 votes
1 answer

Dear Support, can you please clarify - to call adaxes custom commands from "other" machines via following code - Adaxes PS module needs to be installed or ... -Object "Softerra.Adaxes.Adsi.AdmNamespace" $admService = $admNS.GetServiceDirectly("xxx") Thanks!

asked Oct 9, 2019 by Dmytro.Rudyi (920 points)
3,569 questions
3,259 answers
8,275 comments
547,962 users