User Information
This section covers functions that gather information about user accounts: the creation date and last password change date of every user, the risky users and risky detections, all administrator users, and the MFA status of all accounts.
Retrieve information for all users.
Retrieves the creation time and date of the last password change for all users.
Usage
Running the script without any parameters retrieves the creation time and date of the last password change for all users.
Get-Users
Retrieves the creation time and date of the last password change for all users and exports the output to a CSV file with UTF-32 encoding.
Get-Users -Encoding utf32
Retrieves the creation time and date of the last password change for all users and saves the output to the C:\Windows\Temp folder.
Get-Users -OutputDir C:\Windows\Temp
Parameters
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: UserInfo
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the CSV/JSON output file.
Default: UTF8
- -Application (optional)
Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
Default: Delegated access (access on behalf of a user)
Output
The output will be saved to the ‘UserInfo’ directory within the ‘Output’ directory.
Permissions
Before utilizing this function, it is essential to ensure that the appropriate permissions have been granted. This function relies on the Microsoft Graph API and requires an application or user to authenticate with specific scopes that grant the necessary access levels.
Make sure to connect using at least one of the following permissions: “User.Read.All”, “Directory.AccessAsUser.All”, “Directory.Read.All”.
For instance, if you choose to use User.Read.All, your command would look like this: Connect-MgGraph -Scopes 'User.Read.All'
Retrieve all Administrator directory roles.
Retrieves Administrator directory roles, including the identification of users associated with each specific role.
Usage
Running the script without any parameters retrieves Administrator directory roles, including the identification of users associated with each specific role.
Get-AdminUsers
Retrieves Administrator directory roles, including the users associated with each role, and exports the output to a CSV file with UTF-32 encoding.
Get-AdminUsers -Encoding utf32
Retrieves Administrator directory roles, including the users associated with each role, and saves the output to the C:\Windows\Temp folder.
Get-AdminUsers -OutputDir C:\Windows\Temp
Parameters
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: UserInfo
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the CSV/JSON output file.
Default: UTF8
- -Application (optional)
Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
Default: Delegated access (access on behalf of a user)
Output
The output will be saved to the ‘UserInfo’ directory within the ‘Output’ directory.
Permissions
Before utilizing this function, it is essential to ensure that the appropriate permissions have been granted. This function relies on the Microsoft Graph API and requires an application or user to authenticate with specific scopes that grant the necessary access levels.
Make sure to connect using at least one of the following permissions: “User.Read.All”, “Directory.AccessAsUser.All”, “Directory.Read.All”.
For instance, if you choose to use User.Read.All, your command would look like this: Connect-MgGraph -Scopes 'User.Read.All'
Retrieves MFA status
Retrieves the MFA status for all users.
Usage
Running the script without any parameters retrieves the MFA status for all users.
Get-MFA
Retrieves the MFA status for all users and exports the output to a CSV file with UTF-32 encoding.
Get-MFA -Encoding utf32
Parameters
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: UserInfo
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the CSV/JSON output file.
Default: UTF8
- -Application (optional)
Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
Default: Delegated access (access on behalf of a user)
Output
The output will be saved to the ‘UserInfo’ directory within the ‘Output’ directory.
Permissions
Before utilizing this function, it is essential to ensure that the appropriate permissions have been granted. This function relies on the Microsoft Graph API and requires an application or user to authenticate with specific scopes that grant the necessary access levels.
Make sure to connect using both of the following permissions: “UserAuthenticationMethod.Read.All”, “User.Read.All”.
Your command would look like this: Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'
Retrieves the risky users
Retrieves the risky users from Entra ID Identity Protection, which marks an account as being at risk based on the pattern of activity for the account.
Usage
Running the script without any parameters retrieves all risky users.
Get-RiskyUsers
Parameters
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: UserInfo
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the CSV/JSON output file.
Default: UTF8
- -Application (optional)
Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
Default: Delegated access (access on behalf of a user)
Output
The output will be saved to the ‘UserInfo’ directory within the ‘Output’ directory.
Permissions
Before utilizing this function, it is essential to ensure that the appropriate permissions have been granted. This function relies on the Microsoft Graph API and requires an application or user to authenticate with specific scopes that grant the necessary access levels.
Make sure to connect using the following permission: “IdentityRiskyUser.Read.All”.
Your command would look like this: Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All'
Retrieves the risky detections
Retrieves the risky detections from Entra ID Identity Protection.
Usage
Running the script without any parameters retrieves all the risky detections.
Get-RiskyDetections
Parameters
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: UserInfo
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the CSV/JSON output file.
Default: UTF8
- -Application (optional)
Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
Default: Delegated access (access on behalf of a user)
Output
The output will be saved to the ‘UserInfo’ directory within the ‘Output’ directory.
Permissions
Before utilizing this function, it is essential to ensure that the appropriate permissions have been granted. This function relies on the Microsoft Graph API and requires an application or user to authenticate with specific scopes that grant the necessary access levels.
Make sure to connect using the following permission: “IdentityRiskEvent.Read.All”.
Your command would look like this: Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All'
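
The scope requirements stated in the Permissions paragraphs of this section can be checked against the current Graph session before collection starts, so that a function is not run with a session that lacks its scopes. This is an added example, not part of the Microsoft-Extractor-Suite; the Test-ScopeRequirement helper and the case directory path are hypothetical, and it assumes a delegated session opened with Connect-MgGraph.

```powershell
# Added example: pre-flight scope check before running the User Information functions.
# Scope lists are copied from the Permissions paragraphs on this page.
# Mode 'Any' = at least one of the scopes, 'All' = every listed scope.
$requirements = [ordered]@{
    'Get-Users'           = @{ Mode = 'Any'; Scopes = 'User.Read.All', 'Directory.AccessAsUser.All', 'Directory.Read.All' }
    'Get-AdminUsers'      = @{ Mode = 'Any'; Scopes = 'User.Read.All', 'Directory.AccessAsUser.All', 'Directory.Read.All' }
    'Get-MFA'             = @{ Mode = 'All'; Scopes = 'User.Read.All', 'UserAuthenticationMethod.Read.All' }
    'Get-RiskyUsers'      = @{ Mode = 'All'; Scopes = 'IdentityRiskyUser.Read.All' }
    'Get-RiskyDetections' = @{ Mode = 'All'; Scopes = 'IdentityRiskEvent.Read.All' }
}

# Hypothetical helper: compares the scopes held by the session with one requirement.
function Test-ScopeRequirement {
    param(
        [string[]]$Granted,
        [string[]]$Required,
        [ValidateSet('Any', 'All')][string]$Mode
    )
    # -contains is case-insensitive, which matches how scope names are compared here.
    $held = @($Required | Where-Object { $Granted -contains $_ })
    if ($Mode -eq 'All') { return $held.Count -eq $Required.Count }
    return $held.Count -gt 0
}

# Get-MgContext returns nothing when there is no active Graph session.
$context = Get-MgContext
if (-not $context) {
    throw 'No Microsoft Graph session found. Run Connect-MgGraph first.'
}

# Hypothetical case directory; all five functions accept -OutputDir.
$outputDir = 'C:\Cases\Case-0001\UserInfo'
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

foreach ($name in $requirements.Keys) {
    $req = $requirements[$name]
    if (Test-ScopeRequirement -Granted $context.Scopes -Required $req.Scopes -Mode $req.Mode) {
        Write-Host "Running $name"
        & $name -OutputDir $outputDir
    }
    else {
        Write-Warning "$name skipped, session does not hold the required scopes ($($req.Mode)): $($req.Scopes -join ', ')"
    }
}
```

Skipped functions are reported as warnings, which gives a record of which parts of the user-information collection were not acquired for the case.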