diff --git a/Sync-Groups/Activate-Mfa.ps1 b/Sync-Groups/Activate-Mfa.ps1
new file mode 100644
index 0000000..d5bfbdc
--- /dev/null
+++ b/Sync-Groups/Activate-Mfa.ps1
@@ -0,0 +1,62 @@
+param(
+    [string]$DIR = (Get-Location)
+)
+
+if ($DIR -match '.+?\\$') {
+    $DIR = $DIR.Substring(0, $DIR.Length-1)
+}
+
+if (Test-Path -Path "$DIR\password.txt") {
+    $username = "sync-admin@bdsu-connect.de"
+
+    $secPasswordText = Get-Content "$DIR\password.txt"
+    $secPassword = $secPasswordText | ConvertTo-SecureString
+
+    $credentials = New-Object System.Management.Automation.PSCredential ($username, $secPassword)
+}
+
+if (!$credentials) {
+    $credentials = Get-Credential
+}
+
+
+Connect-MsolService -Credential $credentials | Out-Null
+
+Connect-AzureAD -Credential $credentials | Out-Null
+
+# remove existing Exchange Remote Sessions if any
+Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession
+
+$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection
+Import-PSSession $session
+if (!$?) {
+    throw "Failed to import Exchange Remote Session"
+}
+
+# Groups which require a mfa authentication
+$mfaGroups = @{
+
+    "Group name" = "Distribution Group Object-Id"
+
+}
+
+$mfaGroups.GetEnumerator() | ForEach-Object{
+    $groupId = $_.Value
+    $groupMember = Get-DistributionGroupMember -Identity $groupId
+
+
+    # Activate mfa for groups
+    foreach ($distUser in $groupMember) {
+
+        $adUser = Get-AzureADUser -ObjectId $distUser.ExternalDirectoryObjectId
+
+        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
+        $st.RelyingParty = "*"
+        $st.State = "Enabled"
+        $sta = @($st)
+        Set-MsolUser -UserPrincipalName $adUser.UserPrincipalName -StrongAuthenticationRequirements $sta
+        Write-Host $adUser.displayname " 2 FA enabled"
+
+    }
+
+}
\ No newline at end of file
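Review bot: The new script still opens Exchange through the legacy Basic-auth remote session (`New-PSSession ... -Authentication Basic -AllowRedirection` followed by `Import-PSSession`) that this very commit removes from Sync-Groups-Admins.ps1 and Sync-Groups.ps1, so it keeps a password-over-Basic-auth path alive and will stop working when that endpoint is retired; replace the session block with `Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null` here as well and drop the `Get-PSSession` cleanup. Inside the `ForEach-Object` body neither lookup checks for failure: a wrong group id makes `Get-DistributionGroupMember` return nothing and the loop silently does no work, and a failed `Get-AzureADUser` leaves `$adUser` null so `Set-MsolUser` is called with an empty `-UserPrincipalName`; adding `-ErrorAction Stop` to both cmdlets, or guarding the loop body with `if (-not $adUser) { continue }`, makes a partial MFA rollout visible instead of silent. `$mfaGroups` is committed with the literal placeholder pair `"Group name" = "Distribution Group Object-Id"`, which would be passed straight to `Get-DistributionGroupMember` if the script is run unmodified; a comment above the table such as `# TODO: replace the placeholder entry with real "group name" = "object id" pairs before running` would make that explicit. Note also that `-RelyingParty "*"` and `State = "Enabled"` enforce per-user MFA via the MSOnline module, which the Readme in this commit already flags as deprecated, so the script's header should say it is a stopgap.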
diff --git a/Sync-Groups/Readme.md b/Sync-Groups/Readme.md
index 36e3f71..251248d 100644
--- a/Sync-Groups/Readme.md
+++ b/Sync-Groups/Readme.md
@@ -12,14 +12,19 @@ ermöglicht das automatische Sicherstellen, dass in bestimmten (Teams-)Gruppen
 ausschließlich interne Accounts zugelassen sind. Dadurch werden unsere internen
 IT-Policies technisch erzwungen.
 
-## Zusätzliche Abhängigkeit
-Um dieses Skript ausführen zu können, muss erst eine weitere Abhängigkeit
-durch einen entsprechenden PowerShell-Befehl installiert werden.
+## Zusätzliche Abhängigkeiten
+Um diesee Skripte ausführen zu können, müssen erst weitere Abhängigkeiten
+durch einen entsprechende PowerShell-Befehle installiert werden.
 
 ### [Microsoft Teams Module](https://docs.microsoft.com/de-de/microsoftteams/teams-powershell-overview)
 ```pwsh
 Install-Module MicrosoftTeams
 ```
+### [Microsoft MSOnline Module](https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview?view=azureadps-1.0&preserve_view=true)
+```pwsh
+Install-Module MSOnline
+```
+**Achtung**: Microsoft empfiehlt selbst, das Modul nicht mehr zu benutzen, allerdings wurde bis heute keine Alternative vorstellt, mit welchem anderen Modul die MFA aktiviert werden kann. Sobald es eine Alternative gibt, wird das Skript angepasst.
 
 ## Konfiguration
 Das Skript wird über zwei Variablen am Anfang konfiguriert:
diff --git a/Sync-Groups/Sync-Groups-Admins.ps1 b/Sync-Groups/Sync-Groups-Admins.ps1
index 47475dd..994cc4c 100644
--- a/Sync-Groups/Sync-Groups-Admins.ps1
+++ b/Sync-Groups/Sync-Groups-Admins.ps1
@@ -20,16 +20,7 @@ if (!$credentials) {
 }
 
 Connect-AzureAD -Credential $credentials | Out-Null
-
-# remove existing Exchange Remote Sessions if any
-Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession
-
-$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection
-Import-PSSession $session
-if (!$?) {
-    throw "Failed to import Exchange Remote Session"
-}
-
+Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null
 
 
 # Alle Gruppen initalisieren
diff --git a/Sync-Groups/Sync-Groups.ps1 b/Sync-Groups/Sync-Groups.ps1
index e829b64..354e2af 100644
--- a/Sync-Groups/Sync-Groups.ps1
+++ b/Sync-Groups/Sync-Groups.ps1
@@ -61,15 +61,7 @@ if (!$credentials) {
 }
 Connect-AzureAD -Credential $credentials | Out-Null
 Connect-MicrosoftTeams -Credential $credentials |Out-Null
-
-# remove existing Exchange Remote Sessions if any
-Get-PSSession | Where-Object {$_.ComputerName -eq "outlook.office365.com"} | Remove-PSSession
-
-$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credentials -Authentication Basic -AllowRedirection
-Import-PSSession $session
-if (!$?) {
-    throw "Failed to import Exchange Remote Session"
-}
+Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null
 
 <##
 # a null-safe wrapper around Compare-Object
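Review bot: The added `Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false | Out-Null` drops the explicit failure check that the removed `Import-PSSession` / `if (!$?) { throw ... }` block provided, so unless the module raises a terminating error on its own a failed sign-in lets the script continue into the Exchange cmdlets without a session; `Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false -ErrorAction Stop | Out-Null` restores the fail-fast behaviour. The identical hunk in Sync-Groups.ps1 further down this line has the same gap. `Connect-ExchangeOnline` comes from the ExchangeOnlineManagement module, which the dependency list updated in the Readme hunk above does not mention next to MicrosoftTeams and MSOnline; an `Install-Module ExchangeOnlineManagement` entry would keep the docs consistent with the code. Since these scripts run with a stored password for an unattended account, certificate-based app-only sign-in (`-AppId`, `-CertificateThumbprint`, `-Organization`) would remove the password dependency for this connection, and a `Disconnect-ExchangeOnline -Confirm:$false` at the end of each script would avoid leaving the session open — I cannot see from this hunk whether one already exists.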