Featured image of post Monitoring with PowerShell Chapter 3: Monitoring Modern Authentication
Automation Office365 Series: PowerShell Monitoring

Monitoring with PowerShell Chapter 3: Monitoring Modern Authentication

Modern Authentication is turned on by default for new tenants, but if you have legacy tenants or take over tenants from others MSP’s than sometimes you might have tenants that do not use Modern Authentication yet.

Monitoring and auto remediation is key in this when using Multi factor Authentication. We want the best user experience, so we must have it enabled to make sure users get a nice looking pop-up in outlook. also we want to avoid using App Passwords.

PowerShell Monitoring script:

This script only monitors the Modern Auth status, and does not auto-remediate.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

$creds = get-credential
Connect-MsolService -Credential $creds
$clients = Get-MsolPartnerContract -All

foreach ($client in $clients) {
 $ClientDomain = Get-MsolDomain -TenantId $client.TenantId | Where-Object {$_.IsInitial -eq $true}
 Write-host "Logging into portal for $($client.Name)"
 $DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $ClientDomain.Name
 $ExchangeOnlineSession = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
 Import-PSSession -Session $ExchangeOnlineSession -AllowClobber -DisableNameChecking

 $Oauth = Get-OrganizationConfig

 if($Oauth.OAuth2ClientProfileEnabled -eq $false){ $ModernAuthState += "$($ClientDomain.name) has modern auth disabled"}

 Remove-PSSession $ExchangeOnlineSession
}

if(!$ModernAuthState){ $ModernAuthState = "Healthy"}
PowerShell auto-remediation script
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

$creds = get-credential
Connect-MsolService -Credential $creds
$clients = Get-MsolPartnerContract -All

foreach ($client in $clients) {
 $ClientDomain = Get-MsolDomain -TenantId $client.TenantId | Where-Object {$_.IsInitial -eq $true}
 Write-host "Logging into portal for $($client.Name)"
 $DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $ClientDomain.Name
 $ExchangeOnlineSession = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
 Import-PSSession -Session $ExchangeOnlineSession -AllowClobber -DisableNameChecking

 $Oauth = Get-OrganizationConfig

 if($Oauth.OAuth2ClientProfileEnabled -eq $false){ Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }

 Remove-PSSession $ExchangeOnlineSession
}

And that’s it! Hope it helps and as always, Happy PowerShelling.

All blogs are posted under AGPL3.0 unless stated otherwise
comments powered by Disqus
© 2012 - 2023 CyberDrain - Kelvin Tegelaar
Built with Hugo
Theme Stack designed by Jimmy