

Azure Runbook - Dynamic Group - MFA State

This script is designed for an Azure Runbook to assign users to two Azure AD groups based on their MFA capability (capable / non-capable).
Before running the runbook, you need to set up an automation account with a managed identity.

The managed identity requires the following Graph Permissions:
  - User.Read.All
  - Group.ReadWrite.All
  - UserAuthenticationMethod.Read.All
  - Mail.Send

The script requires the following modules:
  - Microsoft.Graph.Authentication
  - Microsoft.Graph.Groups
  - Microsoft.Graph.Identity.SignIns
  - Microsoft.Graph.Users
  - Microsoft.Graph.Users.Actions

There are a few parameters which must be set for a job run:
  - $groupid_capable -> The Object-ID of an Entra ID (Azure AD) group to which MFA-capable users are assigned
  - $groupid_noncapable -> The Object-ID of an Entra ID (Azure AD) group to which MFA NON-capable users are assigned
  - $mailMode -> Controls the mail behavior. Enter one of the following modes, without surrounding quotation marks:
      'always' - sends a mail on every run
      'changes' - sends a mail only if there were any changes
      'disabled' - never sends a mail
  - $mailSender -> The mail alias from which the mail will be sent (can be a user account or a shared mailbox)
  - $mailRecipients -> The recipient(s) of the mail (internal or external). To specify more than one recipient, separate the addresses with the character ;
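As an added illustration (not the published script's code), a minimal runbook body that uses the parameters, Graph permissions and mail modes listed above. The rule for "MFA capable" (which registered authentication methods count) is an assumption made here, since the page does not state how the script itself decides; cmdlet names are from the Microsoft.Graph modules named above.

```powershell
param(
    [Parameter(Mandatory)] [string] $groupid_capable,
    [Parameter(Mandatory)] [string] $groupid_noncapable,
    [ValidateSet('always', 'changes', 'disabled')] [string] $mailMode = 'changes',
    [string] $mailSender,
    [string] $mailRecipients
)
Connect-MgGraph -Identity -NoWelcome   # sign in as the Automation account's managed identity
# Assumption: a user counts as MFA capable when at least one registered method other than
# password, email (SSPR only) or Temporary Access Pass is present.
$mfaTypes = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
              '#microsoft.graph.phoneAuthenticationMethod',
              '#microsoft.graph.fido2AuthenticationMethod',
              '#microsoft.graph.softwareOathAuthenticationMethod',
              '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$capable = @{}; $noncapable = @{}
foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $isCapable = [bool]($methods | Where-Object { $mfaTypes -contains $_.AdditionalProperties['@odata.type'] })
    if ($isCapable) { $capable[$u.Id] = $u.UserPrincipalName } else { $noncapable[$u.Id] = $u.UserPrincipalName }
}
# Reconcile one group against the desired member set; returns one log line per change.
function Sync-GroupMembers([string] $GroupId, [hashtable] $Desired, [string] $Label) {
    $current = @{}; $log = @()
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $current[$_.Id] = $true }
    foreach ($id in $Desired.Keys) {
        if (-not $current.ContainsKey($id)) {
            New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $id
            $log += "ADD    $Label  $($Desired[$id])"
        }
    }
    foreach ($id in $current.Keys) {
        if (-not $Desired.ContainsKey($id)) {      # member no longer belongs here, e.g. MFA state changed
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $id
            $log += "REMOVE $Label  $id"
        }
    }
    return $log
}
$changes = @(Sync-GroupMembers $groupid_capable $capable 'capable') +
           @(Sync-GroupMembers $groupid_noncapable $noncapable 'non-capable')
# Mail report according to $mailMode; recipients are separated by ';' as described above.
if ($mailMode -eq 'always' -or ($mailMode -eq 'changes' -and $changes.Count -gt 0)) {
    $to = $mailRecipients -split ';' | ForEach-Object { @{ EmailAddress = @{ Address = $_.Trim() } } }
    $body = "Capable: $($capable.Count)`nNon-capable: $($noncapable.Count)`n`n" + ($changes -join "`n")
    Send-MgUserMail -UserId $mailSender -BodyParameter @{
        Message = @{ Subject = 'MFA group sync'; Body = @{ ContentType = 'Text'; Content = $body }; ToRecipients = @($to) }
    }
}
```

Because the identity holds Group.ReadWrite.All, keep the two target groups out of any role-assignable or privileged scope and review the runbook's change log; the Remove branch is what turns the groups into a live signal for Conditional Access.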


Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Script -Name runbook-dynamicgroup-mfa

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.



2023 Dominik Gilgen. All rights reserved.

Package Details

  • Dominik Gilgen

AzureAD EntraID MFA ConditionalAccess DynamicGroup Runbook

This script has no dependencies.

Release Notes

This script now supports email reporting, which requires the permission 'Mail.Send' and the Graph module Microsoft.Graph.Users.Actions.
Input is now supplied through parameters instead of variables.


Version History

Version                Downloads  Last updated
0.4 (current version)  515        10/12/2023
0.3                    7          9/25/2023