All Users MFA Capable

💼 Management Summary

This security control checks that every user in the tenant has registered at least one MFA authentication method. A registered second factor is the precondition for enforcing MFA: without it, enforcement either locks the user out or leaves the registration to whoever signs in next with the password, legitimate user or attacker.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk score: 7/10
Implementation effort: 2h (technical: 1h)
Applies to: Microsoft 365 (Microsoft Entra ID)

This control is part of the Microsoft 365 security baseline. It does not push a configuration setting of its own: it measures registration coverage through Microsoft Graph and drives the remaining users to register through a registration campaign and Conditional Access.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph (the script uses Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns)
Required permissions: User.Read.All, UserAuthenticationMethod.Read.All

Implementation

This control verifies that all users are MFA capable by reading each user's registered authentication methods through Microsoft Graph. No Intune or device configuration policy is involved: registration is a per-user action in Microsoft Entra ID, so implementation consists of measuring coverage and then driving the users who lack a method to register one.

Requirements

m365

Implementation

Use PowerShell script all-users-mfa-capable.ps1 (function Invoke-Monitoring) – Monitor: establish the current registration coverage before MFA is enforced.

Monitoring

Use PowerShell script all-users-mfa-capable.ps1 (function Invoke-Monitoring) – Check: exit code 0 means 95% or more of member users have a registered MFA method, 1 means the target is not met, 2 means the check itself failed.

Remediation

Use PowerShell script all-users-mfa-capable.ps1 (function Invoke-Remediation) – Remediate: the function prints the registration campaign, Conditional Access and user-communication options. Registration itself is a user action and cannot be performed by the script.
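The baseline script walks every user's authentication methods one Graph call at a time. As an added example that is not part of the baseline or its script, the check below reads the Entra ID authentication-methods registration report instead. That report exposes Microsoft's own IsMfaCapable flag in a single paged call, and it separates users who have registered a method from users whose registered method is actually usable for MFA (a user with only an email address for SSPR, only a Temporary Access Pass, or only a method the authentication methods policy has disabled is registered but not capable). It assumes the Microsoft.Graph.Reports module is installed and that the signed-in account holds AuditLog.Read.All and UserAuthenticationMethod.Read.All; the output file name users-not-mfa-capable.csv is an arbitrary choice.

```powershell
# Added example: MFA-capability check via the Entra ID registration report.
# Assumptions: Microsoft.Graph.Reports installed; signed-in account has
# AuditLog.Read.All and UserAuthenticationMethod.Read.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# One paged call for the whole tenant instead of one call per user.
# Guests are excluded: they authenticate against their home tenant.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq 'member' })

if ($details.Count -eq 0) {
    Write-Host '[FAIL] Report returned no member users; check permissions.' -ForegroundColor Red
    exit 2
}

$capable    = @($details | Where-Object { $_.IsMfaCapable })
$notCapable = @($details | Where-Object { -not $_.IsMfaCapable })

# Registered but not capable: the registered method is not allowed by the
# authentication methods policy, so the user would still be stuck at enforcement.
$registeredNotCapable = @($notCapable | Where-Object { $_.IsMfaRegistered })

# Something registered (e.g. email for SSPR, a Temporary Access Pass) that is
# not a strong second factor. A naive method count would miss these users.
$weakMethodOnly = @($notCapable | Where-Object {
    -not $_.IsMfaRegistered -and $_.MethodsRegistered.Count -gt 0 })

# Administrators without a second factor are the first to fix.
$adminsNotCapable = @($notCapable | Where-Object { $_.IsAdmin })

$pct = [math]::Round(($capable.Count / $details.Count) * 100, 1)

Write-Host "MFA capable:                         $($capable.Count) / $($details.Count) ($pct%)"
Write-Host "Registered, but method not allowed:  $($registeredNotCapable.Count)"
Write-Host "Only email / TAP registered:         $($weakMethodOnly.Count)"
Write-Host "Admins not MFA capable:              $($adminsNotCapable.Count)" -ForegroundColor $(
    if ($adminsNotCapable.Count -eq 0) { 'Green' } else { 'Red' })

# Export the remediation list for the registration campaign / user communication.
$notCapable |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, DefaultMfaMethod,
        @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ',' } },
        LastUpdatedDateTime |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path .\users-not-mfa-capable.csv -NoTypeInformation

# Same pass/fail threshold and exit codes as the baseline script.
if ($pct -ge 95) { exit 0 } else { exit 1 }
```

The report is refreshed by Microsoft rather than computed live, so LastUpdatedDateTime tells you how stale a row is; for a user who registered a method minutes ago, the per-user check in the baseline script is the authoritative answer.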

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor this security control and to guide its implementation. The script contains functions for monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    All Users MFA Capable
.DESCRIPTION
    Ensures all users have registered for MFA (have MFA authentication methods configured).
    Users should have at least one MFA method registered before MFA is enforced.
.NOTES
    Filename: all-users-mfa-capable.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\all-users-mfa-capable.ps1 -Monitoring
    Check how many users have MFA methods registered
.EXAMPLE
    .\all-users-mfa-capable.ps1 -Remediation
    Show guidance for raising MFA registration
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [switch]$Revert,
    # Accepted for interface consistency with the other baseline scripts;
    # this control changes nothing in the tenant, so there is nothing to simulate.
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# Registered method types that do NOT count as an MFA factor: the password itself,
# email (usable for self-service password reset only) and a Temporary Access Pass
# (a short-lived bootstrap credential, not a durable second factor).
$script:NonMfaMethodTypes = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "All Users MFA Capable" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks MFA registration status for all member users
    #>
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "User.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Getting all users..." -ForegroundColor Gray
        # Guests are excluded: they authenticate against their home tenant.
        $users = @(Get-MgUser -All -Property Id, UserPrincipalName, UserType -ErrorAction Stop |
            Where-Object { $_.UserType -eq 'Member' })

        if ($users.Count -eq 0) {
            Write-Host "[FAIL] No member users returned; check permissions and tenant." -ForegroundColor Red
            exit 2
        }

        Write-Host "Checking MFA registration for $($users.Count) users..." -ForegroundColor Cyan
        Write-Host "(This may take a while for large tenants)`n" -ForegroundColor Yellow

        $result = @{
            totalUsers     = $users.Count
            mfaCapable     = 0
            notCapable     = 0
            unknown        = 0
            notCapableList = [System.Collections.Generic.List[string]]::new()
        }

        $processed = 0
        foreach ($user in $users) {
            $processed++
            if ($processed % 100 -eq 0) {
                Write-Host "  Processed $processed / $($users.Count) users..." -ForegroundColor Gray
            }
            try {
                $authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop
                # The SDK returns polymorphic authenticationMethod objects; the concrete
                # type lives in AdditionalProperties['@odata.type'], not on a top-level
                # property. A user is MFA capable when at least one registered method
                # is a real second factor.
                $mfaMethods = @($authMethods | Where-Object {
                    $script:NonMfaMethodTypes -notcontains $_.AdditionalProperties['@odata.type'] })

                if ($mfaMethods.Count -gt 0) {
                    $result.mfaCapable++
                } else {
                    $result.notCapable++
                    $result.notCapableList.Add($user.UserPrincipalName)
                }
            } catch {
                # Count users whose methods could not be read instead of silently skipping them
                $result.unknown++
                Write-Verbose "Could not read authentication methods for $($user.UserPrincipalName): $_"
            }
        }

        $percentageCapable = [math]::Round(($result.mfaCapable / $result.totalUsers) * 100, 1)

        Write-Host "`n Results:" -ForegroundColor Cyan
        Write-Host "  Total users:     $($result.totalUsers)" -ForegroundColor White
        Write-Host "  MFA Capable:     $($result.mfaCapable) ($percentageCapable%)" -ForegroundColor $(
            if ($percentageCapable -ge 95) { "Green" } elseif ($percentageCapable -ge 80) { "Yellow" } else { "Red" })
        Write-Host "  NOT MFA Capable: $($result.notCapable)" -ForegroundColor $(
            if ($result.notCapable -eq 0) { "Green" } else { "Red" })
        if ($result.unknown -gt 0) {
            Write-Host "  Could not check: $($result.unknown) (run with -Verbose for details)" -ForegroundColor Yellow
        }

        if ($result.notCapable -gt 0 -and $result.notCapable -le 20) {
            Write-Host "`n Users without MFA methods:" -ForegroundColor Yellow
            $result.notCapableList | ForEach-Object { Write-Host "  - $_" -ForegroundColor Gray }
        }

        if ($percentageCapable -ge 95) {
            Write-Host "`n[OK] COMPLIANT - 95%+ users MFA capable" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n⚠️ TARGET NOT MET - Aim for 95%+ MFA registration" -ForegroundColor Yellow
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Guidance for an MFA registration campaign
    #>
    try {
        Write-Host "⚠️ MFA registration requires user action" -ForegroundColor Yellow
        Write-Host "`nOptions to increase MFA registration:" -ForegroundColor Cyan

        Write-Host "`n1. Enable MFA Registration Campaign:" -ForegroundColor Green
        Write-Host "   Microsoft Entra admin center > Protection" -ForegroundColor Gray
        Write-Host "   > Authentication methods > Registration campaign" -ForegroundColor Gray
        Write-Host "   • Prompt users to set up Microsoft Authenticator" -ForegroundColor Gray
        Write-Host "   • Can be enforced or skippable" -ForegroundColor Gray

        Write-Host "`n2. Use Conditional Access:" -ForegroundColor Green
        Write-Host "   Create CA policy requiring MFA (start in report-only mode)" -ForegroundColor Gray
        Write-Host "   Users will be forced to register when they sign in" -ForegroundColor Gray

        Write-Host "`n3. Combined Registration:" -ForegroundColor Green
        Write-Host "   Microsoft Entra admin center > Protection > Authentication methods" -ForegroundColor Gray
        Write-Host "   Enable combined MFA and SSPR registration" -ForegroundColor Gray

        Write-Host "`n4. User Communication:" -ForegroundColor Green
        Write-Host "   • Send email instructing users to visit:" -ForegroundColor Gray
        Write-Host "     https://aka.ms/mfasetup" -ForegroundColor Cyan
        Write-Host "   • Or: https://mysignins.microsoft.com/security-info" -ForegroundColor Cyan

        Write-Host "`n📝 Best Practice:" -ForegroundColor Cyan
        Write-Host "   Combine registration campaign + CA policy for 100% coverage" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    <#
    .SYNOPSIS
        Revert is not applicable: this control only reads registration state
    #>
    Write-Host "`nNothing to revert: this control changes no tenant configuration." -ForegroundColor Cyan
    Write-Host "Registration campaigns or Conditional Access policies created during remediation" -ForegroundColor Gray
    Write-Host "must be reverted where they were created." -ForegroundColor Gray
    exit 0
}

try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host "  -Monitoring   Check MFA registration status" -ForegroundColor Gray
        Write-Host "  -Remediation  Show guidance for MFA registration" -ForegroundColor Gray
        Write-Host "  -Revert       Explain why there is nothing to revert" -ForegroundColor Gray
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
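Invoke-Remediation above only prints guidance. As an added example that is not part of the baseline script, the snippet below performs remediation options 1 and 2 through Microsoft Graph: it enables the Microsoft Authenticator registration campaign for all users and creates a Conditional Access policy that requires MFA for all users on all apps, in report-only mode so the sign-in log shows who would be affected before the policy is switched to enabled. It assumes Microsoft.Graph.Identity.SignIns is installed, that the signed-in account holds Policy.ReadWrite.AuthenticationMethod and Policy.ReadWrite.ConditionalAccess, and that $BreakGlassGroupId (a parameter introduced here, not in the baseline) is the object ID of the emergency-access group that must stay excluded from both the campaign and the policy. The policy display name is an arbitrary choice.

```powershell
# Added example: remediation options 1 and 2 via Microsoft Graph.
# Assumptions: Microsoft.Graph.Identity.SignIns installed; signed-in account holds
# Policy.ReadWrite.AuthenticationMethod and Policy.ReadWrite.ConditionalAccess;
# -BreakGlassGroupId is the object ID of your emergency-access group (placeholder).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$BreakGlassGroupId
)

$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# 1. Registration campaign: nudge every user to register Microsoft Authenticator at
#    sign-in. Users may snooze the prompt (one day per snooze); after the allowed
#    snoozes are used up, registration is enforced. The break-glass group is excluded
#    so emergency accounts are never blocked behind a registration interrupt.
$campaign = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                                  = 'enabled'
            snoozeDurationInDays                   = 1
            enforceRegistrationAfterAllowedSnoozes = $true
            includeTargets = @(
                @{ targetType = 'group'; id = 'all_users'; targetedAuthenticationMethod = 'microsoftAuthenticator' }
            )
            excludeTargets = @(
                @{ targetType = 'group'; id = $BreakGlassGroupId }
            )
        }
    }
}
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $campaign

# 2. Conditional Access: require MFA for all users on all cloud apps. Created in
#    report-only mode: nothing is enforced yet, but every sign-in is evaluated and
#    logged, which yields the list of users who would be blocked.
$policy = @{
    displayName = 'BASELINE - Require MFA for all users (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify both changes landed before reporting success.
$amp = Get-MgPolicyAuthenticationMethodPolicy
$campaignState = $amp.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.State
if ($campaignState -ne 'enabled') { throw "Registration campaign state is '$campaignState', expected 'enabled'" }
if ($created.State -ne 'enabledForReportingButNotEnforced') { throw "CA policy state is '$($created.State)'" }

Write-Host "Registration campaign: $campaignState" -ForegroundColor Green
Write-Host "CA policy $($created.Id) created in state $($created.State)" -ForegroundColor Green
```

Run the baseline script's -Monitoring check again after the campaign has had time to work, review the report-only results in the sign-in log, and only then move the policy to enforcement with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }. Keep the break-glass exclusion in place when you do.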

Risk without implementation

High: users without a registered MFA method remain protected by their password alone. MFA cannot be enforced for them without locking them out, and as long as registration is still open, the first party to sign in with the password, whether the legitimate user or an attacker, decides which second factor gets registered.