Modern Authentication is turned on by default for new tenants, but if you have legacy tenants or take over tenants from others MSP’s than sometimes you might have tenants that do not use Modern Authentication yet.
Monitoring and auto remediation is key in this when using Multi factor Authentication. We want the best user experience, so we must have it enabled to make sure users get a nice looking pop-up in outlook. also we want to avoid using App Passwords.
PowerShell Monitoring script:
This script only monitors the Modern Auth status, and does not auto-remediate.
$creds = get-credential
Connect-MsolService -Credential $creds
$clients = Get-MsolPartnerContract -All
foreach ($client in $clients) {
$ClientDomain = Get-MsolDomain -TenantId $client.TenantId | Where-Object {$_.IsInitial -eq $true}
Write-host "Logging into portal for $($client.Name)"
$DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $ClientDomain.Name
$ExchangeOnlineSession = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
Import-PSSession -Session $ExchangeOnlineSession -AllowClobber -DisableNameChecking
$Oauth = Get-OrganizationConfig
if($Oauth.OAuth2ClientProfileEnabled -eq $false){ $ModernAuthState += "$($ClientDomain.name) has modern auth disabled"}
Remove-PSSession $ExchangeOnlineSession
}
if(!$ModernAuthState){ $ModernAuthState = "Healthy"}
PowerShell auto-remediation script
$creds = get-credential
Connect-MsolService -Credential $creds
$clients = Get-MsolPartnerContract -All
foreach ($client in $clients) {
$ClientDomain = Get-MsolDomain -TenantId $client.TenantId | Where-Object {$_.IsInitial -eq $true}
Write-host "Logging into portal for $($client.Name)"
$DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $ClientDomain.Name
$ExchangeOnlineSession = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
Import-PSSession -Session $ExchangeOnlineSession -AllowClobber -DisableNameChecking
$Oauth = Get-OrganizationConfig
if($Oauth.OAuth2ClientProfileEnabled -eq $false){ Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }
Remove-PSSession $ExchangeOnlineSession
}
And that’s it! Hope it helps and as always, Happy PowerShelling.
Kelvin Tegelaar
I am a Microsoft Certified System Engineer working as the CTO of the Managed Services Provider Lime Networks B.V. in the Netherlands. I mostly enjoy automating business processes by deploying PowerShell solutions, but just have a large passion for Microsoft Technology in general.
If you want to contact me directly you can find me on twitter here, or via email: Kelvin {at} limenetworks.nl
If you want to contact me directly you can find me on twitter here, or via email: Kelvin {at} limenetworks.nl
Latest posts by Kelvin Tegelaar (see all)
- Documenting with PowerShell: Increasing the Office365 Secure Score. - January 27, 2020
- Documenting with PowerShell: Downloading and storing the Office 365 Audit logs (With search!) - January 24, 2020
- Monitoring with PowerShell: Monitoring users that are blocked for login - January 20, 2020