Get-AdminInfo.ps1

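function Get-AdminInfo
{
  <#
    .SYNOPSIS
    Gets information on the administrative users on your tenant, to make sure you comply with Microsoft best practices.
    .DESCRIPTION
    Looks up the 'Company Administrator' (global admin) role through the MSOnline
    cmdlets, counts its members and writes a finding to the output stream:
      - no members returned : the check could not be confirmed (never reported as compliant)
      - exactly 1           : too few, at least 2 are advised
      - more than 5         : too many
      - 2 to 5              : compliant
    The MFA and non-global-admin checks are not automated; the function only
    writes reminders to perform them in the portal.
    .EXAMPLE
    Get-AdminInfo
    .NOTES
    The MSOnline module is deprecated by Microsoft; plan a migration of these
    lookups to Microsoft Graph PowerShell.
    #>

  # This only tests whether the module is loaded, not whether a session is
  # authenticated. open-msolconnection is not defined in this file; presumably
  # a connection helper defined elsewhere -- confirm it is available.
  if (!(Get-Module msonline)) { open-msolconnection }

  #region Get data
  $AdminRole = Get-MsolRole | Where-Object { $_.Name -like 'Company Administrator' }

  if ($AdminRole) {
    # @() keeps .Count reliable when zero or exactly one member is returned.
    $GlobalAdmins = @(Get-MsolRoleMember -RoleObjectId $AdminRole.ObjectId)
  }
  else {
    # Role lookup failed: do not call Get-MsolRoleMember with a null id.
    $GlobalAdmins = @()
  }
  $GACount = $GlobalAdmins.Count
  # NOTE(review): every returned member is counted; confirm whether non-user
  # members (if any are returned) should count towards the limit.
  #endregion

  #region Get number of GA's
  if ($GACount -eq 0) {
    # Fail closed: an empty result usually means a failed lookup or missing
    # permissions, and must not be reported as compliant.
    Write-Output 'No global admin accounts were returned. Verify the connection and your permissions before relying on this check.'
  }
  elseif ($GACount -eq 1) {
    Write-Output 'Only one global admin present. As best practice, you should use at least 2 global admin accounts.'
  }
  elseif ($GACount -gt 5) {
    Write-Output "There are $GACount global admin accounts. As best practice, you should not have more than 5 global admin accounts."
  }
  else {
    Write-Output "There are $GACount global admin accounts. This complies with best practices."
  }
  #endregion

  #region Check MFA
  Write-Output "You should check the MFA status of all global admins using the Office 365-portal. This check will be included in this script in the near future."
  #endregion

  #region Non-global Admins
  Write-Output "You should use the portal to check if non-global admin roles are used. As best practice, you should use these roles to minimize risks."
  Write-Output "You should check if the users holding non-global admin roles should still be having these priviliges."
  Write-Output "These checks will be included in this script in the near future."
  #endregion
}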