Private/Entra/Core/Get-EntraAuthMethodsData.ps1

# PSGuerrilla - Jim Tyler, Microsoft MVP - CC BY 4.0
# https://github.com/jimrtyler/PSGuerrilla | https://creativecommons.org/licenses/by/4.0/
# AI/LLM use: see AI-USAGE.md for required attribution
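function Get-EntraAuthMethodsData {
    <#
    .SYNOPSIS
        Collects authentication-method and related policy data through Invoke-GraphApi.

    .DESCRIPTION
        Issues five independent read requests (authentication methods policy, method
        configurations, user registration details, authorization policy, directory
        settings) and returns the results in one hashtable.

        Collection is best-effort: each request runs in its own try/catch, and a failure
        is recorded in the Errors table under the name of the field it would have
        filled. A failed request leaves that field at its initial value ($null or an
        empty array), so consumers must check Errors before treating an empty field as
        "nothing configured" or "no users".

        PasswordResetPolicy is initialised to $null and is not populated by this
        function.

    .PARAMETER AccessToken
        Token handed unchanged to Invoke-GraphApi on every request. This function does
        not write it to any output; treat it as a secret in the caller as well.

    .PARAMETER Quiet
        Suppresses the Write-ProgressLine status lines and is forwarded to the paginated
        Invoke-GraphApi calls.

    .OUTPUTS
        Hashtable with the keys AuthMethodsPolicy, MethodConfigurations,
        UserRegistrationDetails, PasswordResetPolicy, AuthorizationPolicy,
        DirectorySettings and Errors.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$AccessToken,

        [switch]$Quiet
    )

    $data = @{
        AuthMethodsPolicy     = $null
        MethodConfigurations   = @()
        UserRegistrationDetails = @()
        # NOTE(review): never assigned below; $null here means "not collected",
        # not "no password reset policy".
        PasswordResetPolicy    = $null
        AuthorizationPolicy    = $null
        DirectorySettings      = @()
        # Field name -> exception message for every request that failed.
        # NOTE(review): messages are stored verbatim; review them before exporting
        # the result outside the assessment team.
        Errors                 = @{}
    }

    # ── Authentication Methods Policy ─────────────────────────────────────
    if (-not $Quiet) {
        Write-ProgressLine -Phase INFILTRATE -Message 'Collecting authentication methods policy'
    }
    try {
        $data.AuthMethodsPolicy = Invoke-GraphApi -AccessToken $AccessToken `
            -Uri '/policies/authenticationMethodsPolicy'
    } catch {
        $data.Errors['AuthMethodsPolicy'] = $_.Exception.Message
    }

    # ── Authentication Method Configurations ──────────────────────────────
    # @( ) keeps the field an array even when a single item comes back.
    try {
        $data.MethodConfigurations = @(Invoke-GraphApi -AccessToken $AccessToken `
            -Uri '/policies/authenticationMethodsPolicy/authenticationMethodConfigurations' `
            -Paginate -Quiet:$Quiet)
    } catch {
        $data.Errors['MethodConfigurations'] = $_.Exception.Message
    }

    # ── User Registration Details (MFA status) ────────────────────────────
    if (-not $Quiet) {
        Write-ProgressLine -Phase INFILTRATE -Message 'Collecting MFA registration details'
    }
    try {
        $data.UserRegistrationDetails = @(Invoke-GraphApi -AccessToken $AccessToken `
            -Uri '/reports/authenticationMethods/userRegistrationDetails' `
            -Paginate -Quiet:$Quiet)
    } catch {
        $data.Errors['UserRegistrationDetails'] = $_.Exception.Message
    }

    # ── Authorization Policy (SSPR, user settings) ────────────────────────
    if (-not $Quiet) {
        Write-ProgressLine -Phase INFILTRATE -Message 'Collecting authorization policy'
    }
    try {
        $data.AuthorizationPolicy = Invoke-GraphApi -AccessToken $AccessToken `
            -Uri '/policies/authorizationPolicy'
    } catch {
        $data.Errors['AuthorizationPolicy'] = $_.Exception.Message
    }

    # ── Directory Settings (password protection) ──────────────────────────
    try {
        $data.DirectorySettings = @(Invoke-GraphApi -AccessToken $AccessToken `
            -Uri '/settings' -Paginate -Quiet:$Quiet)
    } catch {
        $data.Errors['DirectorySettings'] = $_.Exception.Message
    }

    if (-not $Quiet) {
        if ($data.Errors.ContainsKey('UserRegistrationDetails')) {
            # The report request failed, so the list is still the empty default.
            # Printing "0 / 0 users" would read as a finding rather than a gap.
            Write-ProgressLine -Phase INFILTRATE -Message 'MFA registration details unavailable (collection failed; see Errors)'
        } else {
            $mfaCount = @($data.UserRegistrationDetails | Where-Object { $_.isMfaRegistered }).Count
            $totalUsers = $data.UserRegistrationDetails.Count
            Write-ProgressLine -Phase INFILTRATE -Message "MFA registered: $mfaCount / $totalUsers users"
        }
    }

    return $data
}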