Check MFA-Status of Users (Powershell)

Finding information about MFA on a user in Azure Active Directory can be achieved in multiple ways. Here, I will describe an easy way of finding MFA information (whether it is registered, and by which method) by using Powershell, the cmdlet Get-MsolUser and its related property StrongAuthenticationMethods.

Prerequisite:
Install the powershell Module MSOnline:
Install-Module MSOnline
Then, connect to the service in Powershell by:
Connect-MsolService

When authenticated, query all users who have MFA activated using the following code:
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Now, let’s expand the property StrongAuthenticationMethods to get more information about MFA’s state, and which MFA-method the user has configured MFA with:
Get-MsolUser -All | Where {$_.UserPrincipalName} | Select UserPrincipalName, DisplayName, @{n="Status"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType}}, @{n="Chosen Method"; e={($_.StrongAuthenticationMethods).IsDefault}} | Out-GridView

This is a useful result when working with Microsoft 365 and MFA. In the output, the allowed methods in my tenant are PhoneAppOTP and PhoneAppNotification (Microsoft Authenticator). The chosen method for this user's MFA is PhoneAppNotification. The Status field is empty because this user activated MFA via a Conditional Access Policy, and MFA is not enabled/enforced via the old MFA portal.
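
As an added example (not the author's code), the function below resolves the default method to its name instead of a list of True/False values, and flags users who have no method registered at all. The function name Get-MfaRegistrationReport and the sample users are constructed for illustration; the property names are the ones Get-MsolUser returns.

```powershell
function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Drop $null entries so a missing property counts as "no methods".
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = @($methods | Where-Object { $_.IsDefault })
        $state   = @($User.StrongAuthenticationRequirements |
                     ForEach-Object { $_.State } | Where-Object { $_ })

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            # Empty when MFA comes from Conditional Access, not per-user MFA.
            PerUserState      = if ($state.Count) { $state -join ',' } else { 'NotSet' }
            RegisteredMethods = $methods.MethodType -join ','
            DefaultMethod     = $default.MethodType -join ','
            HasRegisteredMfa  = ($methods.Count -gt 0)
        }
    }
}

# Constructed sample objects with the same property shape as Get-MsolUser output.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppOTP';          IsDefault = $false },
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
        )
    },
    [pscustomobject]@{
        UserPrincipalName                = 'bob@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @()
    }
)

# alice: PerUserState NotSet, DefaultMethod PhoneAppNotification
# bob:   PerUserState Enforced, no registered method yet
$sample | Get-MfaRegistrationReport | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-MfaRegistrationReport | Where-Object { -not $_.HasRegisteredMfa }
```

Users with HasRegisteredMfa set to False are the ones to follow up on, regardless of what the per-user Status column shows.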

MDT – Client failed TFTP Download

Client fails to download TFTP, Event 4101 (MDT, WDS, DHCP and IP-Helper)

Operating systems affected: Windows Server 2016 (Monthly CU 2019/03, KB4489889) and Windows Server 2019 (Monthly CU 2019/04, KB4493509)

Solution: uncheck the setting “Enable Variable Window Extension” on the WDS-server.
Go to Windows Deployment Services > Servers, right-click the server name and then choose Properties. The setting is found under “TFTP”.

Install the Intune Powershell Module

The Intune Powershell Module is a great addition to the current Device Management-portal when it comes to Intune management.
Note: An account with the role Global Administrator is required for the authentication and the consent of this module for your tenant.

1. Start Powershell as an administrator and install the Intune Powershell Module typing in the command: Install-Module -Name Microsoft.Graph.Intune
Confirm the install by clicking Yes to all.


2. Then we need to authenticate to the tenant of your choice.
Do this by typing in the command: Connect-MSGraph



3. Sign in with your account: enter your credentials and then press Sign in.

4. An account with the role Global administrator is required since the module needs to be delegated some rights on behalf of the organization. Check “Consent on behalf of your organization” and then press Accept.

5. When your UPN and your TenantID appear in Powershell, you’re successfully authenticated to the tenant and the module is now operational.

6. To show all the commands the module has to offer, type in:
Get-Command -Module Microsoft.Graph.Intune

7. There are plenty of commands you can utilize from this module; as of right now the total count is 914.

To count all the commands which are currently included in the module, enter:
(Get-Command -Module Microsoft.Graph.Intune).count

Autopilot Resources

Autopilot on Reddit
https://www.reddit.com/r/autopilot

Get Hardware details
https://blogs.technet.microsoft.com/mniehaus/2017/12/12/gathering-windows-autopilot-hardware-details-from-existing-machines/

Get-WindowsAutoPilotinfo
https://www.powershellgallery.com/packages/get-windowsautopilotinfo/1.3
 
Microsoft Store for Business (AutoPilot-devices)
https://businessstore.microsoft.com/en-us/manage/devices/all

AutoPilot Hybrid AzureADJoin
https://blogs.technet.microsoft.com/mniehaus/2018/11/22/trying-out-windows-utopilot-user-driven-hybrid-azure-ad-join/

Manage Intune Graph API/Intune Powershell Module rights
http://www.scconfigmgr.com/2017/08/03/create-an-azure-ad-app-registration-for-accessing-microsoft-intune-graph-api-with-powershell/

Autopilot Demo/Test
https://blogs.technet.microsoft.com/mniehaus/2018/12/20/evaluating-testing-demoing-modern-deployment-with-windows-autopilot/

Assigning Dynamic Profiles
https://blogs.technet.microsoft.com/mniehaus/2018/06/13/autopilot-profile-assignment-using-intune/

Assigning Profiles by Exception
https://blogs.technet.microsoft.com/mniehaus/2018/12/30/assigning-autopilot-profiles-by-exception/

Offline Deployment Profile
https://www.petervanderwoude.nl/post/offline-windows-autopilot-deployment-profile/

Configuring Windows 10 defaults via Windows Autopilot using an MSI
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Configuring-Windows-10-defaults-via-Windows-Autopilot-using-an/ba-p/457063

Hyper-V
Autopilot Virtual Machine
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm

New-AutoPilotVM
https://github.com/onpremcloudguy/AutoPilotENVScript


MDT
MDT Autopilot (no hardware hash)
https://osddeployment.dk/2018/11/04/how-to-deploy-a-autopilot-device-with-mdt-with-out-collection-the-hardware-hash/

Autopilot MDT
https://osddeployment.dk/2018/12/08/how-to-deploy-autopilot-device-fast-with-mdt/
CustomSettings
https://github.com/PerLarsen1975/Autopilot_MDT/blob/master/CustomSettings_Autopilot.ini

SCCM
Autopilot SCCM (Existing Devices)
https://www.imab.dk/autopilot-for-existing-devices-move-from-windows-7-to-modern-co-managed-windows-10-using-configmgr/

Speeding up Autopilot for Existing Devices
https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/