soteria-security / 365Inspect

A PowerShell script that automates the security assessment of Microsoft 365 environments.
https://soteria.io/solutions/soteria-inspect/
MIT License

Inspector - AdminUsersWithNoMFAEnforced.ps1 - Returns Error #73

Closed patrickbartley closed 1 year ago

patrickbartley commented 1 year ago

Describe the bug AdminUsersWithNoMFAEnforced.ps1 returns the following error: WARNING: Error message: Cannot bind argument to parameter 'DirectoryRoleId' because it is an empty string.

To Reproduce Steps to reproduce the behavior:

  1. Run the script
  2. View HTML results
  3. Scroll to: 1: Administrative Users with No Multi-Factor Authentication Enforced
  4. See returned value points to log files
  5. Log files contain error information

Expected behavior A list of accounts with admin roles assigned that do not have MFA enabled.


Additional context Error Log:


Error time: 08/11/2023 11:13:35
Error message: Cannot bind argument to parameter 'DirectoryRoleId' because it is an empty string.
Error exception: System.Management.Automation.ParameterBindingValidationException: Cannot bind argument to parameter 'DirectoryRoleId' because it is an empty string.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Failed script: [REDACTED]\Security\Office365\Test\365Inspect-main\inspectors\AdminUsersWithNoMFAEnforced.ps1
Failed at line number: 29
Failed at line: $roleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $RID

Powershell command path: [REDACTED]\Security\Office365\Test\365Inspect-main\inspectors\AdminUsersWithNoMFAEnforced.ps1
Position message: [REDACTED]\Security\Office365\Test\365Inspect-main\inspectors\AdminUsersWithNoMFAEnforced.ps1
Stack trace:
   at Inspect-AdminUsersWithNoMFAEnforced, [REDACTED]\Security\Office365\Test\365Inspect-main\inspectors\AdminUsersWithNoMFAEnforced.ps1: line 29
   at , [REDACTED]\Security\Office365\Test\365Inspect-main\inspectors\AdminUsersWithNoMFAEnforced.ps1: line 72
   at , : line 1
   at , [REDACTED]\Security\Office365\Test\365Inspect-main\365Inspect.ps1: line 375
   at , : line 1

ThoughtContagion commented 1 year ago

Hi there!

Thank you for using our tool, we hope it provides you with valuable insight into your tenant!

We are unable to replicate this issue in any of our testing tenants. Would you be able to provide the version of the Graph module you are using? This can be most easily identified using the following command: Get-Command Get-MgDirectoryRoleMember

Can you also make sure that there are no conflicting modules installed? Get-InstalledModule -Name Microsoft.Graph

You generally only want one version installed (if you are using version 2.0+, Microsoft.Graph and Microsoft.Graph.Beta are perfectly fine to have installed together).

patrickbartley commented 1 year ago


Freshly imaged machine. This is the first time interacting with MS365 through Powershell on this image. I will try running the script again and send you an update.

Removed identifiable information

clement75000 commented 1 year ago

Hello,

In my tenant, role IDs seem to be different from the official documentation, not sure why yet:

https://learn.microsoft.com/fr-fr/azure/active-directory/roles/permissions-reference

I have these roles and IDs:

[screenshot]

$adminRoles = @(
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d",
    "892c5842-a9a6-463a-8041-72aa08ca3cf6",
    "158c047a-c907-4556-b7ef-446551a6b5f7",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
    "d37c8bed-0711-4417-ba38-b4abe66ce4c2",
    "9f06204d-73c1-4d4c-880a-6edb90606fd8",
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
    "c430b396-e693-46cc-96f3-db01bf8bb62a",
    "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "62e90394-69f5-4237-9190-012177145e10",
    "69091246-20e8-4a56-aa4d-066075b2a7a8",
    "17315797-102d-40b4-93e0-432062caca18",
    "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "194ae4cb-b126-40b2-bd5b-6091b380977d"
)

$adminRoles doesn't contain any of my tenant's role IDs, hence $RID gets empty and Get-MgDirectoryRoleMember throws the error.

As I want to audit all roles, I'm using this for now:

[screenshot]

ThoughtContagion commented 1 year ago

Interesting. Thank you for that explanation. We will change the way that the RID's are defined to compensate for this.

clement75000 commented 1 year ago

OK, I got it: I mixed up the Id and RoleTemplateId attributes:

[screenshot]

But in this case, if any of the $adminRoles RoleTemplateId values doesn't exist in the tenant (Get-MgDirectoryRole returns only 5 roles in my test tenant), the foreach loop stops and throws the error.

To quickly fix it I can either modify the $adminRoles values with RoleTemplateIds that exist in my tenant, or not use any role filter as previously shown.

Now I can go to sleep :-)
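The mismatch described in the two comments above (a list of RoleTemplateId values being compared against the per-tenant Id of activated roles, and the loop falling over on a template that is not activated) can be handled by indexing the activated roles by RoleTemplateId and skipping any template that is absent. The following PowerShell is an added example, not 365Inspect's own inspector code. It assumes an existing Connect-MgGraph session with permission to read directory roles, uses the real Get-MgDirectoryRole and Get-MgDirectoryRoleMember cmdlets, and assumes that user-specific fields of a role member are exposed under AdditionalProperties; the two template IDs named below are taken from the list posted above, and the function names are hypothetical.

```powershell
# Added example (not 365Inspect's code). Assumes Connect-MgGraph has already been run
# with a scope that can read directory roles and their members.

# RoleTemplateId values (from the list posted above). Extend as needed; these are
# template IDs, not the tenant-specific Id of an activated role.
$adminRoleTemplates = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"   # Security Administrator
)

function Get-ActivatedAdminRole {
    # Resolves RoleTemplateIds to the roles actually activated in this tenant.
    # Get-MgDirectoryRole lists only activated roles, so a template may be missing;
    # missing templates are reported and skipped instead of producing an empty $RID.
    param([Parameter(Mandatory)][string[]]$RoleTemplateIds)

    $activated = @{}
    foreach ($role in Get-MgDirectoryRole -All) {
        $activated[$role.RoleTemplateId] = $role
    }

    foreach ($templateId in $RoleTemplateIds) {
        if ($activated.ContainsKey($templateId)) {
            $activated[$templateId]
        }
        else {
            Write-Verbose "Role template $templateId is not activated in this tenant; skipping."
        }
    }
}

function Get-AdminRoleMember {
    # Enumerates user members of each resolved role. The DirectoryRoleId passed to
    # Get-MgDirectoryRoleMember is always the non-empty Id of an activated role.
    param([Parameter(Mandatory)][string[]]$RoleTemplateIds)

    foreach ($role in Get-ActivatedAdminRole -RoleTemplateIds $RoleTemplateIds) {
        if ([string]::IsNullOrWhiteSpace($role.Id)) { continue }  # defensive guard for the bug in this thread

        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members are generic directory objects; groups and service principals are
            # skipped here so the output is a per-user list suitable for an MFA check.
            if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

            [pscustomobject]@{
                Role              = $role.DisplayName
                RoleTemplateId    = $role.RoleTemplateId
                UserId            = $member.Id
                UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            }
        }
    }
}

# Usage: list the admin users found, then feed UserId/UserPrincipalName into whichever
# MFA registration check the tenant's Graph module version supports.
Get-AdminRoleMember -RoleTemplateIds $adminRoleTemplates -Verbose | Format-Table -AutoSize
```

Running with -Verbose shows which templates were skipped, which is useful evidence in an assessment report: a role that is not activated has no members, so "skipped" and "no unprotected admins" mean different things and should be recorded separately.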

CountlessNumber commented 1 year ago

I also had this same error. I fixed it using the above solution by setting the Get-MgDirectoryRole to just return all roles.

After that fix I had another error - "Error message: The term 'Get-MgReportAuthenticationMethodUserRegistrationDetail' is not recognized as the name of a cmdlet"

I was able to fix this error by setting the script to use the beta endpoint - Select-MgProfile -Name "beta"

After that, it ran successfully and returned the correct list of admin accounts as expected.