Hello
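# Information from the Azure AD App Registration blade
# Required API permissions (application permissions, admin-consented):
# - Device.Read.All
# - User.Read.All
# NOTE: keep the placeholders here. A client secret pasted into a script ends up in
# source control, shell history and transcripts; load it from an environment variable
# or a secret store right before running instead.
$ClientID = "xxx"
$ClientSecret = "xxx"
$TenantId = "xxx"

# Get an access token for the Graph API (client-credentials flow, app-only)
$b = @{
    grant_type    = "client_credentials"
    client_id     = $ClientID
    client_secret = $ClientSecret
    # Must be a string literal: a bare word here is parsed as a command to run, not a value
    scope         = "https://graph.microsoft.com/.default"
}
$t = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Method Post -Body $b
# Fail early and clearly; without a token every later call would just 401
if (-not $t.access_token) { throw "Token request did not return an access_token" }

# Get all users' deviceKeys and store them in $r
$h = @{
    Authorization = "Bearer $($t.access_token)"
}
# deviceKeys is only exposed on the beta endpoint; the backtick stops PowerShell expanding $select
$d = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/users/?`$select=id,userPrincipalName,deviceKeys" -Method Get -Headers $h
$r = @()
$r += $d.value
# Results are paged: follow @odata.nextLink until the server stops returning one
while ($null -ne $d."@odata.nextLink") {
    # Progress goes to the verbose stream, not to the output pipeline
    Write-Verbose "Collected $($r.Count) users so far, fetching next page"
    $d = Invoke-RestMethod -Uri $d."@odata.nextLink" -Method Get -Headers $h
    $r += $d.value
}

# Device cache keyed by deviceId, shared with LookupDevice so each device is queried once.
# (Named $global:d; distinct from the script-scoped $d response variable above when run as a script.)
$global:d = @{}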
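#######################################
# Look a device up by its deviceId, caching the result in $global:d so the
# Graph API is queried at most once per device.
# Globals:   $global:d (read/written), $h (read: Authorization header)
# Arguments: $deviceid - Azure AD deviceId taken from a user's deviceKeys entry
# Returns:   object with Name, OS and Version; the properties are $null when the
#            device is not found (e.g. deleted after the key was registered)
#######################################
function LookupDevice( $deviceid )
{
    if ( -not $global:d.ContainsKey($deviceid) ) {
        # Double single quotes per OData rules so the value cannot end the filter literal early
        $safeId = $deviceid -replace "'", "''"
        # The URI must be one quoted string: unquoted, the spaces in "deviceId eq '...'" split it into
        # several arguments. The backtick keeps PowerShell from expanding $filter as a variable.
        $q = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$safeId'" -Method Get -Headers $h
        # value is an array (0 or 1 element for a deviceId filter); take the single match if any
        $dev = $q.value | Select-Object -First 1
        # Direct assignment instead of "+= @{...}", which rebuilt the whole hashtable each call
        $global:d[$deviceid] = [PSCustomObject] @{
            Name    = $dev.displayName
            OS      = $dev.operatingSystem
            Version = $dev.operatingSystemVersion
        }
    }
    # Same object shape on both the cached and the fresh path
    return $global:d[$deviceid]
}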
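# Build one row per Windows Hello for Business (NGC) key found on any user, in $u.
# Collecting the loop output directly avoids the quadratic "$u += ..." array copy.
$u = @(foreach ($user in $r) {
    if ( $user.deviceKeys.count -eq 0 ) { # Skip users that have no keys at all
        continue
    }
    foreach ($key in $user.deviceKeys) {
        if ( $key.keyType -ne "NGC" ) { # Only WHfB keys (keyType NGC) are of interest
            continue
        }
        # One lookup per key: LookupDevice caches, but three calls for the same device is still wasteful
        $device = LookupDevice $key.deviceId
        [PSCustomObject] @{
            UserId            = $user.id
            UserPrincipalName = $user.userPrincipalName
            DeviceId          = $key.deviceId
            DeviceName        = $device.Name
            DeviceOS          = $device.OS
            DeviceOSVersion   = $device.Version
        }
    }
})
$u | Out-GridView -Title "List of users with Windows Hello for Business keys"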