Company logoHelp Center
Visit oncld.io

Verifying User Phone Numbers Against MFA Settings with Microsoft Graph PowerShell

2 min. readlast update: 09.26.2024

Verifying User Phone Numbers Against MFA Settings with Microsoft Graph PowerShell

Ensuring that user phone numbers are accurately configured in both their profile and multi-factor authentication (MFA) settings is critical for maintaining robust security in an organization. This article details how to use a PowerShell script leveraging the Microsoft Graph API to verify that users' primary phone numbers match their MFA phone numbers.

The script automates the process of comparing phone numbers, checking for any discrepancies that could potentially lead to authentication issues or security risks. This can be especially useful for IT administrators who need to audit and clean up user phone number configurations across the organization.

Here is the script:

# Install the Microsoft Graph PowerShell SDK (if not already installed)
if (-not (Get-Module -ListAvailable -Name "Microsoft.Graph")) {
Install-Module Microsoft.Graph -Scope CurrentUser -Force
}

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Function to get user phone number
function Get-UserPhoneNumber {
param (
[string]$userId
)

$user = Get-MgUser -UserId $userId
return $user.MobilePhone
}

# Function to get MFA phone numbers
function Get-MfaPhoneNumbers {
param (
[string]$userId
)

# Get all phone authentication methods for the user
$phoneMethods = Get-MgUserAuthenticationPhoneMethod -UserId $userId
return $phoneMethods
}

# Function to clean phone numbers (remove hyphens)
function Clean-PhoneNumber {
param (
[string]$phoneNumber
)

return $phoneNumber -replace '-', ''
}

# Function to check if at least 6 digits match
function Check-PhoneNumberMatch {
param (
[string]$primaryNumber,
[string[]]$mfaNumbers
)

$primaryDigits = ($primaryNumber -replace '\D', '') # Remove all non-digit characters
foreach ($mfaNumber in $mfaNumbers) {
$mfaDigits = ($mfaNumber -replace '\D', '') # Remove all non-digit characters

$matchCount = ($primaryDigits.ToCharArray() | Where-Object { $mfaDigits.Contains($_) }).Count
if ($matchCount -ge 6) {
return $true
}
}
return $false
}

# Get a list of users (excluding guest users)
$users = Get-MgUser -Filter "accountEnabled eq true and userType eq 'Member'"

# Iterate over each user and compare phone numbers
foreach ($user in $users) {
$userId = $user.Id
$userPhoneNumber = Get-UserPhoneNumber -userId $userId
$mfaPhoneNumbers = Get-MfaPhoneNumbers -userId $userId

if (-not [string]::IsNullOrWhiteSpace($userPhoneNumber)) {
$cleanUserPhoneNumber = Clean-PhoneNumber -phoneNumber $userPhoneNumber

$cleanMfaPhoneNumbers = @()
if ($mfaPhoneNumbers) {
foreach ($mfaPhone in $mfaPhoneNumbers) {
$cleanMfaPhoneNumbers += Clean-PhoneNumber -phoneNumber $mfaPhone.PhoneNumber
}

$isMatching = Check-PhoneNumberMatch -primaryNumber $cleanUserPhoneNumber -mfaNumbers $cleanMfaPhoneNumbers

Write-Output "User: $($user.DisplayName)"
Write-Output "User Phone Number: $cleanUserPhoneNumber"

if ($isMatching) {
Write-Output "At least 6 digits match with MFA phone numbers."
} else {
Write-Output "No match with MFA phone numbers."
}
} else {
Write-Output "No MFA phone numbers found."
}

Write-Output "-------------------------------------------"
} else {
Write-Output "User: $($user.DisplayName) - No primary phone number found."
}
}
Was this article helpful?