Merge pull request KelvinTegelaar#1778 from criani/dev

Added null protection to ListMFAUsers.ps1 supporting fallback when calling non P1 tenants

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Reports/Invoke-ListMFAUsers.ps1

@@ -73,8 +73,9 @@ function Invoke-ListMFAUsers {
     }
 
     return ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
+            StatusCode = $StatusCode
             Body       = @($GraphRequest)
         })
 
+
 }

Modules/CIPPCore/Public/Get-CIPPMFAState.ps1

@@ -18,19 +18,31 @@ function Get-CIPPMFAState {
     }
 
     $Errors = [System.Collections.Generic.List[object]]::new()
+    $SecureDefaultsState = $null
+    $CASuccess = $false
+    $CAError = $null
+    $PolicyTable = @{}
+    $AllUserPolicies = @()
+    $UserGroupMembership = @{}
+    $UserExcludeGroupMembership = @{}
+    $GroupNameLookup = @{}
+    $MFAIndex = @{}
+
     try {
         $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled
     } catch {
         Write-Host "Secure Defaults not available: $($_.Exception.Message)"
         $Errors.Add(@{Step = 'SecureDefaults'; Message = $_.Exception.Message })
+        $SecureDefaultsState = $null
     }
     $CAState = [System.Collections.Generic.List[object]]::new()
 
     try {
-        $MFARegistration = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$top=999&$select=userPrincipalName,isMfaRegistered,isMfaCapable,methodsRegistered" -tenantid $TenantFilter -asapp $true)
-        $MFAIndex = @{}
+        $MFARegistration = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&`$select=userPrincipalName,isMfaRegistered,isMfaCapable,methodsRegistered" -tenantid $TenantFilter -asapp $true)
         foreach ($MFAEntry in $MFARegistration) {
-            $MFAIndex[$MFAEntry.userPrincipalName] = $MFAEntry
+            if ($null -ne $MFAEntry.userPrincipalName) {
+                $MFAIndex[$MFAEntry.userPrincipalName] = $MFAEntry
+            }
         }
     } catch {
         $CAState.Add('Not Licensed for Conditional Access') | Out-Null
@@ -39,12 +51,11 @@ function Get-CIPPMFAState {
             $Errors.Add(@{Step = 'MFARegistration'; Message = $_.Exception.Message })
         }
         Write-Host "User registration details not available: $($_.Exception.Message)"
-        $MFAIndex = @{}
     }
 
     if ($null -ne $MFARegistration) {
-        $CASuccess = $true
         try {
+            $CASuccess = $true
             $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies?$top=999&$filter=state eq ''enabled''&$select=id,displayName,state,grantControls,conditions' -tenantid $TenantFilter -ErrorAction Stop -AsApp $true)
             $PolicyTable = @{}
             $AllUserPolicies = [System.Collections.Generic.List[object]]::new()
@@ -315,11 +326,7 @@ function Get-CIPPMFAState {
 
         $PerUser = $_.PerUserMFAState
 
-        $MFARegUser = if ($null -eq ($MFAIndex[$_.UserPrincipalName])) {
-            $false
-        } else {
-            $MFAIndex[$_.UserPrincipalName]
-        }
+        $MFARegUser = $MFAIndex[$_.UserPrincipalName]
 
         [PSCustomObject]@{
             Tenant          = $TenantFilter
@@ -329,9 +336,9 @@ function Get-CIPPMFAState {
             AccountEnabled  = $_.accountEnabled
             PerUser         = $PerUser
             isLicensed      = $_.isLicensed
-            MFARegistration = if ($MFARegUser) { $MFARegUser.isMfaRegistered } else { $false }
-            MFACapable      = if ($MFARegUser) { $MFARegUser.isMfaCapable } else { $false }
-            MFAMethods      = if ($MFARegUser) { $MFARegUser.methodsRegistered } else { @() }
+            MFARegistration = if ($null -ne $MFARegUser) { [bool]$MFARegUser.isMfaRegistered } else { $null }
+            MFACapable      = if ($null -ne $MFARegUser) { [bool]$MFARegUser.isMfaCapable } else { $null }
+            MFAMethods      = if ($null -ne $MFARegUser) { @($MFARegUser.methodsRegistered) } else { @() }
             CoveredByCA     = $CoveredByCA
             CAPolicies      = $UserCAState
             CoveredBySD     = $SecureDefaultsState