fix: MFA alerts and BPA report for mfa reg

JohnDuprey · JohnDuprey · commit 90b32323432e · 2025-03-11T11:01:43.000-04:00
diff --git a/Config/CyberEssentials.BPATemplate.json b/Config/CyberEssentials.BPATemplate.json
@@ -92,7 +92,10 @@
         "isMFARegistered",
         "defaultMFAMethod"
       ],
-      "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails"
+      "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails",
+      "Parameters": {
+        "asApp": "True"
+      }
     }
   ]
 }
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1
@@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
             if ($users.UserPrincipalName) {
                 $AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1
@@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {
     )
     try {
 
-        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
         if ($users.UserPrincipalName) {
             $AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,10 @@`
`92`	`92`	`"isMFARegistered",`
`93`	`93`	`"defaultMFAMethod"`
`94`	`94`	`],`
`95`		`- "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails"`
	`95`	`+ "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails",`
	`96`	`+ "Parameters": {`
	`97`	`+ "asApp": "True"`
	`98`	`+ }`
`96`	`99`	`}`
`97`	`100`	`]`
`98`	`101`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`	`if (!$DuoActive) {`
`21`		- $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) \| Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
	`21`	+ $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true \| Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
`22`	`22`	`if ($users.UserPrincipalName) {`
`23`	`23`	`$AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"`
`24`	`24`	`Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {`
`12`	`12`	`)`
`13`	`13`	`try {`
`14`	`14`
`15`		- $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) \| Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
	`15`	+ $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true \| Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
`16`	`16`	`if ($users.UserPrincipalName) {`
`17`	`17`	`$AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"`
`18`	`18`	`Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData`