Fix MFA admin alert, update mfa users alert

Author: rvdwegen

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -23,7 +23,7 @@ function Get-CIPPAlertMFAAdmins {
 
             # Check 1: Admins with no MFA registered — prefer cache, fall back to live Graph
             $Users = if ($MFAReport) {
-                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
+                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and $_.UserType -ne 'Guest' -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
             } else {
                 New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
                     Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' } |
@@ -35,6 +35,7 @@ function Get-CIPPAlertMFAAdmins {
             $UnenforcedAdmins = $MFAReport | Where-Object {
                 $_.IsAdmin -eq $true -and
                 $_.MFARegistration -eq $true -and
+                $_.UserType -ne 'Guest' -and
                 ($IncludeDisabled -or $_.AccountEnabled -eq $true) -and
                 $_.PerUser -notin @('Enforced', 'Enabled') -and
                 $null -ne $_.CoveredBySD -and

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1

@@ -11,19 +11,24 @@ function Get-CIPPAlertMFAAlertUsers {
         $TenantFilter
     )
     try {
+        $MFAReport = try { Get-CIPPMFAStateReport -TenantFilter $TenantFilter | Where-Object { $_.DisplayName -ne 'On-Premises Directory Synchronization Service Account' } } catch { $null }
+
+        $Users = if ($MFAReport) {
+            $MFAReport | Where-Object { $_.IsAdmin -ne $true -and $_.MFARegistration -eq $false -and $_.UserType -ne 'Guest' -and $_.UPN -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' }
+        } else {
+            New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' -and $_.userPrincipalName -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' } |
+                Select-Object @{n = 'UPN'; e = { $_.userPrincipalName } }, @{n = 'DisplayName'; e = { $_.userDisplayName } }
+        }
 
-        $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
-            Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' -and $_.userPrincipalName -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' }
         if ($Users) {
             $AlertData = foreach ($user in $Users) {
                 [PSCustomObject]@{
-                    UserPrincipalName = $user.userPrincipalName
-                    DisplayName       = $user.userDisplayName
-                    LastUpdated       = $user.lastUpdatedDateTime
+                    UserPrincipalName = $user.UPN
+                    DisplayName       = $user.DisplayName
                 }
             }
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
         }
 
     } catch {