CAOptics import plugin
Intro
I created a plugin that generates a report containing the per-user MFA status of every user in a given tenant, based on Conditional Access Policies instead of the legacy per-user MFA system. My intention is to publish a more detailed post about how it works, but in the meantime I give a brief explanation here of how to use it.
The plugin imports the CSV report generated from CAOptics for a given tenant, then it takes this data and the actual Conditional Access Policies stored in the ROADrecon database. The plugin processes these two sources to get a deterministic per-user MFA status (Enabled/Disabled/Conditional) given by Conditional Access, which is independent from the original per-user MFA mechanisms that ROADrecon implements right now.
Usage
A CAOptics report with the --allTerminations flag is required to launch the plugin. It can be retrieved with the following command:
node ./ca/main.js --mapping --clearTokenCache --clearMappingCache --allTerminations
After that, locate the CSV report and note its name (let's call it caoptics_report.csv here).
Then, sign in to ROADrecon with a user that has the policy.read.all privilege assigned through a role such as Global Reader:
python .\roadrecon\roadtools\roadrecon\main.py auth --device-code
Gather the tenant information with the gather command:
python .\roadrecon\roadtools\roadrecon\main.py gather --mfa
Finally, launch the plugin by specifying the CAOptics report path with the --input_file flag:
python .\roadrecon\roadtools\roadrecon\main.py plugin caopticsimport --input_file caoptics_report.csv
The final report will be written to a separate CSV file called output_report.csv by default, although this can be changed with the --output_file flag. There is also the option of getting console output by specifying the --print flag, which displays a color code depending on the MFA status, but skips some additional info such as conditions and CAP lists.