How to Ensure Modern Authentication is Enabled in Office 365 with PowerShell

Modern authentication is a security feature in Office 365 that uses Azure Active Directory (AAD) to authenticate users. It stands as a beacon of security, overshadowing traditional authentication methods such as Basic Authentication. The reason? Modern authentication employs stronger encryption and the added layer of two-factor authentication, making it a formidable defense mechanism in today’s cyber landscape.

Understanding the Script

At its core, the script is designed to provide clarity on the status of modern authentication across user profiles in an Office 365 environment. How does it achieve this? By meticulously looping through each user profile on the machine and inspecting the registry values tied to modern authentication. If it encounters a value set to 0, it’s a clear indicator that modern authentication is disabled for that specific user profile.

The Script

#Requires -Version 5.1

<#
.SYNOPSIS
    Monitors if user profiles have modern auth for Office 365 enabled or disabled.
.DESCRIPTION
    Monitors if user profiles have modern auth for Office 365 enabled or disabled.
    Check if HKEY_CURRENT_USERSOFTWAREMicrosoftOffice15.0CommonIdentityEnableADAL is set to 1.
    Check if HKEY_CURRENT_USERSOFTWAREMicrosoftOffice16.0CommonIdentityEnableADAL is set to 0.
    Returns an exit code of 1 if one user has modern auth disabled.
    Returns an exit code of 0 if all user have modern auth enabled.
.EXAMPLE
     No parameter needed.
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Release Notes:
    Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param ()

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    # Loop through each user's profile
    # Check if HKEY_CURRENT_USERSOFTWAREMicrosoftOffice15.0CommonIdentityEnableADAL is set to 1
    # Check if HKEY_CURRENT_USERSOFTWAREMicrosoftOffice16.0CommonIdentityEnableADAL is set to 1

    $Path = @("SOFTWAREMicrosoftOffice15.0CommonIdentity", "SOFTWAREMicrosoftOffice16.0CommonIdentity")
    $Name = "EnableADAL"

    $Script:FoundModernAuthDisabled = $false

    # Get each user profile SID and Path to the profile
    $UserProfiles = Get-ItemProperty -Path "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionProfileList*" |
        Where-Object { $_.PSChildName -match "S-1-5-21-(d+-?){4}$" } |
        Select-Object @{Name = "SID"; Expression = { $_.PSChildName } }, @{Name = "UserHive"; Expression = { "$($_.ProfileImagePath)NTuser.dat" } }, @{Name = "UserName"; Expression = { "$($_.ProfileImagePath | Split-Path -Leaf)" } }

    # Loop through each profile on the machine
    Foreach ($UserProfile in $UserProfiles) {
        # Load User ntuser.dat if it's not already loaded
        If (($ProfileWasLoaded = Test-Path -Path "Registry::HKEY_USERS$($UserProfile.SID)") -eq $false) {
            Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe LOAD HKU$($UserProfile.SID) $($UserProfile.UserHive)" -Wait -WindowStyle Hidden
        }

        # Read the user's registry
        $Path | ForEach-Object {
            $Key = Join-Path -Path "Registry::HKEY_USERS$($UserProfile.SID)" -ChildPath $($_)
            $Value = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue | Select-Object $Name -ExpandProperty $Name -ErrorAction SilentlyContinue
            if (
                (
                    $_ -like "*15.0*" -and
                    $Value -ne 1 -and
                    $(Test-Path -Path $Key -ErrorAction SilentlyContinue)
                ) -or
                (
                    $_ -like "*16.0*" -and
                    $Value -eq 0
                )
            ) {
                Write-Host "$($UserProfile.UserName) ModernAuth is not enabled."
                $Script:FoundModernAuthDisabled = $true
            }
        }
 
        # Unload NTuser.dat
        If ($ProfileWasLoaded -eq $false) {
            [gc]::Collect()
            Start-Sleep 1
            Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe UNLOAD HKU$($UserProfile.SID)" -Wait -WindowStyle Hidden | Out-Null
        }
    }
    if ($FoundModernAuthDisabled) {
        Write-Output $false
        exit 1
    }
    else {
        Write-Output $true
        exit 0
    }
}
end {}

 

How IT Professionals Stand to Benefit

The script isn’t just a tool; it’s a solution tailored for IT professionals. Here’s how it can be a game-changer:

1. Proactive Monitoring: Before a potential security lapse becomes a full-blown issue, the script allows IT professionals to identify and address instances where modern authentication is disabled.
2. Efficiency at Its Best: Time is of the essence in IT. The script automates the otherwise tedious process of individually checking each user profile, freeing up valuable time.
3. Clarity and Direction: No more guesswork. The script offers clear feedback on which user profiles require attention, paving the way for targeted and effective remediation.

NinjaOne: Your Partner in IT Management

While the script offers a focused solution, integrating it with a comprehensive IT management platform like NinjaOne amplifies its capabilities. NinjaOne provides a unified platform that simplifies IT operations. When it comes to modern authentication in Office 365, NinjaOne can seamlessly run the script at scheduled intervals. The result? Real-time alerts to IT teams about any discrepancies, ensuring that security remains uncompromised.

Final Thoughts

In the ever-evolving world of IT, modern authentication in Office 365 is not just a feature; it’s a necessity. By leveraging the discussed script and integrating it with robust solutions like NinjaOne, IT professionals can fortify their defenses, ensuring that their organizations are always a step ahead in the cybersecurity game.