The msuserstats tool is a robust PowerShell-based solution designed to streamline user account management in hybrid Microsoft environments that use both Entra ID (formerly Azure AD) and Active Directory (AD).

It addresses common challenges such as reviewing user accounts, enforcing Multi-Factor Authentication (MFA), and identifying inactive accounts to enhance IT security.

Core Features

  1. Unified User View:
    msuserstats consolidates user accounts from Entra ID and AD into a single Excel file, avoiding duplicates by mapping accounts across platforms. This provides a comprehensive overview of member, guest, service, and admin accounts.
  2. Account Activity Monitoring:
    The tool determines the last sign-in activity for users in both Entra ID and AD, publishing the most recent sign-in date to help identify inactive accounts.
  3. MFA Reporting and Enforcement:
    Existing MFA methods are reported for all Entra ID users, including hardware tokens like OATH. Accounts without MFA enrollment can be blocked from accessing Office 365 services after a configurable grace period.
  4. Advanced Categorization:
    User accounts can be classified based on organizational units (OUs) in AD, such as country or entity structures. Special exception groups can be configured for service accounts or long-term inactive users, ensuring flexibility in account governance.
  5. Guest User Management:
    Guest accounts in Entra ID can be automatically deleted to maintain governance and security compliance.
  6. Security Enhancements:
    The tool supports integration with pentesting results (e.g., weak passwords identified via tools like Mimikatz) to flag vulnerable accounts.

Technical Details

  • Cross-Platform Support: The tool runs on PowerShell 7 for multi-platform use, but certain features such as AD user export require a Windows environment with RSAT installed.
  • Output Formats: Reports are generated in CSV and XLSX formats for easy sharing and review.
  • Configuration Options: Settings like tenant ID, inactive days threshold, and inclusion of AD can be customized in the config.ps1 file.
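
The unified view, most-recent sign-in and inactivity threshold described above can be sketched as follows; this is an added example, not code from msuserstats. It assumes accounts are matched on UPN (the page does not say how the tool maps them), and the function name Merge-UserView, the property names and the sample records are all constructed for illustration.

```powershell
# Constructed sample records; property names are assumptions for this sketch.
$adUsers = @(
    [pscustomobject]@{ Upn = 'alice@example.com';      LastLogon = [datetime]'2024-05-01' }
    [pscustomobject]@{ Upn = 'svc-backup@example.com'; LastLogon = [datetime]'2023-01-15' }
)
$entraUsers = @(
    [pscustomobject]@{ Upn = 'Alice@example.com'; UserType = 'Member'
        LastSignIn = [datetime]'2024-06-10'; Mfa = @('fido2') }
    [pscustomobject]@{ Upn = 'guest1@partner.example'; UserType = 'Guest'
        LastSignIn = $null; Mfa = @() }
)

function Merge-UserView {
    param([object[]]$AdUsers, [object[]]$EntraUsers, [int]$InactiveDays, [datetime]$AsOf)
    $byUpn = @{}   # hashtable literals compare string keys case-insensitively
    foreach ($u in $AdUsers) {
        $byUpn[$u.Upn] = [pscustomobject]@{ Upn = $u.Upn.ToLowerInvariant(); Sources = 'AD'
            UserType = 'ADOnly'; AdLast = $u.LastLogon; EntraLast = $null; Mfa = @() }
    }
    foreach ($u in $EntraUsers) {
        if ($byUpn.ContainsKey($u.Upn)) {
            $byUpn[$u.Upn].Sources = 'AD+Entra'   # same person in both directories: one row
        } else {
            $byUpn[$u.Upn] = [pscustomobject]@{ Upn = $u.Upn.ToLowerInvariant(); Sources = 'Entra'
                UserType = $null; AdLast = $null; EntraLast = $null; Mfa = @() }
        }
        $row = $byUpn[$u.Upn]
        $row.UserType = $u.UserType; $row.EntraLast = $u.LastSignIn; $row.Mfa = $u.Mfa
    }
    foreach ($row in ($byUpn.Values | Sort-Object Upn)) {
        # Most recent sign-in across both directories; $null if the account never signed in.
        $last = @($row.AdLast, $row.EntraLast) | Where-Object { $null -ne $_ } |
            Sort-Object -Descending | Select-Object -First 1
        $inactive = ($null -eq $last) -or (($AsOf - $last).Days -gt $InactiveDays)
        [pscustomobject]@{
            Upn = $row.Upn; Sources = $row.Sources; UserType = $row.UserType
            LastSignIn = $last; Inactive = $inactive
            # MFA state is only known for accounts that exist in Entra ID.
            NoMfa = ($row.Sources -ne 'AD') -and (@($row.Mfa).Count -eq 0)
        }
    }
}

# Fixed reference date so the constructed data always evaluates the same way.
Merge-UserView -AdUsers $adUsers -EntraUsers $entraUsers -InactiveDays 90 `
    -AsOf ([datetime]'2024-07-01') | Format-Table -AutoSize
```

An account that has never signed in is treated as inactive here, which is the case most likely to hide forgotten guest or service accounts.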

To begin using msuserstats:

  1. Clone the repository from GitHub.
  2. Install required PowerShell modules (ImportExcel, Microsoft.Graph.Users, etc.).
  3. Configure settings in config.ps1 as per your environment.
  4. Run the script using commands like ./msuserstats.ps1 to generate reports.

By automating routine account reviews and enforcing security policies, msuserstats simplifies user account management while enhancing organizational security.
