GUI omits MFA details for non-mailbox users
rieck-srlabs opened this issue
Summary
According to my tests, in a development Azure tenant (no active Azure subscription, just Entra ID + O365), newly created users in Entra ID (New user > Create new user) do not have the cloudMSExchRecipientDisplayType field set (see SQL query below).

ROADTools filters out "mailbox users" in the /api/mfa endpoint. This filter also removes users missing the cloudMSExchRecipientDisplayType field. Is this expected?
Details
The MFA tab filters out "mailbox" users:

```python
@app.route("/api/mfa", methods=["GET"])
def get_mfa():
    # First get all users with per-user MFA
    # per_user = db.session.query(AppRoleAssignment).filter(AppRoleAssignment.resourceDisplayName == "MicrosoftAzureActiveAuthn" and AppRoleAssignment.principalType == "User").all()
    # enabledusers = []
    # for approle in per_user:
    #     enabledusers.append(approle.principalId)
    # Filter out mailbox users by default
    all_mfa = db.session.query(User).filter(
        User.cloudMSExchRecipientDisplayType != 0,
        User.cloudMSExchRecipientDisplayType != 7,
        User.cloudMSExchRecipientDisplayType != 18,
    ).all()
```
In my test tenant, newly created users lack the cloudMSExchRecipientDisplayType field, as can be seen in the response to the following SQL query:

```sql
SELECT userPrincipalName, cloudMSExchRecipientDisplayType
FROM users;
```

returns these rows:

```
AdeleV@1f147m.onmicrosoft.com|1073741824
AlexW@1f147m.onmicrosoft.com|1073741824
DiegoS@1f147m.onmicrosoft.com|1073741824
GradyA@1f147m.onmicrosoft.com|1073741824
HenriettaM@1f147m.onmicrosoft.com|1073741824
IsaiahL@1f147m.onmicrosoft.com|1073741824
JohannaL@1f147m.onmicrosoft.com|1073741824
JoniS@1f147m.onmicrosoft.com|1073741824
josephine.testuser@1f147m.onmicrosoft.com|
LeeG@1f147m.onmicrosoft.com|1073741824
LidiaH@1f147m.onmicrosoft.com|1073741824
LynneR@1f147m.onmicrosoft.com|1073741824
mandatory-mfa@1f147m.onmicrosoft.com|
MeganB@1f147m.onmicrosoft.com|1073741824
MiriamG@1f147m.onmicrosoft.com|1073741824
NestorW@1f147m.onmicrosoft.com|1073741824
PattiF@1f147m.onmicrosoft.com|1073741824
PradeepG@1f147m.onmicrosoft.com|1073741824
```

josephine.testuser@1f147m.onmicrosoft.com and mandatory-mfa@1f147m.onmicrosoft.com have no value set for cloudMSExchRecipientDisplayType.
Documentation wanted
Side comment: What do the magic values 0, 7 and 18 stand for in the code snippet above? I found some results for 0 and 7, but nothing for 18.
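Added example (not code from the issue or from ROADtools): the SQLAlchemy filter above renders to SQL `!=` comparisons, and in SQL a comparison against NULL is neither true nor false, so rows whose cloudMSExchRecipientDisplayType is unset never pass a chain of `!=` conditions. The script below reproduces that with an in-memory sqlite3 table of constructed rows (the tenant name and the shared-mailbox row are placeholders) and shows a filter that keeps attribute-less users in the MFA view.

```python
import sqlite3

# Constructed sample rows modelled on the query output in the issue:
# (userPrincipalName, cloudMSExchRecipientDisplayType); None = attribute absent.
SAMPLE_USERS = [
    ("AdeleV@example.onmicrosoft.com", 1073741824),
    ("josephine.testuser@example.onmicrosoft.com", None),
    ("mandatory-mfa@example.onmicrosoft.com", None),
    ("shared-mailbox@example.onmicrosoft.com", 0),  # placeholder non-user object
]

# Recipient display types excluded by the filter in the snippet above.
EXCLUDED_TYPES = (0, 7, 18)


def _db():
    """Build an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userPrincipalName TEXT, cloudMSExchRecipientDisplayType INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def mfa_users_broad(conn):
    """The original filter: a chain of '!=' comparisons. NULL != x evaluates to
    NULL (unknown), so users with no attribute never satisfy the WHERE clause."""
    sql = "SELECT userPrincipalName FROM users WHERE " + " AND ".join(
        "cloudMSExchRecipientDisplayType != ?" for _ in EXCLUDED_TYPES
    )
    return [r[0] for r in conn.execute(sql, EXCLUDED_TYPES)]


def mfa_users_fixed(conn):
    """Keep users with no recipient type as well: they are ordinary accounts
    that authenticate, so they belong in an MFA review."""
    sql = (
        "SELECT userPrincipalName FROM users WHERE "
        "cloudMSExchRecipientDisplayType IS NULL "
        "OR cloudMSExchRecipientDisplayType NOT IN (?, ?, ?)"
    )
    return [r[0] for r in conn.execute(sql, EXCLUDED_TYPES)]


def silently_dropped(conn):
    """Accounts the broad filter hides from the MFA tab (an audit blind spot)."""
    return sorted(set(mfa_users_fixed(conn)) - set(mfa_users_broad(conn)))
```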
Thanks for the report. The filtering was indeed a bit too broad. The goal here was to filter out Exchange objects that do not represent actual users, since those won't be expected to have MFA since they don't authenticate. I have updated the filter so it doesn't filter out users without a mailbox. I'll get back to you if I can find the exact values again for documentation purposes.