CAOptics import plugin

[acap4z]

Intro

I created a plugin that generates a report containing the per-user MFA status of every user in a given tenant, based in Conditional Access Policies instead of the legacy per-user MFA system. My intention is to publish a more detailed post about how it works but meanwhile I make a brief explanation here about how to use it.

The plugin imports the CSV report generated from CAOptics for a given tenant, then it takes this data and the actual Conditional Access Policies stored in the ROADrecon database. The plugin processes these two sources to get a deterministic per-user MFA status (Enabled/Disabled/Conditional) given by Conditional Access, which is independent from the original per-user MFA mechanisms that ROADrecon implements right now.

Usage

A CAOptics report with the --allTerminations flag is required to launch the plugin. It can be retrieved with the following command:

node ./ca/main.js --mapping --clearTokenCache --clearMappingCache --allTerminations

After that, locate the CSV report and note its name (let's call it caoptics_report.csv here).

Then, sign-in in ROADrecon with a user with the policy.read.all privilege assigned through a role such as Global Reader:

python .\roadrecon\roadtools\roadrecon\main.py auth --device-code

Gather the tenant information with the gather command:

python .\roadrecon\roadtools\roadrecon\main.py gather --mfa

Finally, launch the plugin by specifying the CAOptics report path with the --input_file flag:

python .\roadrecon\roadtools\roadrecon\main.py plugin caopticsimport --input_file caoptics_report.csv

The final report will be written in a separate CSV file called output_report.csv by default, although this can be changed with the --output_file flag. There is also an option of getting a console output by specifying the --print flag, which displays a color code depending on the MFA status, but skips some additonal info such as conditions and CAP lists.