Collect statistics on user enrolled authenticators

Information

You can download the script for collecting statistics from this link.

Prerequisites

• The Active Directory module for PowerShell installed on Windows Server.
• A working Axidian Access server.
• The user on whose behalf the script will be run must have the minimal global Inspector rights in the Axidian Access system.

How the script works

The operation of the script consists of several stages:

1. The script iterates over the policy identifiers from the array in the configuration file Config.ps1.
2. Using the /api/v5/policy/get method, information about the policy is requested.
3. From the scope property, information about the configured objects is requested using the /api/v5/userCatalog/getObjects method.
4. From the obtained objects, users are requested:
   • Using the PowerShell cmdlet Get-ADGroup in the function getUsersCN of the file Base/AdditionalFunctions/GetUsers.ps1 for an Active Directory group.
   • Using the PowerShell cmdlet Get-ADUser in the function getUsersOU of the file Base/AdditionalFunctions/GetUsers.ps1 for an Active Directory organizational unit.
5. For the obtained users, a report is compiled on the state of the authenticators specified in the AuthForReport variable of the file Config.ps1.
   • Using the /api/v5/authenticator/findByUserIds method, information with all the internal GUIDs of the user's authenticators is requested.
   • Using the /api/v5/authenticator/getUserAuth method, information for a specific GUID is requested.
6. Using the addDataToCSV function of the file Base/AdditionalFunctions/CsvReport.ps1 a table in CSV format is assembled.

Configuration

For the script to work, you need to configure the file Config.ps1, which is located in the root of the folder with the script.

In the file:

• $serverUrl — URL of the Axidian Access server. Required parameter.

• $logsOnFile — enabling\disabling logging to a file. Required parameter. Enabled by default.

• $logsOnConsole — enabling\disabling logging to the console. Required parameter. Disabled by default.

• $apiVersion — version of the API used in the script. Required parameter. Default value: v5.

• $policyIds — policy identifiers, from whose scope the users are requested.

• $AuthForReport — this variable specifies the GUIDs of the Axidian authenticators and their name for the report. The name can be arbitrary. The values are specified in the following format: 'GUID' = "Name".

  Example of configuration for Axidian Key and Passcode

  $AuthForReport      = @{
      'F696F05D-5466-42b4-BF52-21BEE1CB9529' = 'Passcode'
      'DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68' = 'Push notification in Axidian Key'
  }

• $csvPathToReport — path to the CSV report file. By default the file is created in the script folder at the path Reports\Statistics.

Example of execution

1. To run the script, execute the file main.ps1.

2. During the execution of the script, a CSV-format file will be created at the path from the $csvPathToReport variable.

   Note

   Users are added to the report sequentially.