Collecting AzureAD User Authentication Method Information

Hello everyone, last Friday I received an e-mail from one of my customers, asking how to identify users in AzureAD that have enabled passwordless sign-in with the Microsoft Authenticator app. Previously I usually made use of the Script for Azure MFA authentication method analysis but that script uses the MSOnline PowerShell mode where the Get-Msoluser cmdlet doesn’t expose the information about these newer Authentication Methods.

So heading over to Microsoft Graph and there we can grab all the Authentication Methods for users as shown in the example below

So, I created Get-AzureADUserAuthMethodInventory.ps1, the script first retrieves all users in AzureAD and then retrieves the registered authentication methods for each user.

If you have not done so yet, install the Microsoft Graph PowerShell modules

find-module -name “Microsoft.graph” | Install-module -Scope CurrentUser

find-module -name Microsoft.Graph.Identity.AuthenticationMethods | install-module -Scope CurrentUser

Then run the following command

Connect-Graph -Scopes @(“UserAuthenticationMethod.Read.All”, “User.Read.All” )

Follow the instructions and grant consent

And finally run the script

$AuthInfo = .\Get-AzureADUserAuthMethodInventory.ps1

For each user found in AzureAD the following information is collected

Filter the results as needed.

The script and instructions can be found on GitHub here:

Hope you liked this blog post, as always feedback is welcome


Leave a Reply