Hello everyone, last Friday I received an e-mail from one of my customers, asking how to identify users in AzureAD that have enabled passwordless sign-in with the Microsoft Authenticator app. Previously I usually made use of the Script for Azure MFA authentication method analysis, but that script uses the MSOnline PowerShell module, where the Get-MsolUser cmdlet doesn't expose the information about these newer authentication methods.
So I headed over to Microsoft Graph, where we can grab all the authentication methods registered for a user, as shown in the example below.
So, I created Get-AzureADUserAuthMethodInventory.ps1. The script first retrieves all users in AzureAD and then retrieves the registered authentication methods for each user.
If you have not done so yet, install the Microsoft Graph PowerShell modules:
Find-Module -Name "Microsoft.Graph" | Install-Module -Scope CurrentUser
Find-Module -Name Microsoft.Graph.Identity.AuthenticationMethods | Install-Module -Scope CurrentUser
Then run the following command:
Connect-Graph -Scopes @("UserAuthenticationMethod.Read.All", "User.Read.All")
Follow the instructions and grant consent.
And finally run the script:
$AuthInfo = .\Get-AzureADUserAuthMethodInventory.ps1
For each user found in AzureAD the following information is collected:
Filter the results as needed.
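To show what the inventory looks like in code, here is an added example (not the script from the GitHub repository) that walks every enabled user, reads the registered methods through Get-MgUserAuthenticationMethod and flags passwordless Microsoft Authenticator sign-in. It assumes Connect-Graph has already run with the scopes above, and it assumes the passwordless registration is reported by the beta endpoint under the OData type stored in $PasswordlessType; verify that name against your own tenant's output.

```powershell
# Added example, not part of the original post or the GitHub script.
# Assumes Connect-Graph already ran with UserAuthenticationMethod.Read.All and User.Read.All.

# OData type Graph reports for a passwordless Authenticator registration
# (beta endpoint; assumed type name, check it against your tenant's output)
$PasswordlessType = '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod'

function Get-UserAuthMethodSummary {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [string]$UserPrincipalName
    )

    # Each method object carries its concrete type in AdditionalProperties['@odata.type']
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId -ErrorAction Stop
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    [pscustomobject]@{
        UserPrincipalName         = $UserPrincipalName
        MethodCount               = $types.Count
        PasswordlessAuthenticator = $types -contains $PasswordlessType
        AuthenticatorApp          = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
        Fido2                     = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
        Phone                     = $types -contains '#microsoft.graph.phoneAuthenticationMethod'
        # True when nothing beyond the password itself is registered
        PasswordOnly              = @($types | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }).Count -eq 0
        Methods                   = ($types -replace '^#microsoft\.graph\.', '') -join ';'
    }
}

# -All pages through the whole tenant; only request the properties we need
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled |
    Where-Object { $_.AccountEnabled }

$inventory = foreach ($u in $users) {
    try {
        Get-UserAuthMethodSummary -UserId $u.Id -UserPrincipalName $u.UserPrincipalName
    }
    catch {
        # Keep going when a single user cannot be read (e.g. a transient Graph error)
        Write-Warning "Could not read methods for $($u.UserPrincipalName): $($_.Exception.Message)"
    }
}

# The customer's question: who has passwordless Authenticator sign-in enabled?
$inventory | Where-Object PasswordlessAuthenticator | Select-Object UserPrincipalName, Methods

# The other list worth reviewing: accounts with only a password registered
$inventory | Where-Object PasswordOnly | Select-Object UserPrincipalName
```

Pipe $inventory to Export-Csv if you want to hand the result to the customer as a spreadsheet.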
The script and instructions can be found on GitHub here: https://github.com/alexverboon/PowerShellCode/tree/main/AzureAD/MFA/MfaAuthMethodsAnalysisV2
Hope you liked this blog post; as always, feedback is welcome.
Alex