How to get MFA list against users in my company using api?

Govind S 26 Reputation points
2020-09-11T12:29:59.673+00:00

Hi, this is Govind. My company has many user accounts, and some users use MFA authentication. I need to know the MFA list for each
user. I searched the API documentation for Active Directory, but I am not able to get the API. Can anyone guide me to the respective API for getting the MFA list of users in my company?

Thanks in advance.

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-09-11T16:28:20.653+00:00

    @Govind S , Thank you for reaching out. You can try using the following Microsoft Graph API:

    API: GET https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails

    This would get you the following output:

    ```http
    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "@odata.context":"https://graph.microsoft.com/beta/reports/$metadata#Collection(microsoft.graph.credentialUserRegistrationDetails)",
      "value":[
        {
          "id" : "id-value",
          "userPrincipalName":"userPrincipalName",
          "userDisplayName": "userDisplayName-value",
          "authMethods": ["email", "mobileSMS"],
          "isRegistered" : false,
          "isEnabled" : true,
          "isCapable" : false,
          "isMfaRegistered" : true
        }
      ]
    }
    ```

    So you can check whether the key "isMfaRegistered" is true or not to get the list of the users for whom MFA is enabled. You can also get the details of the authMethods set by that user for attending the MFA prompt.

    More details on this API can be found here: https://learn.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

    1 person found this answer helpful.
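An added example (not code from the answer or from Microsoft) that pages through the endpoint above by following `@odata.nextLink` and splits users on the `isMfaRegistered` flag. The authenticated HTTP GET is replaced by a constructed offline lookup, and every user, id and page URL below is made up:

```python
from typing import Callable, Dict, List

GRAPH_URL = "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails"

# Constructed sample: two pages shaped like the response quoted in the accepted
# answer. Graph returns large tenants in pages, so page 1 carries a nextLink.
PAGE1 = {
    "@odata.context": "https://graph.microsoft.com/beta/reports/$metadata#Collection(microsoft.graph.credentialUserRegistrationDetails)",
    "@odata.nextLink": GRAPH_URL + "?$skiptoken=constructed-token",
    "value": [
        {"id": "u1", "userPrincipalName": "alice@example.com", "userDisplayName": "Alice",
         "authMethods": ["email", "mobileSMS"], "isRegistered": True, "isEnabled": True,
         "isCapable": True, "isMfaRegistered": True},
        {"id": "u2", "userPrincipalName": "bob@example.com", "userDisplayName": "Bob",
         "authMethods": [], "isRegistered": False, "isEnabled": True,
         "isCapable": False, "isMfaRegistered": False},
    ],
}
PAGE2 = {  # last page: no @odata.nextLink, so paging stops here
    "value": [
        {"id": "u3", "userPrincipalName": "carol@example.com", "userDisplayName": "Carol",
         "authMethods": ["mobileSMS"], "isRegistered": True, "isEnabled": True,
         "isCapable": True, "isMfaRegistered": True},
    ],
}
PAGES = {GRAPH_URL: PAGE1, PAGE1["@odata.nextLink"]: PAGE2}


def offline_get(url: str) -> dict:
    """Stand-in for an authenticated GET (a real call sends a bearer token)."""
    return PAGES[url]


def fetch_all(get_page: Callable[[str], dict], url: str) -> List[dict]:
    """Collect every row of the report, following @odata.nextLink until it is absent."""
    rows: List[dict] = []
    while url:
        page = get_page(url)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rows


def mfa_report(rows: List[dict]) -> Dict[str, List[str]]:
    """Split users on isMfaRegistered; for registered users also list their authMethods."""
    report: Dict[str, List[str]] = {"mfaRegistered": [], "notMfaRegistered": []}
    for r in rows:
        upn = r["userPrincipalName"]
        if r.get("isMfaRegistered"):
            methods = ",".join(r.get("authMethods", [])) or "-"
            report["mfaRegistered"].append(f"{upn}: {methods}")
        else:
            report["notMfaRegistered"].append(upn)
    return report
```

The `notMfaRegistered` list is the one to act on: those accounts can still sign in with a password alone until MFA is enforced for them.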

1 additional answer

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-09-18T05:09:54.643+00:00

    @Govind S, unfortunately, there are no more APIs available. The one shared is the latest available API for MFA from Graph. I believe that since this is a beta API, it's not supported for deployment in the production environment. Though, I can share with you a PS script that might help you a bit in generating the MFA results for your users.

    ```powershell
    Param
    (
        [Parameter(Mandatory = $false)]
        [switch]$DisabledOnly,
        [switch]$EnabledOnly,
        [switch]$EnforcedOnly,
        [switch]$ConditionalAccessOnly,
        [switch]$AdminOnly,
        [switch]$LicensedUserOnly,
        [Nullable[boolean]]$SignInAllowed = $null,
        [string]$UserName,
        [string]$Password
    )
    #Check for MSOnline module
    $Modules = Get-Module -Name MSOnline -ListAvailable
    if ($Modules.Count -eq 0)
    {
        Write-Host "Please install MSOnline module using below command: `nInstall-Module MSOnline" -ForegroundColor Yellow
        Exit
    }

    #Storing credential in script for scheduling purpose / passing credential as parameter
    if (($UserName -ne "") -and ($Password -ne ""))
    {
        $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force
        $Credential = New-Object System.Management.Automation.PSCredential $UserName, $SecuredPassword
        Connect-MsolService -Credential $Credential
    }
    else
    {
        Connect-MsolService | Out-Null
    }

    $Result = ""
    $Results = @()
    $UserCount = 0
    $PrintedUser = 0

    #Output file declaration
    $ExportCSV = ".\MFADisabledUserReport_$((Get-Date -Format 'yyyy-MMM-dd-ddd hh-mm tt').ToString()).csv"
    $ExportCSVReport = ".\MFAEnabledUserReport_$((Get-Date -Format 'yyyy-MMM-dd-ddd hh-mm tt').ToString()).csv"

    #Loop through each user
    Get-MsolUser -All | ForEach-Object {
        $UserCount++
        $DisplayName = $_.DisplayName
        $Upn = $_.UserPrincipalName
        $MFAStatus = $_.StrongAuthenticationRequirements.State
        $MethodTypes = $_.StrongAuthenticationMethods
        Write-Progress -Activity "Processed user count: $UserCount" -Status "Currently Processing: $DisplayName"
        if ($_.BlockCredential -eq $true)
        {
            $SignInStatus = "False"
        }
        else
        {
            $SignInStatus = "True"
        }

        #Filter result based on SignIn status
        if (($SignInAllowed -ne $null) -and ([string]$SignInAllowed -ne [string]$SignInStatus))
        {
            return
        }

        #Filter result based on License status
        if (($LicensedUserOnly.IsPresent) -and ($_.IsLicensed -eq $false))
        {
            return
        }

        #Check for user's Admin role
        $Roles = (Get-MsolUserRole -UserPrincipalName $Upn).Name
        if ($Roles.Count -eq 0)
        {
            $IsAdmin = "False"
        }
        else
        {
            $IsAdmin = "True"
        }

        #Filter result based on Admin users
        if (($AdminOnly.IsPresent) -and ([string]$IsAdmin -eq "False"))
        {
            return
        }

        #Check for MFA enabled user (-and binds tighter than -or, so the -or pair needs its own parentheses)
        if ((($MethodTypes -ne $null) -or ($MFAStatus -ne $null)) -and (-not $DisabledOnly.IsPresent))
        {
            #Check for Conditional Access
            if ($MFAStatus -eq $null)
            {
                $MFAStatus = 'Enabled via Conditional Access'
            }

            #Filter result based on EnforcedOnly filter
            if ((([string]$MFAStatus -eq "Enabled") -or ([string]$MFAStatus -eq "Enabled via Conditional Access")) -and ($EnforcedOnly.IsPresent))
            {
                return
            }

            #Filter result based on EnabledOnly filter
            if (([string]$MFAStatus -eq "Enforced") -and ($EnabledOnly.IsPresent))
            {
                return
            }

            #Filter result based on MFA enabled via conditional access
            if ((($MFAStatus -eq "Enabled") -or ($MFAStatus -eq "Enforced")) -and ($ConditionalAccessOnly.IsPresent))
            {
                return
            }

            $Methods = ""
            $MethodTypes = $_.StrongAuthenticationMethods.MethodType
            $DefaultMFAMethod = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
            $MFAPhone = $_.StrongAuthenticationUserDetails.PhoneNumber
            $MFAEmail = $_.StrongAuthenticationUserDetails.Email

            if ($MFAPhone -eq $null)
            { $MFAPhone = "-" }
            if ($MFAEmail -eq $null)
            { $MFAEmail = "-" }

            if ($MethodTypes -ne $null)
            {
                $ActivationStatus = "Yes"
                foreach ($MethodType in $MethodTypes)
                {
                    if ($Methods -ne "")
                    {
                        $Methods = $Methods + ","
                    }
                    $Methods = $Methods + $MethodType
                }
            }
            else
            {
                $ActivationStatus = "No"
                $Methods = "-"
                $DefaultMFAMethod = "-"
                $MFAPhone = "-"
                $MFAEmail = "-"
            }

            #Print to output file
            $PrintedUser++
            $Result = @{'DisplayName' = $DisplayName; 'UserPrincipalName' = $Upn; 'MFAStatus' = $MFAStatus; 'ActivationStatus' = $ActivationStatus; 'DefaultMFAMethod' = $DefaultMFAMethod; 'AllMFAMethods' = $Methods; 'MFAPhone' = $MFAPhone; 'MFAEmail' = $MFAEmail; 'LicenseStatus' = $_.IsLicensed; 'IsAdmin' = $IsAdmin; 'SignInStatus' = $SignInStatus }
            $Results = New-Object PSObject -Property $Result
            $Results | Select-Object DisplayName, UserPrincipalName, MFAStatus, ActivationStatus, DefaultMFAMethod, AllMFAMethods, MFAPhone, MFAEmail, LicenseStatus, IsAdmin, SignInStatus | Export-Csv -Path $ExportCSVReport -NoTypeInformation -Append
        }

        #Check for disabled user
        elseif (($DisabledOnly.IsPresent) -and ($MFAStatus -eq $null) -and ($_.StrongAuthenticationMethods.MethodType -eq $null))
        {
            $MFAStatus = "Disabled"
            $Department = $_.Department
            if ($Department -eq $null)
            { $Department = "-" }
            $PrintedUser++
            #Key must be 'Department' (not '$Department'), otherwise Select-Object Department finds nothing
            $Result = @{'DisplayName' = $DisplayName; 'UserPrincipalName' = $Upn; 'Department' = $Department; 'MFAStatus' = $MFAStatus; 'LicenseStatus' = $_.IsLicensed; 'IsAdmin' = $IsAdmin; 'SignInStatus' = $SignInStatus }
            $Results = New-Object PSObject -Property $Result
            $Results | Select-Object DisplayName, UserPrincipalName, Department, MFAStatus, LicenseStatus, IsAdmin, SignInStatus | Export-Csv -Path $ExportCSV -NoTypeInformation -Append
        }
    }

    #Open output file after execution
    Write-Host "`nScript executed successfully"
    if (Test-Path -Path $ExportCSV)
    {
        Write-Host "MFA Disabled user report available in: $ExportCSV"
        $Prompt = New-Object -ComObject wscript.shell
        $UserInput = $Prompt.Popup("Do you want to open output file?", 0, "Open Output File", 4)
        if ($UserInput -eq 6)
        {
            Invoke-Item "$ExportCSV"
        }
        Write-Host "Exported report has $PrintedUser users"
    }
    elseif (Test-Path -Path $ExportCSVReport)
    {
        Write-Host "MFA Enabled user report available in: $ExportCSVReport"
        $Prompt = New-Object -ComObject wscript.shell
        $UserInput = $Prompt.Popup("Do you want to open output file?", 0, "Open Output File", 4)
        if ($UserInput -eq 6)
        {
            Invoke-Item "$ExportCSVReport"
        }
        Write-Host "Exported report has $PrintedUser users"
    }
    else
    {
        Write-Host "No user found that matches your criteria."
    }
    #Clean up session
    Get-PSSession | Remove-PSSession
    ```

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further.