question

0 Votes
GovindS-6679 asked azure-cxp-api edited

How to get MFA list against users in my company using api?

Hi, this is Govind. In my company we have many user accounts, and some users use MFA authentication. I need to know the MFA list for each
user. I searched the API documentation for Active Directory, but I can't find the API. Can anyone guide me to the respective API for getting the MFA list against users in my company?

Thanks in advance.

azure-ad-graph azure-ad-tenant

0 Votes
soumi-MSFT answered GovindS-6679 commented

@GovindS-6679, Thank you for reaching out. You can try using the following Microsoft Graph API:

API: GET https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails

This would get you the following output:

 HTTP/1.1 200 OK
 Content-Type: application/json
    
 {
   "@odata.context":"https://graph.microsoft.com/beta/reports/$metadata#Collection(microsoft.graph.credentialUserRegistrationDetails)",
   "value":[
     {
       "id" : "id-value",
       "userPrincipalName":"userPrincipalName",
       "userDisplayName": "userDisplayName-value",
       "authMethods": ["email", "mobileSMS"],
       "isRegistered" : false,
       "isEnabled" : true,
       "isCapable" : false,
       "isMfaRegistered" : true
     }
   ]
 }

So you can check whether the key "isMfaRegistered" is true or not to get the list of users for whom MFA is enabled. You can also get the details of the authMethods set by that user to attend the MFA prompt.

More details on this API can be found here: https://docs.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
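The reporting approach from this answer, as an added example that is not part of the original thread: a Node.js snippet that pages through the beta credentialUserRegistrationDetails report via @odata.nextLink and reduces it to a per-user MFA list. The fetcher is injectable so the logic runs offline against constructed sample pages; the user names, token and `$skiptoken` value are assumptions, not real tenant data.

```javascript
// Added example (not from the thread): page through the beta report and reduce it to an MFA list.
// Assumes Node 18+ (global fetch) and a Graph access token obtained elsewhere.
const REPORT_URL = "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails";

// Reduce report records to what the question asks for: who has MFA registered, and with which methods.
function summarizeMfa(records) {
  return records.map((r) => ({
    userPrincipalName: r.userPrincipalName,
    mfaRegistered: r.isMfaRegistered === true, // strict: a missing or null field counts as not registered
    methods: Array.isArray(r.authMethods) ? r.authMethods : [],
  }));
}

function partitionByMfa(summary) {
  return {
    registered: summary.filter((u) => u.mfaRegistered),
    notRegistered: summary.filter((u) => !u.mfaRegistered),
  };
}

// Follow @odata.nextLink until the report is exhausted; fetchJson is injected so paging can run offline.
async function collectReport(fetchJson, url = REPORT_URL) {
  const all = [];
  for (let next = url; next; ) {
    const page = await fetchJson(next);
    if (!Array.isArray(page.value)) throw new Error("unexpected report shape");
    all.push(...page.value);
    next = page["@odata.nextLink"] || null;
  }
  return summarizeMfa(all);
}

// Production fetcher: authenticated GET that surfaces the HTTP status and body on failure (e.g. a license check error).
function graphFetcher(accessToken) {
  return async (url) => {
    const res = await fetch(url, { headers: { Authorization: `Bearer ${accessToken}` } });
    if (!res.ok) throw new Error(`Graph returned HTTP ${res.status}: ${await res.text()}`);
    return res.json();
  };
}

// Constructed two-page sample shaped like the response in the answer above (not real tenant data).
const PAGE2 = REPORT_URL + "?$skiptoken=page2";
const SAMPLE_PAGES = {
  [REPORT_URL]: { value: [
    { userPrincipalName: "alice@contoso.example", authMethods: ["email", "mobileSMS"], isMfaRegistered: true },
    { userPrincipalName: "bob@contoso.example", authMethods: [], isMfaRegistered: false },
  ], "@odata.nextLink": PAGE2 },
  [PAGE2]: { value: [{ userPrincipalName: "carol@contoso.example", authMethods: ["appNotification"], isMfaRegistered: true }] },
};
const sampleFetcher = async (url) => SAMPLE_PAGES[url];
```

In production, call `collectReport(graphFetcher(token))` with a token that carries the reporting permission the linked documentation lists; the offline sample fetcher exists only to exercise the paging and filtering.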


@GovindS-6679, just wanted to check if the above response helped in answering your query. Do let me know if there are any more queries around this so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

1 Vote 1 ·

Hi,
Thanks for your update.
I checked this API in Postman, and it's working fine.
After I implemented this API in my local Node.js project, it also works fine.

But after I deployed my project to the live production server, it gives a "Failed to do premium license check from ADGraph" error.

This API doesn't support the production environment. Can you suggest some other option to pull MFA lists for users?

Thanks again.

0 Votes 0 ·
0 Votes
soumi-MSFT answered GovindS-6679 rolled back

@GovindS-6679, unfortunately, there are no more APIs available. The one shared is the latest available API for MFA from Graph. I believe that since this is a beta API, it's not supported for deployment in the production environment. Though I can share a PS script that might help you a bit in generating the MFA results for your users.

 Param
 (
     [Parameter(Mandatory = $false)]
     [switch]$DisabledOnly,
     [switch]$EnabledOnly,
     [switch]$EnforcedOnly,
     [switch]$ConditionalAccessOnly,
     [switch]$AdminOnly,
     [switch]$LicensedUserOnly,
     [Nullable[boolean]]$SignInAllowed = $null,
     [string]$UserName,
     [string]$Password
 )
 #Check for MSOnline module
 $Modules=Get-Module -Name MSOnline -ListAvailable
 if($Modules.count -eq 0)
 {
   Write-Host "Please install MSOnline module using below command: `nInstall-Module MSOnline" -ForegroundColor yellow
   Exit
 }

 #Storing credential in script for scheduling purpose/ Passing credential as parameter
 #(the password is received as plain text and wrapped in a SecureString only to build the PSCredential)
 if(($UserName -ne "") -and ($Password -ne ""))
 {
  $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force
  $Credential  = New-Object System.Management.Automation.PSCredential $UserName,$SecuredPassword
  Connect-MsolService -Credential $Credential
 }
 else
 {
  Connect-MsolService | Out-Null
 }

 $Result=""
 $Results=@()
 $UserCount=0
 $PrintedUser=0

 #Output file declaration
 $ExportCSV=".\MFADisabledUserReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv"
 $ExportCSVReport=".\MFAEnabledUserReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv"

 #Loop through each user
 Get-MsolUser -All | foreach{
  $UserCount++
  $DisplayName=$_.DisplayName
  $Upn=$_.UserPrincipalName
  $MFAStatus=$_.StrongAuthenticationRequirements.State
  $MethodTypes=$_.StrongAuthenticationMethods
  Write-Progress -Activity "Processed user count: $UserCount" -Status "Currently Processing: $DisplayName"
  if($_.BlockCredential -eq "True")
  {
   $SignInStatus="False"
  }
  else
  {
   $SignInStatus="True"
  }

  #Filter result based on SignIn status
  if(($SignInAllowed -ne $null) -and ([string]$SignInAllowed -ne [string]$SignInStatus))
  {
   return
  }

  #Filter result based on License status
  if(($LicensedUserOnly.IsPresent) -and ($_.IsLicensed -eq $False))
  {
   return
  }

  #Check for user's Admin role
  $Roles=(Get-MsolUserRole -UserPrincipalName $Upn).Name
  if($Roles.count -eq 0)
  {
   $IsAdmin="False"
  }
  else
  {
   $IsAdmin="True"
  }

  #Filter result based on Admin users
  if(($AdminOnly.IsPresent) -and ([string]$IsAdmin -eq "False"))
  {
   return
  }

  #Check for MFA enabled user (the -or must be grouped, otherwise -DisabledOnly only guards the second test)
  if((($MethodTypes -ne $Null) -or ($MFAStatus -ne $Null)) -and (-Not ($DisabledOnly.IsPresent)))
  {
   #Check for Conditional Access
   if($MFAStatus -eq $null)
   {
    $MFAStatus='Enabled via Conditional Access'
   }

   #Filter result based on EnforcedOnly filter
   if((([string]$MFAStatus -eq "Enabled") -or ([string]$MFAStatus -eq "Enabled via Conditional Access")) -and ($EnforcedOnly.IsPresent))
   {
    return
   }

   #Filter result based on EnabledOnly filter
   if(([string]$MFAStatus -eq "Enforced") -and ($EnabledOnly.IsPresent))
   {
    return
   }

   #Filter result based on MFA enabled via conditional access
   if((($MFAStatus -eq "Enabled") -or ($MFAStatus -eq "Enforced")) -and ($ConditionalAccessOnly.IsPresent))
   {
    return
   }

   $Methods=""
   $MethodTypes=""
   $MethodTypes=$_.StrongAuthenticationMethods.MethodType
   $DefaultMFAMethod=($_.StrongAuthenticationMethods | where{$_.IsDefault -eq "True"}).MethodType
   $MFAPhone=$_.StrongAuthenticationUserDetails.PhoneNumber
   $MFAEmail=$_.StrongAuthenticationUserDetails.Email

   if($MFAPhone -eq $Null)
   { $MFAPhone="-"}
   if($MFAEmail -eq $Null)
   { $MFAEmail="-"}

   if($MethodTypes -ne $Null)
   {
    $ActivationStatus="Yes"
    foreach($MethodType in $MethodTypes)
    {
     if($Methods -ne "")
     {
      $Methods=$Methods+","
     }
     $Methods=$Methods+$MethodType
    }
   }
   else
   {
    $ActivationStatus="No"
    $Methods="-"
    $DefaultMFAMethod="-"
    $MFAPhone="-"
    $MFAEmail="-"
   }

   #Print to output file
   $PrintedUser++
   $Result=@{'DisplayName'=$DisplayName;'UserPrincipalName'=$Upn;'MFAStatus'=$MFAStatus;'ActivationStatus'=$ActivationStatus;'DefaultMFAMethod'=$DefaultMFAMethod;'AllMFAMethods'=$Methods;'MFAPhone'=$MFAPhone;'MFAEmail'=$MFAEmail;'LicenseStatus'=$_.IsLicensed;'IsAdmin'=$IsAdmin;'SignInStatus'=$SignInStatus}
   $Results= New-Object PSObject -Property $Result
   $Results | Select-Object DisplayName,UserPrincipalName,MFAStatus,ActivationStatus,DefaultMFAMethod,AllMFAMethods,MFAPhone,MFAEmail,LicenseStatus,IsAdmin,SignInStatus | Export-Csv -Path $ExportCSVReport -NoTypeInformation -Append
  }

  #Check for disabled user
  elseif(($DisabledOnly.IsPresent) -and ($MFAStatus -eq $Null) -and ($_.StrongAuthenticationMethods.MethodType -eq $Null))
  {
   $MFAStatus="Disabled"
   $Department=$_.Department
   if($Department -eq $Null)
   { $Department="-"}
   $PrintedUser++
   #Key must be the literal name 'Department' so that Select-Object below can find it
   $Result=@{'DisplayName'=$DisplayName;'UserPrincipalName'=$Upn;'Department'=$Department;'MFAStatus'=$MFAStatus;'LicenseStatus'=$_.IsLicensed;'IsAdmin'=$IsAdmin;'SignInStatus'=$SignInStatus}
   $Results= New-Object PSObject -Property $Result
   $Results | Select-Object DisplayName,UserPrincipalName,Department,MFAStatus,LicenseStatus,IsAdmin,SignInStatus | Export-Csv -Path $ExportCSV -NoTypeInformation -Append
  }
 }

 #Open output file after execution
 Write-Host "`nScript executed successfully"
 if(Test-Path -Path $ExportCSV)
 {
  Write-Host "MFA Disabled user report available in: $ExportCSV"
  $Prompt = New-Object -ComObject wscript.shell
  $UserInput = $Prompt.popup("Do you want to open output file?", 0, "Open Output File", 4)
  If ($UserInput -eq 6)
  {
   Invoke-Item "$ExportCSV"
  }
  Write-Host "Exported report has $PrintedUser users"
 }
 elseif(Test-Path -Path $ExportCSVReport)
 {
  Write-Host "MFA Enabled user report available in: $ExportCSVReport"
  $Prompt = New-Object -ComObject wscript.shell
  $UserInput = $Prompt.popup("Do you want to open output file?", 0, "Open Output File", 4)
  If ($UserInput -eq 6)
  {
   Invoke-Item "$ExportCSVReport"
  }
  Write-Host "Exported report has $PrintedUser users"
 }
 Else
 {
   Write-Host "No user found that matches your criteria."
 }
 #Clean up session
 Get-PSSession | Remove-PSSession

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further.


Yeah, thanks soumi-MSFT. I will check and update you. Thanks again

0 Votes 0 ·

Hi,
I have another issue with the given PowerShell script. In this script, it asks for email and password in a dialog box when I call Connect-MsolService. I need to restrict this. Even if I pass my email and password in the script, it asks again.
Please guide me to fix this.


Thanks in advance.

0 Votes 0 ·

Hi @GovindS-6679, if you do not want the script to prompt you to enter the username and password every time you run it, then you would have to hard code the username and password in this script for it to not prompt you.

In order to do this, you can try this:

Just add the following two lines above the section where the Connect-MSOnline command is being called.

  $UserName = "{userPrincipalName used to login to AAD}"
  $Password = "{Password}"


0 Votes 0 ·

@GovindS-6679, your code should look something like this:

  #Storing credential in script for scheduling purpose/ Passing credential as parameter  
  $UserName = "{userPrincipalName used to login to AAD}"
  $Password = "{Password}"
    
  if(($UserName -ne "") -and ($Password -ne ""))  
  {  
   $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force  
   $Credential  = New-Object System.Management.Automation.PSCredential $UserName,$SecuredPassword  
   Connect-MsolService -Credential $credential 
  }  
  else  
  {  
   Connect-MsolService | Out-Null  
  } 


0 Votes 0 ·