
Get MFA Methods using MSGraph API and PowerShell SDK

With the recent announcement of the Azure AD API deprecation, I’ve made an effort to migrate all of my scripts to Microsoft Graph API. Microsoft Graph API is the current standard for managing everything in Microsoft 365, and it continues to be developed for the foreseeable future. In this article, I’m going to share a script to Get MFA Methods using MSGraph API and PowerShell SDK.

Previously, I had to get this information using the old MSOnline (MSOL) module; however, since that is also deprecated, I thought it would be a good opportunity to freshen up my MSGraph skills and get this going.

Requirements

In order for this to work, there are a couple of requirements that need to be put in place prior to running the script. While it is not a technical requirement, it would be ideal to have a basic understanding of Microsoft Graph API application and delegated permissions, scopes, apps, consent and maybe a sprinkle of Service Principals.
 

If you want to get started on learning how to use Microsoft Graph API, be sure to check out How To Connect To Microsoft Graph API Using PowerShell.

This will cover everything you need to know and get you up and running in no time.

Now for the actual technical requirements:

  • An app registration/service principal to connect to Graph API, or consent granted to connect to Graph API as yourself (delegated)
  • Microsoft.Graph PowerShell module (Get-MgUserAuthenticationMethod, which the function uses, lives in Microsoft.Graph.Identity.SignIns)
  • Graph API scopes (delegated or application permissions)
    • UserAuthenticationMethod.Read.All (this is the permission the authentication methods endpoint itself requires; without it every call returns 403)
    • Directory.Read.All
    • User.Read.All (only needed if you enumerate users with Get-MgUser before calling the function)
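Before running anything it is worth checking that the session actually carries the scopes above rather than finding out halfway through a user list. The following is an added example (my own, not code from the original post) showing both ways of connecting with only the scopes the function needs, and a fail-fast check against Get-MgContext. $TenantId, $AppId and $Thumbprint are placeholders you would replace with your own values.

```powershell
# Added example: connect to Microsoft Graph with least-privilege scopes and verify them up front.
# $TenantId, $AppId and $Thumbprint are placeholders (assumptions), not values from the original post.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns   # Get-MgUserAuthenticationMethod lives here

$RequiredScopes = @('UserAuthenticationMethod.Read.All', 'User.Read.All')

# Option 1: delegated (interactive) sign-in. Request only what the function needs so the
# consent prompt shows exactly what is being granted, nothing broader.
Connect-MgGraph -Scopes $RequiredScopes -NoWelcome

# Option 2: app-only with a certificate, for scheduled/unattended runs. The same permissions
# must be added as *Application* permissions on the app registration and admin-consented.
# Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $Thumbprint -NoWelcome

# Verify what the session actually has instead of assuming consent succeeded.
$Context = Get-MgContext
if (-not $Context) { throw 'Not connected to Microsoft Graph.' }

# The Scopes check below is written for delegated sessions, where Get-MgContext lists the
# consented scopes of the token. For app-only sessions the permissions are app roles granted
# on the registration, so verify them there (this is an assumption about how you run it).
if ($Context.AuthType -eq 'Delegated') {
    $Missing = $RequiredScopes | Where-Object { $_ -notin $Context.Scopes }
    if ($Missing) {
        throw "Graph session is missing required scope(s): $($Missing -join ', '). Reconnect with -Scopes or grant them on the app registration."
    }
}

$Identity = if ($Context.Account) { $Context.Account } else { $Context.ClientId }
'Connected to tenant {0} as {1} ({2})' -f $Context.TenantId, $Identity, $Context.AuthType
```

Requesting the narrow scope set matters beyond tidiness: a delegated session opened earlier with Directory.ReadWrite.All or similar will happily run this read-only script, and then everything else you run in that session too.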

Script Parameters

    UserId

Specify the UserPrincipalName or Id for the user you want to check authentication methods for.

    MethodType

Specify one or more method types to filter for, using the short-hand names the function emits (for example AuthenticatorApp, Fido2, TemporaryAccessPass). Omit it to return every registered method.

Get MFA Methods using MSGraph API

Now let’s get to the PowerShell script. As mentioned, this is a function that gathers all of the authentication methods a user has registered on their account. Everything except “PasswordAuthentication” is a non-password method, with one caveat worth remembering when you read the output: the email method is only usable for self-service password reset, so on its own it does not make the user capable of satisfying an MFA prompt. Another note: this uses Get-MgUserAuthenticationMethod under the hood, which returns the generic authenticationMethod type, so the function reads the concrete type from the “@odata.type” entry in AdditionalProperties and formats everything in a way that’s human readable.

Function Get-MsGraphAuthenticationMethod {
<#
.SYNOPSIS
    List MFA Authentication Methods for users using Graph API. A session using Connect-MgGraph must be open as a requirement.


.PARAMETER UserId
    One or more UserPrincipalNames or object Ids to query.


.PARAMETER MethodType
    Optional filter using the short-hand method names this function emits (see the ValidateSet).


.NOTES
    Name: Get-MsGraphAuthenticationMethod
    Author: [email protected]
    Version: 1.1
    DateCreated: 2021-Jan-20


.EXAMPLE
    Get-MsGraphAuthenticationMethod -UserId [email protected], [email protected]


.EXAMPLE
    Get-MsGraphAuthenticationMethod -UserId [email protected], [email protected] -MethodType AuthenticatorApp, EmailAuthentication

.LINK
    https://thesysadminchannel.com/get-mfa-methods-using-msgraph-api-and-powershell-sdk/
#>

    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            Position = 0
            )]
        [Alias('UserPrincipalName')]
        [string[]]  $UserId,


        [Parameter(
            Mandatory = $false
        )]
        [ValidateSet('AuthenticatorApp', 'PhoneAuthentication', 'PasswordAuthentication', 'Fido2', 'WindowsHelloForBusiness', 'EmailAuthentication', 'TemporaryAccessPass', 'Passwordless', 'SoftwareOath')]
        [string[]]   $MethodType
    )

    BEGIN {
        $ConnectionGraph = Get-MgContext
        if (-not $ConnectionGraph) {
            Write-Error "Please connect to Microsoft Graph" -ErrorAction Stop
        }

    }

    PROCESS {
        foreach ($User in $UserId) {
            try {
                $DeviceList = Get-MgUserAuthenticationMethod -UserId $User -ErrorAction Stop
                $DeviceOutput = foreach ($Device in $DeviceList) {

                    #Reset per device so an unrecognised method type can never inherit values from the previous iteration.
                    $MethodAuthType       = $null
                    $AdditionalProperties = $null

                    #Converting long method to short-hand human readable method type.
                    switch ($Device.AdditionalProperties["@odata.type"]) {
                        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  {
                            $MethodAuthType     = 'AuthenticatorApp'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.phoneAuthenticationMethod'                   {
                            $MethodAuthType     = 'PhoneAuthentication'
                            $AdditionalProperties = @($Device.AdditionalProperties["phoneType"], $Device.AdditionalProperties["phoneNumber"]) -join ' '
                        }

                        '#microsoft.graph.passwordAuthenticationMethod'                {
                            $MethodAuthType     = 'PasswordAuthentication'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.fido2AuthenticationMethod'                   {
                            $MethodAuthType     = 'Fido2'
                            $AdditionalProperties = $Device.AdditionalProperties["model"]
                        }

                        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' {
                            $MethodAuthType     = 'WindowsHelloForBusiness'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.emailAuthenticationMethod'                   {
                            #Email is an SSPR-only method; it does not satisfy an MFA prompt.
                            $MethodAuthType     = 'EmailAuthentication'
                            $AdditionalProperties = $Device.AdditionalProperties["emailAddress"]
                        }

                        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'        {
                            $MethodAuthType     = 'TemporaryAccessPass'
                            $AdditionalProperties = 'TapLifetime:' + $Device.AdditionalProperties["lifetimeInMinutes"] + 'm - Status:' + $Device.AdditionalProperties["methodUsabilityReason"]
                        }

                        '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod' {
                            $MethodAuthType     = 'Passwordless'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.softwareOathAuthenticationMethod' {
                            $MethodAuthType     = 'SoftwareOath'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        default {
                            #Graph adds method types over time; surface the raw type instead of silently dropping the entry.
                            $MethodAuthType     = $Device.AdditionalProperties["@odata.type"] -replace '^#microsoft\.graph\.', ''
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }
                    }
                    [PSCustomObject]@{
                        UserPrincipalName      = $User
                        AuthenticationMethodId = $Device.Id
                        MethodType             = $MethodAuthType
                        AdditionalProperties   = $AdditionalProperties
                    }
                }

                if ($PSBoundParameters.ContainsKey('MethodType')) {
                    $DeviceOutput | Where-Object {$_.MethodType -in $MethodType}
                } else {
                    $DeviceOutput
                }

            } catch {
                Write-Error $_.Exception.Message

            } finally {
                $DeviceList           = $null
                $MethodAuthType       = $null
                $AdditionalProperties = $null

            }
        }
    }

    END {}

}

Script Examples

Get-MsGraphAuthenticationMethod -UserId [email protected], [email protected]


Display all authentication methods for both Paul and Buzz


 

Get-MsGraphAuthenticationMethod -UserId [email protected], [email protected] -MethodType AuthenticatorApp, TemporaryAccessPass


Display only AuthenticatorApp and Temporary Access Pass method types
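The examples above check a couple of named users. What I usually want from this data is the other direction: every enabled account that can still only sign in with a password. The following is an added example of mine, not code from the original post, that builds a tenant-wide coverage report on top of Get-MsGraphAuthenticationMethod, flags accounts with no MFA-capable method and accounts holding a Temporary Access Pass, and exports to CSV outside the function (the wrapper the CSV question in the comments is asking for). It assumes the function is already loaded, that Connect-MgGraph has been run with User.Read.All and UserAuthenticationMethod.Read.All, and that $ReportPath is a placeholder.

```powershell
# Added example (not from the original post): tenant-wide MFA registration coverage report
# built on Get-MsGraphAuthenticationMethod. Assumes the function above is loaded and a Graph
# session with User.Read.All and UserAuthenticationMethod.Read.All is open.
Import-Module Microsoft.Graph.Users

$ReportPath = 'C:\Temp\MfaCoverage.csv'   # placeholder path, change to suit

# Password is excluded by definition. Email is excluded too: it is registered for self-service
# password reset only and cannot answer an MFA prompt, so it must not count as coverage.
$StrongMethodTypes = @('AuthenticatorApp', 'PhoneAuthentication', 'Fido2',
                       'WindowsHelloForBusiness', 'TemporaryAccessPass', 'Passwordless', 'SoftwareOath')

# Enabled member accounts only; guests are governed by their home tenant's MFA. The userType
# filter needs advanced query support, hence -ConsistencyLevel eventual and -CountVariable.
$Users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
                    -Property Id, UserPrincipalName -ConsistencyLevel eventual -CountVariable UserCount

$Report = foreach ($U in $Users) {
    # Query by object Id rather than UPN so UPNs with unusual characters never break the URL.
    $Methods = Get-MsGraphAuthenticationMethod -UserId $U.Id -ErrorAction SilentlyContinue
    $Strong  = @($Methods | Where-Object { $_.MethodType -in $StrongMethodTypes })

    [PSCustomObject]@{
        UserPrincipalName      = $U.UserPrincipalName
        MfaRegistered          = ($Strong.Count -gt 0)
        StrongMethodCount      = $Strong.Count
        StrongMethodTypes      = (($Strong.MethodType | Sort-Object -Unique) -join ';')
        HasPhishingResistant   = [bool]($Strong | Where-Object { $_.MethodType -in 'Fido2', 'WindowsHelloForBusiness' })
        HasTemporaryAccessPass = [bool]($Strong | Where-Object { $_.MethodType -eq 'TemporaryAccessPass' })
    }
}

$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# The rows worth acting on: password-only accounts, and accounts with a TAP that should be short-lived.
$NoMfa = @($Report | Where-Object { -not $_.MfaRegistered })
$NoMfa | Format-Table UserPrincipalName
'{0} of {1} enabled member accounts have no MFA-capable method registered' -f $NoMfa.Count, @($Report).Count
$Report | Where-Object { $_.HasTemporaryAccessPass } | Format-Table UserPrincipalName, StrongMethodTypes
```

Two things about the design. A user whose only strong method is a Temporary Access Pass counts as registered here, which is correct for “can they pass MFA right now” but not for “are they onboarded”; filter on HasTemporaryAccessPass if you want the second question. And for the default sign-in method the post notes is missing, the registration details report in Microsoft.Graph.Reports (Get-MgReportAuthenticationMethodUserRegistrationDetail, which needs AuditLog.Read.All in addition to UserAuthenticationMethod.Read.All) exposes DefaultMfaMethod and IsMfaRegistered per user; that is a separate endpoint with its own permission, so I have not folded it into the example above.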

Conclusion

Hopefully this script to Get MFA Methods using MSGraph API and PowerShell SDK will be useful as a replacement for the legacy method of querying MSOnline for a user’s strong auth methods. Since this uses Microsoft Graph REST APIs in the backend, it can work extremely fast with PowerShell 7 and ForEach-Object -Parallel.
 

I use this on a regular basis to see if a user has MFA enabled on their account. The only downside so far is that it does not show the default method type, but I’m sure that’s somewhere down the pipeline.
 

If you liked this script and want more exposure to Graph API, I’ve just recently created the subreddit https://reddit.com/r/graphapi for folks who want to learn and ask questions. I’m also going to be posting all my conversion scripts from the Azure AD module to Graph API, so be sure to check in from time to time on our Graph API category posts.


Paul

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

2 Comments

  1. Hi Paul, Great script. One enhancement could be that all this is saved in csv format.

    • Hi Mark – Thanks for the feedback. Typically this should be done outside of the function since some users won’t want to export it and some will.

      If you’re checking everyone in the domain, exporting to a CSV would be very helpful. However, if checking 1 or 2 users, it makes more sense to output it to the console.
