get mfa method graph api Archives - the Sysadmin Channel https://thesysadminchannel.com/tag/get-mfa-method-graph-api/ Documenting My Life as a System Administrator Mon, 07 Mar 2022 17:27:04 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.3 144174110 Get MFA Methods using MSGraph API and PowerShell SDK https://thesysadminchannel.com/get-mfa-methods-using-msgraph-api-and-powershell-sdk/ https://thesysadminchannel.com/get-mfa-methods-using-msgraph-api-and-powershell-sdk/#comments Tue, 15 Feb 2022 07:37:12 +0000 https://thesysadminchannel.com/?p=3806 With the recent announcement of the Azure AD API deprecation, I’ve made an effort to try and migrate all of my scripts to use Microsoft Graph API. Microsoft Graph API is the latest standard for managing everything Microsoft 365 and… Continue Reading

The post Get MFA Methods using MSGraph API and PowerShell SDK appeared first on the Sysadmin Channel.

]]> With the recent announcement of the Azure AD API deprecation, I’ve made an effort to try and migrate all of my scripts to use Microsoft Graph API. Microsoft Graph API is the latest standard for managing everything Microsoft 365 and it is continuing to be developed for the foreseeable future. In this article, I’m going to share the script to Get MFA Methods using MSGraph API and PowerShell SDK.

Previously, I had to get this information using the old MSOnline (MSOL) module, however, since that is also deprecated, I thought it would be a good opportunity to freshen up my MSGraph skills and get this going.

Requirements

In order for this to work, there are a couple of requirements that need to be put in place prior to running the script. While it is not a technical requirement, it would be ideal to have a basic understanding of Microsoft Graph API application and delegated permissions, scopes, apps, consent and maybe a sprinkle of Service Principals.
 

If you want to get started on learning how to use Microsoft Graph API, be sure to check out How To Connect To Microsoft Graph API Using PowerShell.

This will cover everything you need to know and get you up and running in no time.

Now for the actual technical requirements:

  • An App/Service Principal to connect to Graph API -or granted consent to connect to Graph API as yourself
  • Microsoft.Graph PowerShell Module
  • Graph API Scopes (Delegated or Application permissions)
    • UserAuthenticationMethod.Read.All
    • Directory.Read.All
    • User.Read.All

Script Parameters

    UserId

Specify the UserPrincipalName or Id for the user you want to check authentication methods for.

    MethodType

Specify the method type you would like to filter for.

Get MFA Methods using MSGraph API

Now let’s get to the PowerShell script. As mentioned, this is a function that will gather all of the authentication methods a user has registered for their account. All Auth methods except for “Password Authentication” are strong authentication methods. Another note, this uses Get-MgUserAuthenticationMethod under the hood and formats everything in a way that’s human readable.

Function Get-MsGraphAuthenticationMethod {
<#
.SYNOPSIS
    List MFA Authentication Methods for users using Graph API. A session using Connect-Graph must be open as a requirement.


.NOTES
    Name: Get-MsGraphAuthenticationMethod
    Author: paul@thesysadminchannel.com
    Version: 1.1
    DateCreated: 2021-Jan-20


.EXAMPLE
    Get-MsGraphAuthenticationMethod -UserId user1@domain.com, user2@domain.com


.EXAMPLE
    Get-MsGraphAuthenticationMethod -UserId user1@domain.com, user2@domain.com -MethodType MicrosoftAuthenticatorApp, EmailAuthencation

.LINK
    https://thesysadminchannel.com/get-mfa-methods-using-msgraph-api-and-powershell-sdk/ -
#>

    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            Position = 0
            )]
        [Alias('UserPrincipalName')]
        [string[]]  $UserId,


        [Parameter(
            Mandatory = $false
        )]
        [ValidateSet('AuthenticatorApp', 'PhoneAuthentication', 'Fido2', 'WindowsHelloForBusiness', 'EmailAuthentication', 'TemporaryAccessPass', 'Passwordless', 'SoftwareOath')]
        [string[]]   $MethodType
    )

    BEGIN {
        $ConnectionGraph = Get-MgContext
        if (-not $ConnectionGraph) {
            Write-Error "Please connect to Microsoft Graph" -ErrorAction Stop
        }

    }

    PROCESS {
        foreach ($User in $UserId) {
            try {
                $DeviceList = Get-MgUserAuthenticationMethod -UserId $User -ErrorAction Stop
                $DeviceOutput = foreach ($Device in $DeviceList) {

                    #Converting long method to short-hand human readable method type.
                    switch ($Device.AdditionalProperties["@odata.type"]) {
                        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  {
                            $MethodAuthType     = 'AuthenticatorApp'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.phoneAuthenticationMethod'                   {
                            $MethodAuthType     = 'PhoneAuthentication'
                            $AdditionalProperties = $Device.AdditionalProperties["phoneType", "phoneNumber"] -join ' '
                        }

                        '#microsoft.graph.passwordAuthenticationMethod'                {
                            $MethodAuthType     = 'PasswordAuthentication'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.fido2AuthenticationMethod'                   {
                            $MethodAuthType     = 'Fido2'
                            $AdditionalProperties = $Device.AdditionalProperties["model"]
                        }

                        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' {
                            $MethodAuthType     = 'WindowsHelloForBusiness'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.emailAuthenticationMethod'                   {
                            $MethodAuthType     = 'EmailAuthentication'
                            $AdditionalProperties = $Device.AdditionalProperties["emailAddress"]
                        }

                        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'        {
                            $MethodAuthType     = 'TemporaryAccessPass'
                            $AdditionalProperties = 'TapLifetime:' + $Device.AdditionalProperties["lifetimeInMinutes"] + 'm - Status:' + $Device.AdditionalProperties["methodUsabilityReason"]
                        }

                        '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod' {
                            $MethodAuthType     = 'Passwordless'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }

                        '#microsoft.graph.softwareOathAuthenticationMethod' {
                            $MethodAuthType     = 'SoftwareOath'
                            $AdditionalProperties = $Device.AdditionalProperties["displayName"]
                        }
                    }

                    [PSCustomObject]@{
                        UserPrincipalName      = $User
                        AuthenticationMethodId = $Device.Id
                        MethodType             = $MethodAuthType
                        AdditionalProperties   = $AdditionalProperties
                    }
                }

                if ($PSBoundParameters.ContainsKey('MethodType')) {
                    $DeviceOutput | Where-Object {$_.MethodType -in $MethodType}
                  } else {
                    $DeviceOutput
                }

            } catch {
                Write-Error $_.Exception.Message

            } finally {
                $DeviceList           = $null
                $MethodAuthType       = $null
                $AdditionalProperties = $null

            }
        }
    }

    END {}

}

Script Examples

Get-MsGraphAuthenticationMethod -UserId pcontreras@thesysadminchannel.com, buzz@thesysadminchannel.com

Get MFA Methods using MSGraph API and PowerShell SDK

Display all authentication methods for both Paul and Buzz


 

Get-MsGraphAuthenticationMethod -UserId pcontreras@thesysadminchannel.com, buzz@thesysadminchannel.com -MethodType AuthenticatorApp, TemporaryAccessPass

Get MFA Methods using MSGraph API and PowerShell SDK

Display only AuthenticatorApp and Temporary Access Pass method types

Conclusion

Hopefully this script to Get MFA Methods using MSGraph API and PowerShell SDK would be useful to replace the legacy method of querying MSOnline to get the user’s strong auth methods. Since this utilizes Microsoft Graph and REST APIs in the backend, it can work extremely fast with PowerShell 7 and Foreach-Object -Parallel.
 

I use this on a regular basis to see if a user has MFA enabled on their account. The only downside so far is that it does not show the default method type, but I’m sure that’s somewhere down the pipeline.
 

If you liked this script and wanted to get more exposure to Graph API, I’ve just recently created the subreddit https://reddit.com/r/graphapi for folks to who want to learn and ask questions. I’m also going to be posting all my conversion scripts from the Azure AD module to GraphAPI so be sure check in time to time on our Graph API category posts

The post Get MFA Methods using MSGraph API and PowerShell SDK appeared first on the Sysadmin Channel.

]]> https://thesysadminchannel.com/get-mfa-methods-using-msgraph-api-and-powershell-sdk/feed/ 12 3806