List FIDO2 Keys and AAGUID for all Users with Microsoft Graph

Hi All,

While looking into Enable passkeys in Microsoft Authenticator (preview), I figured it is a good idea to have a list of the FIDO2 AAGUIDs of all users, if enabled.

This article shows you how to export the FIDO2 keys and the AAGUID of all users in an M365 tenant.

During my research I also found some AAGUID lists on the Internet.

Here you can see a registered FIDO2 key in the M365 Security Info page.

Let's get that information with PowerShell and the Microsoft.Graph PowerShell module.

Connect to Microsoft Graph

Connect-MgGraph -Scopes User.Read.All, UserAuthenticationMethod.Read.All -NoWelcome

You need to be Global Admin to grant admin consent for these scopes.

Let's list the FIDO2 key of the user we saw in the first screenshot. You can see the AAGUID, creation time, model and AttestationLevel.

Get-MgUserAuthenticationFido2Method -UserId a.bohren@serveralive.onmicrosoft.com | fl

But we need that for all users, so first we get all users.

$EntraUsers = Get-MgUser -All
$EntraUsersCount = $EntraUsers.Count
Write-Host "Users found: $EntraUsersCount" 

Loop through the users and add the FIDO2 keys to a PSCustomObject, and finally to a list.

#Create ListObject
$FIDO2List = [System.Collections.Generic.List[object]]::new()

#Loop through Users
$INT = 0
Foreach ($EntraUser in $EntraUsers)
{
	$INT = $INT + 1
	$UPN = $EntraUser.UserPrincipalName
	Write-Host "Working on: $UPN [$INT/$EntraUsersCount]" -ForegroundColor Green
	$Fido2Methods = Get-MgUserAuthenticationFido2Method -UserId $UPN

	#If FIDO2 methods found (the cmdlet returns nothing for users without a key)
	If ($Null -ne $Fido2Methods)
	{
		Write-Host "FIDO2 found" -ForegroundColor Cyan
		Foreach ($Fido2Method in $Fido2Methods)
		{
			$FIDOObject = [PSCustomObject]@{
				UserPrincipalName = $UPN
				AAGUID            = $Fido2Method.AAGUID
				Model             = $Fido2Method.Model
				AttestationLevel  = $Fido2Method.AttestationLevel
			}

			#Add to ListObject
			$FIDO2List.Add($FIDOObject)
		}
	}
}

Show the list object

#Show Fido Authentication Methods
$FIDO2List 

And export it to a CSV

#Export to CSV
$FIDO2List | Export-CSV -Path C:\Temp\Fido2List.csv -Encoding UTF8 -NoTypeInformation

And this is the CSV export

The script has also been published to my GitHub repo
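As an added example that is not part of the original script or the GitHub repo, here is a summary step for the inventory above: it groups the $FIDO2List (or the imported CSV) by AAGUID, counts keys and users per authenticator model, flags keys that are not attested, and optionally checks each AAGUID against an allow-list you supply. The function name, the sample rows and the $AllowedAaguids values are constructed placeholders, not real AAGUIDs, users or policy data.

```powershell
# Added example (not from the original post): summarise a FIDO2 inventory by AAGUID.
# Input rows need UserPrincipalName, AAGUID, Model and AttestationLevel, as built by the script above.
function Get-Fido2AaguidSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Fido2List,
        # Optional allow-list of AAGUIDs (assumption: copied from your tenant's FIDO2 key restrictions)
        [string[]] $AllowedAaguids = @()
    )
    $Fido2List | Group-Object -Property AAGUID | ForEach-Object {
        $aaguid = $_.Name
        $keys   = $_.Group
        # Graph reports attestationLevel as 'attested' or 'notAttested'; flag everything that is not attested
        $unattested = @($keys | Where-Object { $_.AttestationLevel -ne 'attested' }).Count
        if ($AllowedAaguids.Count -eq 0) { $allowed = 'n/a' }
        else { $allowed = $AllowedAaguids -contains $aaguid }
        [PSCustomObject]@{
            AAGUID     = $aaguid
            Model      = (@($keys.Model | Select-Object -Unique) -join '; ')
            KeyCount   = $keys.Count
            UserCount  = @($keys.UserPrincipalName | Select-Object -Unique).Count
            Unattested = $unattested
            Allowed    = $allowed
        }
    } | Sort-Object -Property KeyCount -Descending
}

# Constructed sample inventory: placeholder AAGUIDs and UPNs, not real values
$Sample = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; AAGUID = '00000000-0000-4000-8000-0000000000a1'; Model = 'Vendor Key A'; AttestationLevel = 'attested' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';   AAGUID = '00000000-0000-4000-8000-0000000000a1'; Model = 'Vendor Key A'; AttestationLevel = 'attested' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';   AAGUID = '00000000-0000-4000-8000-0000000000b2'; Model = 'Vendor Key B'; AttestationLevel = 'notAttested' }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; AAGUID = '00000000-0000-4000-8000-0000000000c3'; Model = 'Unknown';      AttestationLevel = 'notAttested' }
)

# Placeholder allow-list (assumption): only Vendor Key A is permitted in this tenant
$AllowedAaguids = @('00000000-0000-4000-8000-0000000000a1')

Get-Fido2AaguidSummary -Fido2List $Sample -AllowedAaguids $AllowedAaguids | Format-Table -AutoSize

# With the real export from the script above:
# Get-Fido2AaguidSummary -Fido2List (Import-Csv C:\Temp\Fido2List.csv) -AllowedAaguids $AllowedAaguids
```

Rows with Allowed = False or a non-zero Unattested count are the ones to review before enforcing key restrictions in the authentication methods policy.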

Just list the AAGUIDs

There is also another method from Jan Bakker: Prepare for passkeys in Entra ID!

Connect-MgGraph -Scopes AuditLog.Read.All,UserAuthenticationMethod.Read.All

#Find users with a device-bound passkey registered, fetch their FIDO2 methods and list the distinct AAGUIDs
((Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id | ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All }).AaGuid | Select-Object -Unique

Regards
Andres Bohren
