Report Microsoft Authenticator Registration in Entra ID with Graph PowerShell

Hi All,
I am working with a customer on an M365 Onboarding. Before migrating Users to the Cloud, we want to make sure the Onboarding of the Microsoft Authenticator App is successful. I was tasked to figure out a way to find out the Users that have registered the Microsoft Authenticator App for MFA Authentication.
Enduser Portal
From a user perspective, the Security Information page shows that two Microsoft Authenticators are registered.
Entra Portal
In the Entra Portal you can see the same information in the “Authentication methods” menu.
Note that on both portals, you can see just some sort of Name for the Microsoft Authenticator.
PowerShell and Graph
I figured out I can use the Get-MgUserAuthenticationMethod command from the Microsoft.Graph PowerShell Modules.
Note that this can be used only with delegated Permissions and not with Application Permissions.
Let’s get this information for the User
Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All -NoWelcome
$AuthMethods = Get-MgUserAuthenticationMethod -UserId "m.muster@icewolf.ch"
[array]$Authenticator = $AuthMethods | where {$_.AdditionalProperties."@odata.type" -eq "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}
$Authenticator | fl
The Information can be found under AdditionalProperties
#Details of first item in Array
$Authenticator[0].AdditionalProperties
List both Microsoft Authenticator “displayNames”
#Loop Through Array
Foreach ($Item in $Authenticator)
{
    $DisplayName = $Item.AdditionalProperties.displayName
    Write-Host "DisplayName: $DisplayName"
}
Let’s check the same thing with another user (Security Info from End User)
Entra Portal
Let’s get the same information in PowerShell
$AuthMethods = Get-MgUserAuthenticationMethod -UserId "e.muster@icewolf.ch"
[array]$Authenticator = $AuthMethods | where {$_.AdditionalProperties."@odata.type" -eq "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}
$Authenticator | fl
#Details of first item in Array
$Authenticator[0].AdditionalProperties
#Loop Through Array
Foreach ($Item in $Authenticator)
{
    $DisplayName = $Item.AdditionalProperties.displayName
    Write-Host "DisplayName: $DisplayName"
}
Check a bunch of users
Now we have the base of our script and we need to check a bunch of users.
I’ve created a Collection of UPNs, but it would be easy to use the Import-Csv cmdlet to process a list of Users.
#Create Collection of UPN
$UPNCollection = [System.Collections.Generic.List[string]]::new()
$UPNCollection.Add("m.muster@icewolf.ch")
$UPNCollection.Add("e.muster@icewolf.ch")
$UPNCollection.Add("postmaster@icewolf.ch")
$UPNCollection.Add("a.bohren@icewolf.ch")
#Loop through UPN
Foreach ($UPN in $UPNCollection)
{
    $AuthMethods = Get-MgUserAuthenticationMethod -UserId $UPN
    [array]$Authenticator = $AuthMethods | where {$_.AdditionalProperties."@odata.type" -eq "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}
    if ($Null -eq $Authenticator)
    {
        Write-Host "$UPN > NO MFA" -ForegroundColor Cyan
    } else {
        Write-Host "$UPN > MFA found" -ForegroundColor Green
    }
}
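The loop above extended into a per-user report, as an added example that is not part of the original post: it returns objects instead of console text, keeps lookup errors (unknown UPN, missing permission) apart from "not registered", and exports the users without Microsoft Authenticator to CSV. The function name Get-AuthenticatorReport, the CSV column UPN and the output file name are assumptions, and Connect-MgGraph is assumed to have been run as shown earlier.

```powershell
# Added example. Assumes an existing Connect-MgGraph session with the
# UserAuthenticationMethod.Read.All scope. Get-AuthenticatorReport is a hypothetical name.
function Get-AuthenticatorReport {
    param(
        [Parameter(Mandatory)]
        [string[]]$UserPrincipalName
    )
    $Type = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    foreach ($UPN in $UserPrincipalName) {
        try {
            $AuthMethods = Get-MgUserAuthenticationMethod -UserId $UPN -ErrorAction Stop
            # @() keeps the result an array, even for zero or one match
            $Authenticator = @($AuthMethods | Where-Object {
                $_.AdditionalProperties['@odata.type'] -eq $Type
            })
            [pscustomobject]@{
                UPN                = $UPN
                Registered         = $Authenticator.Count -gt 0
                AuthenticatorCount = $Authenticator.Count
                DisplayNames       = ($Authenticator |
                    ForEach-Object { $_.AdditionalProperties['displayName'] }) -join '; '
                Error              = $null
            }
        }
        catch {
            # Lookup failed: record the error instead of reporting "not registered"
            [pscustomobject]@{
                UPN = $UPN; Registered = $null; AuthenticatorCount = $null
                DisplayNames = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Constructed sample input (column name UPN is an assumption);
# replace the here-string with Import-Csv -Path <file> for a real user list
$Users = @'
UPN
m.muster@icewolf.ch
e.muster@icewolf.ch
postmaster@icewolf.ch
'@ | ConvertFrom-Csv

$Report = Get-AuthenticatorReport -UserPrincipalName $Users.UPN
$Report | Format-Table -AutoSize
# Only users confirmed to have no Authenticator; rows with an Error are excluded
$Report | Where-Object { $_.Registered -eq $false } |
    Export-Csv -Path .\AuthenticatorMissing.csv -NoTypeInformation -Encoding UTF8
```

Rows with a non-empty Error column need a separate look before migration, since they say nothing about the registration state of that user.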
Summary
I’ve explained how to check if a User has registered Microsoft Authenticator with the Microsoft.Graph Modules. Hope this helps if someone has a similar Task.
Regards
Andres Bohren