Forum Discussion
StevenRPF
Mar 28, 2023 (Brass Contributor)
Get MFAStatus with API
Hi, I'm trying to get a report for the MFA status for all my tenant users.
# Replace the values in the following variables with your own
$clientId = "your_client_id_here"
$clientSecret = "your_...
VasilMichev
Mar 29, 2023 (MVP)
Or you know what, just use this code instead:
#Variables to configure
$tenantID = "tenant.onmicrosoft.com" #your tenantID or tenant root domain
$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" #the GUID of your app
$client_secret = "verylongsecurestring" #client secret for the app
#Prepare token request
$url = 'https://login.microsoftonline.com/' + $tenantId + '/oauth2/v2.0/token'
$body = @{
grant_type = "client_credentials"
client_id = $appID
client_secret = $client_secret
scope = "https://graph.microsoft.com/.default"
}
#Obtain the token
Write-Verbose "Authenticating..."
try { $tokenRequest = Invoke-WebRequest -Method Post -Uri $url -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing -ErrorAction Stop }
catch { Write-Host "Unable to obtain access token, aborting..."; return }
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
$authHeader = @{
'Content-Type'='application/json' #forward slash; a backslash here is an invalid media type
'Authorization'="Bearer $token"
}
#endregion Authentication
It should actually throw an error if anything goes wrong. To check the result, use either $token or $authHeader.
StevenRPF
Mar 29, 2023 (Brass Contributor)
Ok! My token variable has something in it.
Then I assume that this part is working ... After that, I retry this part of the code
# $tenantId and $tokenBody are set earlier in the script (see the first post)
$tokenResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody
$accessToken = $tokenResponse.access_token
# Retrieve all users in the tenant
$users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $accessToken"}
# Loop through each user and retrieve their MFA status
foreach ($user in $users.value) {
$userId = $user.id
$mfaStatus = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userId/authentication/methods" -Headers @{Authorization = "Bearer $accessToken"}
# Authentication method objects have no 'state' property; count any registered method other than the password as an MFA method
$mfaEnabled = $mfaStatus.value | Where-Object {$_.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod'}
Write-Output "$($user.displayName) - MFA Enabled: $($null -ne $mfaEnabled)"
}
and I got this error:
Invoke-RestMethod : Le serveur distant a retourné une erreur : (403) Interdit.
Au caractère Ligne:5 : 10
+ $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Thanks again for helping me, that's really appreciated ... by the way, if you have another way to achieve my goal, I'm open! 🙂
VasilMichev
Mar 30, 2023 (MVP)
"Something" doesn't mean it has the right stuff in it 🙂 Use this:
$token | clip
then paste it over at jwt.ms to parse the token.
As for another way, the easiest one is to use the Graph explorer tool (https://developer.microsoft.com/en-us/graph/graph-explorer) and in particular this report: https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails
You will likely have to consent to additional permissions, but that's all done in-tool, via the Modify Permissions tab.
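As an added example (not code from either poster), the following continues from the $token and $authHeader variables produced by the authentication snippet above and checks the token's roles claim locally before calling Graph, since a 403 on /users or /authentication/methods normally means the app was never granted (and admin-consented for) the User.Read.All and UserAuthenticationMethod.Read.All application permissions. The Get-JwtPayload function, the MfaStatus.csv output path and the assumption that those two permissions are the ones the app needs are mine.

```powershell
# Added example: validate the app token's claims, then build the MFA report with paging.
# Assumes $token and $authHeader exist from the client-credentials snippet above.

# Decode a JWT payload for inspection only (no signature validation; same as pasting into jwt.ms)
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Application permissions show up in the 'roles' claim; no roles means admin consent was never granted
$required = @('User.Read.All', 'UserAuthenticationMethod.Read.All')   # assumed to be what this report needs
$claims   = Get-JwtPayload $token
$missing  = $required | Where-Object { $claims.roles -notcontains $_ }
if ($missing) { throw "Token lacks application permissions: $($missing -join ', ') (grant admin consent, then request a new token)" }
# Graph tokens carry the Graph URL or the Graph app id as audience
if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    Write-Warning "Unexpected audience '$($claims.aud)'; the token was not issued for Microsoft Graph"
}

# Page through all users: Graph returns a partial page plus @odata.nextLink, so one GET is not the whole tenant
$users = @()
$uri = 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,displayName&$top=999'
do {
    $page  = Invoke-RestMethod -Method Get -Uri $uri -Headers $authHeader -ErrorAction Stop
    $users += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

# Authentication method objects have no 'state' property; a user counts as MFA-registered
# when at least one method other than the password method is registered.
$report = foreach ($u in $users) {
    $methods = (Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)/authentication/methods" -Headers $authHeader -ErrorAction Stop).value
    $strong  = $methods | Where-Object { $_.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' }
    [pscustomobject]@{
        UserPrincipalName = $u.userPrincipalName
        DisplayName       = $u.displayName
        MfaRegistered     = [bool]$strong
        Methods           = (($strong.'@odata.type' -replace '#microsoft.graph.', '') -join ';')
    }
}
$report | Export-Csv -Path .\MfaStatus.csv -NoTypeInformation   # constructed output path
```

Users with MfaRegistered = False are the ones to follow up on; the Methods column shows which registered methods (authenticator app, phone, FIDO2, and so on) each user has.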