Forum Discussion
StevenRPF
Mar 28, 2023, Brass Contributor
Get MFAStatus with API
Hi, I'm trying to get a report for the MFA status for all my tenant users.

# Replace the values in the following variables with your own
$clientId = "your_client_id_here"
$clientSecret = "your_...
VasilMichev
Mar 29, 2023, MVP
Might be. Which permissions did you add, and did you grant admin consent?
StevenRPF
Mar 29, 2023, Brass Contributor
Yes, I granted admin consent ... and I granted all permissions specified above:
UserAuthenticationMethod.Read.All or UserAuthenticationMethod.ReadWrite.All (for Microsoft Graph API v1.0) OR AuthenticationMethod.Read.All or AuthenticationMethod.ReadWrite.All (for Microsoft Graph API beta)
User.Read.All or User.ReadWrite.All (for Microsoft Graph API v1.0) OR Directory.Read.All or Directory.ReadWrite.All (for Microsoft Graph API beta)
Can I check some log in the Azure Admin Center, or is there another way to check if my requests are accepted? To be sure the client ID and password are OK?
Is it normal that I got nothing when I pasted it in the token decoder?
Thanks again
- VasilMichev, Mar 29, 2023, MVP
You can check the $tokenResponse variable; it should contain the server response.
- VasilMichev, Mar 29, 2023, MVP
Or you know what, just use this code instead:

#Variables to configure
$tenantID = "tenant.onmicrosoft.com" #your tenantID or tenant root domain
$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" #the GUID of your app
$client_secret = "verylongsecurestring" #client secret for the app

#Prepare token request
$url = 'https://login.microsoftonline.com/' + $tenantId + '/oauth2/v2.0/token'
$body = @{
    grant_type = "client_credentials"
    client_id = $appID
    client_secret = $client_secret
    scope = "https://graph.microsoft.com/.default"
}

#Obtain the token
Write-Verbose "Authenticating..."
try { $tokenRequest = Invoke-WebRequest -Method Post -Uri $url -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing -ErrorAction Stop }
catch { Write-Host "Unable to obtain access token, aborting..."; return }
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
#Header for subsequent Graph calls (media type uses a forward slash: application/json)
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'="Bearer $token"
}
#endregion Authentication

It should actually throw an error if anything goes wrong. To check the result, use either $token or $authHeader.
- StevenRPF, Mar 29, 2023, Brass Contributor
Ok! My token variable has something in it.
Then I assume that this part is working ... After that, I retried this part of the code:

$tokenResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody
$accessToken = $tokenResponse.access_token

# Retrieve all users in the tenant
$users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $accessToken"}

# Loop through each user and retrieve their MFA status
foreach ($user in $users.value) {
    $userId = $user.id
    $mfaStatus = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userId/authentication/methods" -Headers @{Authorization = "Bearer $accessToken"}
    # authenticationMethod objects carry no "state" property; tell MFA-capable methods apart by @odata.type (a password alone is not MFA)
    $mfaEnabled = $mfaStatus.value | Where-Object { $_.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' }
    # $null on the left so the comparison yields a boolean instead of filtering the array
    Write-Output "$($user.displayName) - MFA Enabled: $($null -ne $mfaEnabled)"
}

and I got this error:

Invoke-RestMethod : Le serveur distant a retourné une erreur : (403) Interdit.
Au caractère Ligne:5 : 10
+ $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft. ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation : (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Thanks again for helping me, that's really appreciated ... by the way, if you have another way to achieve my goal, I'm open! 🙂
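The following is an added example, not code posted in this thread and not Microsoft's own sample. It ties together the two pieces discussed above (the client-credentials token request and the per-user authentication-methods query) and adds the two checks the thread turns on: it decodes the token's `roles` claim locally, which is what an online token decoder would show, so that a missing or un-consented application permission is reported before Graph answers 403, and it identifies MFA-capable methods by `@odata.type` rather than a `state` property (which authenticationMethod objects do not have). The tenant, app ID and secret are placeholders; the script assumes an app registration whose application permissions `User.Read.All` (or `Directory.Read.All`) and `UserAuthenticationMethod.Read.All` have been admin-consented.

```powershell
# Added example, not code from the thread: app-only MFA registration report via Microsoft Graph.
# Assumes application permissions User.Read.All (or Directory.Read.All) and
# UserAuthenticationMethod.Read.All, admin-consented. Values below are placeholders.
$tenantId     = "tenant.onmicrosoft.com"                # placeholder: tenant ID or root domain
$appId        = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # placeholder: app (client) ID
$clientSecret = "placeholder-client-secret"             # placeholder; keep real secrets out of scripts

# 1. Client-credentials token request (same flow as the token code earlier in the thread)
$tokenUrl  = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $appId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}
try {
    $tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenUrl `
        -ContentType "application/x-www-form-urlencoded" -Body $tokenBody -ErrorAction Stop
} catch {
    Write-Error "Token request failed (check tenant, app ID and secret): $($_.Exception.Message)"
    return
}
$accessToken = $tokenResponse.access_token

# 2. Inspect the token's 'roles' claim locally. No signature verification is done here;
#    the point is only to see which application permissions were actually issued.
function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
$roles = @((Get-JwtPayload $accessToken).roles)
# Each Graph call below needs at least one role from each group; otherwise Graph answers 403.
$requiredGroups = @(
    @('User.Read.All', 'User.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All'),
    @('UserAuthenticationMethod.Read.All', 'UserAuthenticationMethod.ReadWrite.All')
)
foreach ($group in $requiredGroups) {
    if (-not ($group | Where-Object { $roles -contains $_ })) {
        Write-Error "Token roles [$($roles -join ', ')] include none of [$($group -join ', ')]. Grant and admin-consent one of them, then retry."
        return
    }
}
$headers = @{ Authorization = "Bearer $accessToken" }

# 3. Page through every user; a single call returns only the first page, so follow @odata.nextLink.
$users = @()
$uri = "https://graph.microsoft.com/v1.0/users?`$select=id,userPrincipalName,accountEnabled&`$top=999"
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
    $users += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# 4. Registered methods per user. authenticationMethod objects have no 'state' property;
#    @odata.type says what is registered. A password alone is not MFA.
$mfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$report = foreach ($u in $users) {
    try {
        $methods = @((Invoke-RestMethod -Method Get -Headers $headers -ErrorAction Stop `
            -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)/authentication/methods").value)
    } catch {
        Write-Warning "$($u.userPrincipalName): $($_.Exception.Message)"
        continue
    }
    $types = @($methods | ForEach-Object { $_.'@odata.type' -replace '^#microsoft\.graph\.', '' })
    [pscustomobject]@{
        UserPrincipalName = $u.userPrincipalName
        AccountEnabled    = $u.accountEnabled
        MfaRegistered     = [bool]($methods | Where-Object { $mfaCapable -contains $_.'@odata.type' })
        Methods           = $types -join ';'
    }
}

# 5. Enabled accounts with no MFA-capable method are the finding worth acting on.
$report | Where-Object { $_.AccountEnabled -and -not $_.MfaRegistered } | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

The 403 shown in the thread comes from the `/users` call, which is covered by the first role group; if the decoded `roles` claim is empty, the app either has only delegated permissions (which never appear in an app-only token) or consent was not granted for the application permissions, and the script stops there instead of failing one call later.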