
Discovering Strong Authentication methods

Mark Wilson
Contributor

I want to be able to detect whether users have signed up for Strong Authentication methods ahead of them coming in scope for Conditional Access based MFA, ideally via an API that one of our systems can call.

All the current APIs that look like they offer MFA info do so for the user based MFA. The only way I can see to get the info is via the Get-MSOLUser cmdlet. Does anyone know an API based way of doing this?

Graph API for User - doesn't expose it

Graph API for /reports/credentialUserRegistrationDetails - this is user based MFA and the values don't change at all regardless of what is set for strong auth

Get-AzureAD cmdlet  - doesn't expose

Get-MSOLUser - exposes the information I need.

I tried using Fiddler on the GetMSOLUser but it is using an old SOAP based web service at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, and the payloads look complicated and not easily hand cranked.

Anyone got any ideas or know of another way to detect if the user has Strong Authentication methods set?
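One way to do the readiness check the post is asking for, as an added example rather than anything posted in the thread: it uses the MSOnline module (the one source the post found that does expose the registered methods) and lists, for each member of the group that is about to fall under the Conditional Access policy, which strong authentication methods they have registered and whether any is set at all. It assumes `Connect-MsolService` has already been run, and `$GroupObjectId` is a placeholder for the target group.

```powershell
# Added example, not from the thread. Requires the MSOnline module and a prior Connect-MsolService.
# $GroupObjectId is a placeholder: the group whose members are about to be targeted by a CA MFA policy.
param(
    [string] $GroupObjectId = '00000000-0000-0000-0000-000000000000'
)

# Members of the soon-to-be-targeted group (replace with "Get-MsolUser -All" to scan the whole tenant)
$members = Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' }

$report = foreach ($m in $members) {
    $u = Get-MsolUser -ObjectId $m.ObjectId

    # StrongAuthenticationMethods is the security-info registration the post is after;
    # it is populated regardless of whether legacy per-user MFA is enabled.
    $methods = @($u.StrongAuthenticationMethods)

    # StrongAuthenticationRequirements is the separate legacy per-user MFA state
    # (Enabled/Enforced); kept in the output so the two are not confused.
    $perUserState = if ($u.StrongAuthenticationRequirements) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MethodCount       = $methods.Count
        # MethodType values look like PhoneAppNotification, PhoneAppOTP, OneWaySMS, TwoWayVoiceMobile
        Methods           = ($methods | ForEach-Object { $_.MethodType }) -join ';'
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        PerUserMfaState   = $perUserState
        # A user with no registered method will be forced into registration (or blocked)
        # the moment the CA policy applies to them.
        Ready             = ($methods.Count -gt 0)
    }
}

# Users that need chasing before the policy goes live
$report | Where-Object { -not $_.Ready } | Sort-Object UserPrincipalName |
    Export-Csv -Path .\mfa-registration-gaps.csv -NoTypeInformation

$report | Format-Table UserPrincipalName, MethodCount, DefaultMethod, PerUserMfaState, Ready -AutoSize
```

Because it reads `Get-MsolUser` directly, the output reflects the current registration state rather than a lagging report; the trade-off, as the post notes, is that it is a cmdlet over a legacy service rather than a REST API your other systems can call.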


The report exposes them just fine, but as all other reports it's not in real-time. Other than that, for the time being your only option is to use the MSOL module.
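For the report route mentioned in the reply, here is an added example (not code from the thread) that reads the registration report through the Microsoft Graph beta endpoint the original post tried, follows its paging, and flags users the report shows as not MFA-registered. It assumes `$AccessToken` holds a bearer token for an application granted `Reports.Read.All` (obtained with whatever auth flow you normally use); the `isMfaRegistered` and `authMethods` properties are those of the beta `credentialUserRegistrationDetails` resource.

```powershell
# Added example, not from the thread. $AccessToken is assumed to be a valid Graph bearer token
# for an app with Reports.Read.All; acquiring it is left to your normal auth flow.
param([Parameter(Mandatory)] [string] $AccessToken)

$headers = @{ Authorization = "Bearer $AccessToken" }
$uri = 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails'

# Collect every page of the report; Graph returns @odata.nextLink while more rows remain
$rows = @()
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $rows += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Filter client-side so the result does not depend on server-side $filter support
$notRegistered = $rows | Where-Object { -not $_.isMfaRegistered } | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.userPrincipalName
        IsMfaRegistered   = $_.isMfaRegistered
        # Registered method names as reported (e.g. appNotification, mobilePhone); empty if none
        AuthMethods       = ($_.authMethods -join ';')
    }
}

$notRegistered | Sort-Object UserPrincipalName | Format-Table -AutoSize
$notRegistered | Export-Csv -Path .\mfa-report-gaps.csv -NoTypeInformation
```

As the reply points out, this report is not real-time, so a user who registered a method minutes ago can still appear here as unregistered; treat it as a periodic inventory and use the MSOL query when a current answer for one user is needed.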

@Vasil Michev Are you aware of any way to test conditional Access rules on behalf of a user in a particular user? i.e. call an API which says I am Fred Bloggs on a mobile device on this IP running this app - pass or fail?


You can use the WhatIf tool, but I'm not sure there's a way to call that programmatically.

Thanks - but having looked, the WhatIf tool just says which CA rules would apply, so although one of the rules might well insist on MFA, it wouldn't tell you if the user has already selected Strong Authentication methods?

Not sure what you mean here, the whatif tool is designed exactly for that purpose - to tell you which CA rules might fire on a given login attempt. It doesn't care whether the user has already filled in his methods.
