cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Discovering Strong Authentication methods

%3CLINGO-SUB%20id%3D%22lingo-sub-895514%22%20slang%3D%22en-US%22%3EDiscovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-895514%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20to%20be%20able%20to%20detect%20whether%20users%20have%20signed%20up%20for%20Strong%20Authentication%20methods%20ahead%20of%20them%20coming%20in%20scope%20for%20Conditional%20Access%20based%20MFA%2C%20ideally%20via%20an%20API%20that%20one%20of%20our%20systems%20can%20call.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20the%20current%20APIs%20that%20look%20like%20they%20offer%20MFA%20info%20do%20so%20for%20the%20user%20based%20MFA.%20The%20only%20way%20I%20can%20see%20to%20get%20the%20info%20is%20via%20the%20Get-MSOLUser%20cmdlet.%20Does%20anyone%20know%20an%20API%20based%20way%20of%20doing%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGraph%20API%20for%20User%20-%20doesn't%20expose%20it%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGraph%20API%20for%26nbsp%3B%3CSPAN%3E%2Freports%2FcredentialUserRegistrationDetails%20-%20this%20is%20user%20based%20MFA%20and%20the%20values%20don't%20change%20at%20all%20regardless%20of%20what%20is%20set%20for%20strong%20auth%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EGet-AzureAD%20cmdlet%20%26nbsp%3B-%20doesn't%20expose%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EGet-MSOLUser%20-%20exposes%20the%20information%20I%20need.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20tried%20using%20Fiddler%20on%20the%20GetMSOLUser%20but%20it%20is%20using%20an%20old%20SOAP%20based%20web%20service%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fprovisioningapi.microsoftonline.com%2Fprovisioningwebservice.svc%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprovisioningapi.microsoftonline.com%2Fprovisioningwebservice.svc%3C%2FA%3E.%20and%20the%20payloads%20look%20complicated%20and%20not%20easily%20hand%20cranked.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAnyone%20got%20any%20ideas%20or%20know%20of%20another%20way%20to%20detect%20if%20the%20user%20has%20Strong%20Authentication%20methods%20set%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-895514%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emfa%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20info%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-895752%22%20slang%3D%22en-US%22%3ERe%3A%20Discovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-895752%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20report%20exposes%20them%20just%20fine%2C%20but%20as%20all%20other%20reports%20it's%20not%20in%20real-time.%20Other%20than%20that%2C%20for%20the%20time%20being%20your%20only%20option%20is%20to%20use%20the%20MSOL%20module.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-896426%22%20slang%3D%22en-US%22%3ERe%3A%20Discovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-896426%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BAre%20you%20aware%20of%20any%20way%20to%20test%20conditional%20Access%20rules%20on%20b%20behalf%20of%20a%20user%20in%20a%20particular%20user%3F%20i.e.%20call%20an%20API%20which%20says%20I%20am%20Fred%20Bloggs%20on%20a%20mobile%20device%20on%20this%20IP%20running%20this%20app%20-%20pass%20or%20fail%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-897228%22%20slang%3D%22en-US%22%3ERe%3A%20Discovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-897228%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20use%20the%20WhatIf%20tool%2C%20but%20I'm%20not%20sure%20there's%20a%20way%20to%20call%20that%20programmatically.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-898704%22%20slang%3D%22en-US%22%3ERe%3A%20Discovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-898704%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20-%20but%20having%20looked%20thew%20WhatIf%20tool%20just%20says%20which%20CA%20rules%20would%20apply%2C%20so%20although%20one%20of%20the%20rules%20might%20well%20insist%20on%20MFA%2C%20it%20wouldn't%20tell%20you%20if%20the%20user%20has%20already%20selected%20Strong%20Authentication%20methods%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-899806%22%20slang%3D%22en-US%22%3ERe%3A%20Discovering%20Strong%20Authentication%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-899806%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what%20you%20mean%20here%2C%20the%20whatif%20tool%20is%20designed%20exactly%20for%20that%20purpose%20-%20to%20tell%20you%20which%20CA%20rules%20might%20fire%20on%20a%20given%20login%20attempt.%20It%20doesn't%20care%20whether%20the%20user%20has%20already%20filled%20in%20his%20methods.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Mark Wilson
Mark Wilson
Contributor

‎10-06-2019 04:33 AM

‎10-06-2019 04:33 AM

Discovering Strong Authentication methods

I want to be able to detect whether users have signed up for Strong Authentication methods ahead of them coming in scope for Conditional Access based MFA, ideally via an API that one of our systems can call.

 

All the current APIs that look like they offer MFA info do so for the user based MFA. The only way I can see to get the info is via the Get-MSOLUser cmdlet. Does anyone know an API based way of doing this?

 

Graph API for User - doesn't expose it

 

Graph API for /reports/credentialUserRegistrationDetails - this is user based MFA and the values don't change at all regardless of what is set for strong auth

 

Get-AzureAD cmdlet  - doesn't expose

 

Get-MSOLUser - exposes the information I need.

 

I tried using Fiddler on the GetMSOLUser but it is using an old SOAP based web service at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc. and the payloads look complicated and not easily hand cranked.

 

Anyone got any ideas or know of another way to detect if the user has Strong Authentication methods set?

200 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎10-06-2019 09:52 AM

‎10-06-2019 09:52 AM

Re: Discovering Strong Authentication methods

The report exposes them just fine, but as all other reports it's not in real-time. Other than that, for the time being your only option is to use the MSOL module.

0 Likes
Reply
Highlighted
Mark Wilson

‎10-07-2019 02:12 AM

‎10-07-2019 02:12 AM

Re: Discovering Strong Authentication methods

@Vasil Michev Are you aware of any way to test conditional Access rules on b behalf of a user in a particular user? i.e. call an API which says I am Fred Bloggs on a mobile device on this IP running this app - pass or fail?

 

0 Likes
Reply
Vasil Michev

‎10-07-2019 09:02 AM

‎10-07-2019 09:02 AM

Re: Discovering Strong Authentication methods

You can use the WhatIf tool, but I'm not sure there's a way to call that programmatically.

0 Likes
Reply
Mark Wilson

‎10-08-2019 01:39 AM

‎10-08-2019 01:39 AM

Re: Discovering Strong Authentication methods

Thanks - but having looked thew WhatIf tool just says which CA rules would apply, so although one of the rules might well insist on MFA, it wouldn't tell you if the user has already selected Strong Authentication methods?

0 Likes
Reply
Vasil Michev

‎10-08-2019 08:22 AM

‎10-08-2019 08:22 AM

Re: Discovering Strong Authentication methods

Not sure what you mean here, the whatif tool is designed exactly for that purpose - to tell you which CA rules might fire on a given login attempt. It doesn't care whether the user has already filled in his methods.

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
What is Canary ring in Windows insider program? and how do we get them?
 HotCakeX in Windows Insider Program on 09-27-2019
9 Replies
The announcement regarding self-service purchase capabilities for Power Platform products??
 Kelly E in Office 365 on 10-21-2019
64 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies