10-06-2019 04:33 AM
I want to be able to detect whether users have signed up for Strong Authentication methods ahead of them coming in scope for Conditional Access based MFA, ideally via an API that one of our systems can call.
All the current APIs that look like they offer MFA info do so for the user based MFA. The only way I can see to get the info is via the Get-MSOLUser cmdlet. Does anyone know an API based way of doing this?
Graph API for User - doesn't expose it
Graph API for /reports/credentialUserRegistrationDetails - this is user based MFA and the values don't change at all regardless of what is set for strong auth
Get-AzureAD cmdlet - doesn't expose
Get-MSOLUser - exposes the information I need.
I tried using Fiddler on the Get-MSOLUser cmdlet, but it is using an old SOAP based web service at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc and the payloads look complicated and not easily hand cranked.
Anyone got any ideas or know of another way to detect if the user has Strong Authentication methods set?
10-06-2019 09:52 AM
The report exposes them just fine, but as with all other reports, it's not in real time. Other than that, for the time being your only option is to use the MSOL module.
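
An added example, not part of the original thread: PowerShell for the MSOL-module route mentioned above, reducing each user's `StrongAuthenticationMethods` collection to a registered/not-registered row that another system could consume. The function name `Get-StrongAuthSummary` and the sample users are constructed for illustration; the live-tenant lines assume the MSOnline module is installed.

```powershell
# Added example: summarise registered Strong Authentication methods per user.
# Get-StrongAuthSummary is a hypothetical helper name, not an MSOnline cmdlet.
function Get-StrongAuthSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # The collection is empty when the user has not registered any method.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Registered        = $methods.Count -gt 0
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
            Methods           = ($methods.MethodType -join ',')
        }
    }
}

# Constructed sample objects with the same property shape as Get-MsolUser output,
# so the function can be exercised without a tenant connection.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName           = 'alice@contoso.example'
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false }
        )
    },
    [pscustomobject]@{
        UserPrincipalName           = 'bob@contoso.example'
        StrongAuthenticationMethods = @()
    }
)
$sample | Get-StrongAuthSummary | Format-Table -AutoSize

# Against a live tenant, list users with nothing registered yet:
# Connect-MsolService
# Get-MsolUser -All | Get-StrongAuthSummary | Where-Object { -not $_.Registered }
```

Piping the result to `ConvertTo-Json` or `Export-Csv` gives a feed for a system that cannot call the MSOL module directly.
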
10-08-2019 01:39 AM
Thanks - but having looked, the WhatIf tool just says which CA rules would apply, so although one of the rules might well insist on MFA, it wouldn't tell you if the user has already selected Strong Authentication methods?
10-08-2019 08:22 AM
Not sure what you mean here, the whatif tool is designed exactly for that purpose - to tell you which CA rules might fire on a given login attempt. It doesn't care whether the user has already filled in his methods.