I want to be able to detect whether users have signed up for Strong Authentication methods ahead of them coming in scope for Conditional Access based MFA, ideally via an API that one of our systems can call.
All the current APIs that look like they offer MFA info do so for the user based MFA. The only way I can see to get the info is via the Get-MSOLUser cmdlet. Does anyone know an API based way of doing this?
Graph API for User - doesn't expose it
Graph API for /reports/credentialUserRegistrationDetails - this is user based MFA and the values don't change at all regardless of what is set for strong auth
@Vasil Michev Are you aware of any way to test conditional Access rules on b behalf of a user in a particular user? i.e. call an API which says I am Fred Bloggs on a mobile device on this IP running this app - pass or fail?
Thanks - but having looked thew WhatIf tool just says which CA rules would apply, so although one of the rules might well insist on MFA, it wouldn't tell you if the user has already selected Strong Authentication methods?
Not sure what you mean here, the whatif tool is designed exactly for that purpose - to tell you which CA rules might fire on a given login attempt. It doesn't care whether the user has already filled in his methods.