StevenRPF
Mar 27, 2023, Brass Contributor
Get MFAStatus with API
Hi, I'm trying to get a report for the MFA status for all my tenant users.
# Replace the values in the following variables with your own
$clientId = "your_client_id_here"
$clientSecret = "your_...
StevenRPF
Mar 29, 2023, Brass Contributor
Ok! My token variable has something in it.
Then I assume that this part is working ... After that, I retry this part of the code
$tokenResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody
$accessToken = $tokenResponse.access_token
# Retrieve all users in the tenant
$users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $accessToken"}
# Loop through each user and retrieve their MFA status
foreach ($user in $users.value) {
    $userId = $user.id
    $mfaStatus = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userId/authentication/Methods" -Headers @{Authorization = "Bearer $accessToken"}
    $mfaEnabled = $mfaStatus.value | Where-Object {$_.state -eq "enabled"}
    # $null goes on the left so the comparison yields a boolean even when $mfaEnabled is an array
    Write-Output "$($user.displayName) - MFA Enabled: $($null -ne $mfaEnabled)"
}
and I got this error:
Invoke-RestMethod : Le serveur distant a retourné une erreur : (403) Interdit.
Au caractère Ligne:5 : 10
+ $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Thanks again for helping me, that's really appreciated ... by the way, if you have another way to achieve my goal, I'm open! 🙂
VasilMichev
Mar 29, 2023, MVP
"Something" doesn't mean it has the right stuff in it 🙂 Use this:
$token | clip
then paste it over at jwt.ms to parse the token.
As for another way, the easiest one is to use the Graph explorer tool (https://developer.microsoft.com/en-us/graph/graph-explorer) and in particular this report: https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails
You will likely have to consent to additional permissions, but that's all done in-tool, via the Modify Permissions tab.
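A local equivalent of the jwt.ms check suggested above, as an added example that is not part of the original thread: it decodes the token's payload in PowerShell and reports which application permissions are absent from the `roles` claim, the usual reason an app-only token gets a 403 from Graph. The function names, the constructed sample token, and the choice of `User.Read.All` and `UserAuthenticationMethod.Read.All` as the permissions the script's two Graph calls need are assumptions of this example.

```powershell
# Added example: inspect a Graph access token locally (no signature validation,
# inspection only) and compare its app permissions with what the script needs.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 parts, got $($parts.Count)." }

    # base64url -> base64: swap the URL-safe alphabet back and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredRoles
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    # App-only (client credentials) tokens list granted permissions in 'roles';
    # a token with no 'roles' claim ends up with an empty array here.
    $roles   = @($claims.roles | Where-Object { $_ })
    $missing = @($RequiredRoles | Where-Object { $roles -notcontains $_ })

    [pscustomobject]@{
        Audience     = $claims.aud
        ExpiresUtc   = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        Roles        = $roles
        MissingRoles = $missing
    }
}

# Constructed sample token (unsigned, made-up claims) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","exp":1900000000,"roles":["User.Read.All"]}'
$sample  = "$header.$payload.c2ln"

# Replace $sample with the real access token to check it the same way.
Test-GraphAppToken -Token $sample -RequiredRoles 'User.Read.All', 'UserAuthenticationMethod.Read.All'
```

Decoding locally keeps the bearer token out of the clipboard and the browser; an empty `Roles` list means no application permissions were granted and admin-consented for the app registration.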