SSPR via powershell?


Hey all,

I'm wondering if there is a location with commands to access info regarding SSPR in AAD via powershell.  Specifically I'm trying to find out if a user has registered and set up their security questions.  The reports in the web GUI only go back one month, but i'd like a) a running tally of how many users have registered, and b) the ability to determine if an individual has completed registration.  There doesn't seem to be a place to do that in the gui, and i cannot find any SSPR specific powershell commands for the msonline module. Can anyone shed any light?

3 Replies

I am on the exact situation... I was able to create user, unifiedgroup, manage the membership, set the password and rules via PowerShell. but when I try to test the account, now SSPR is blocking the streamline of automation... I was hoping to see either PowerShell method to import predefined SSPR answers (e.g. Phone number, Questions and Answers) via CSV file or method to exempt them from SSPR for special account cases via UnifiedGroup or normal Security Group membership (or per individual user account...)

I have recently made a riport about the sspr via powershell. I had the userprincipal names in a txt file.

$path = "path of txt"
$Users = Get-Content $path
foreach ($User in $Users)
Get-MsolUser -UserPrincipalName $User.ToLower() | select DisplayName, PhoneNumber, Email| Export-Csv –Append -Force -Path "C:\Users\dmeszaros\Desktop\AzureAD\userprincipal_v4.csv" -NoTypeInformation

Get-MsolUser -UserPrincipalName $User.ToLower() | select -Expand StrongAuthenticationUserDetails | select DisplayName, PhoneNumber, Email | Export-Csv –Append -Force -Path "the path to save" -NoTypeInformation


The first is for initialize the columns in the csv and for the displayname to know the whom the authentication info belongs to because the next command wont get it so that gets the data from the authentication box.

For those who didn't registered, there won't be a second line so that they didn't registered.

Hope it helps.



StrongAuth does NOT mean the user has registered for SSPR. It only means a user has one or more StrongAuth fields set like Phone Number.

Just setting any of these fields without ever going through the SSPR registration process will still tag them as StrongAuth.