Comments on: Per-User MFA State Added to Tenant Passwords and MFA Report
https://office365itpros.com/2024/06/14/per-user-mfa-state/
Mastering Office 365 and Microsoft 365
Wed, 19 Jun 2024 15:11:35 +0000

By: Tony Redmond (Wed, 19 Jun 2024 15:11:35 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12466 In reply to Cezary Koelner.

I did some tinkering. Try V1.3 of the script (now available from GitHub). There’s now a PrivacyFlag parameter. If set to False (the default), you get full details of MFA authentication methods. If true, you get the output as seen in V1.2.

By: Tony Redmond (Wed, 19 Jun 2024 09:20:20 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12462 In reply to Cezary Koelner.

There’s an API available to report authentication methods configured for accounts. I have a script that illustrates how to use the API in https://office365itpros.com/2022/10/07/authentication-methods-scripts/. It would be easy to take the code from that and insert it into the MFA report script to output authentication methods.

By: Cezary Koelner (Wed, 19 Jun 2024 06:47:07 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12461

Dear Tony,
Could you add more information in the results for Authentication types, such as phone number, email address assigned in the user’s MFA?

By: eriksrocha (Sun, 16 Jun 2024 14:27:02 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12444 In reply to Tony Redmond.

That permission was missing. Thank you, Tony!

By: Tony Redmond (Sat, 15 Jun 2024 12:53:37 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12442 In reply to koelnercezary.

Run Connect-MgGraph with the scopes stated in the script and it will ask you to consent for any permissions it doesn’t already have. If you are signed in with an admin account, you can grant consent.

Connect-MgGraph -NoWelcome -Scopes AuditLog.Read.All, Directory.Read.All, UserAuthenticationMethod.Read.All, Policy.ReadWrite.AuthenticationMethod

By: Tony Redmond (Sat, 15 Jun 2024 12:51:36 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12441 In reply to C K.

Reading the per-user MFA state requires consent to use the Policy.ReadWrite.AuthenticationMethod application permission. You don’t have the permission and that’s why you get a 403 Forbidden.

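The two replies above (connect with the scopes the script declares, and a 403 means the session lacks consent for Policy.ReadWrite.AuthenticationMethod) can be turned into a check that runs before any user is queried. The following is an added example written for this thread, not the script from the post or code by its author. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed, and that the beta endpoint /users/{id}/authentication/requirements returns a perUserMfaState property (that property name comes from Microsoft's documentation, not from the thread).

```powershell
# Added example: read the per-user MFA state for every account, verifying the granted
# scopes up front so a missing Policy.ReadWrite.AuthenticationMethod consent surfaces
# once, instead of as a 403 per user and a blank report column.

$RequiredScopes = @(
    'Directory.Read.All',
    'UserAuthenticationMethod.Read.All',
    'Policy.ReadWrite.AuthenticationMethod'   # needed for the GET as well as the PATCH
)

Connect-MgGraph -NoWelcome -Scopes $RequiredScopes

# A consent prompt can be declined, and an already-open session may have been created
# with a narrower scope set, so check what the session actually holds.
$Granted = (Get-MgContext).Scopes
$Missing = $RequiredScopes | Where-Object { $_ -notin $Granted }
if ($Missing) {
    throw "Session is missing required scopes: $($Missing -join ', '). Reconnect with an admin account and grant consent."
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserId)
    # Assumed property name: perUserMfaState (from Microsoft's docs for this beta endpoint)
    $Uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"
    try {
        $Data = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction Stop
        return $Data.perUserMfaState
    }
    catch {
        # Invoke-MgGraphRequest puts the status line ("HTTP/1.1 403 Forbidden") in the message.
        if ($_.Exception.Message -match '403') {
            Write-Warning "403 Forbidden for $UserId - consent for Policy.ReadWrite.AuthenticationMethod is missing"
        }
        else {
            Write-Warning "Failed to read MFA state for $UserId : $($_.Exception.Message)"
        }
        return 'Unknown'
    }
}

$Users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName
$Report = foreach ($User in $Users) {
    [PSCustomObject]@{
        User            = $User.DisplayName
        UPN             = $User.UserPrincipalName
        PerUserMfaState = Get-PerUserMfaState -UserId $User.Id
    }
}

$Report | Sort-Object PerUserMfaState, User | Format-Table -AutoSize
```

The scope check uses Get-MgContext rather than trusting the Connect-MgGraph call, because reusing a session that was opened earlier with fewer scopes is the usual way the per-user 403s in this thread come about.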
By: koelnercezary (Sat, 15 Jun 2024 11:37:34 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12440 In reply to Tony Redmond.

Hello Tony,
Could you please tell where to add this permission?

By: C K (Sat, 15 Jun 2024 11:30:02 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12439

Hello Tony,
thanks for the script!
I’m trying to use it using PowerShell ISE.

The script executes with the following error at each user, and the report generates with no information in the “Per user MFA state” column.

Error is:
Invoke-MgGraphRequest : GET https://graph.microsoft.com/beta/users/831add8a-c129-47f7-860d-e7bc20425514/authentication/requirements
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7a19ba1b-582c-4459-9b0d-675a567c5237
client-request-id: b22995e8-ed97-4296-b100-b4a786b6ec2e
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Poland Central","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"WA2PEPF00000385"}}
Date: Sat, 15 Jun 2024 11:16:11 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2024-06-15T11:16:11","request-id":"7a19ba1b-582c-4459-9b0d-675a567c5237","client-request-id":"b22995e8-ed97-4296-b100-b4a786b6ec2e"}}}
At line:104 char:13
+ $Data = Invoke-MgGraphRequest -Uri $Uri -Method Get
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: GET, Re…b4a786b6ec2e}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest

Am I missing any permission?
Could you help me verify which one and where to grant it?

Thank you very much!

By: Tony Redmond (Sat, 15 Jun 2024 00:02:02 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12438 In reply to Erik da Silva Rocha.

403 Forbidden means that your session doesn’t have the right permission to execute the command. Do you have consent for Policy.ReadWrite.AuthenticationMethod?

By: Erik da Silva Rocha (Fri, 14 Jun 2024 21:38:37 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12437

Hey, Tony!

I couldn’t use the “Update” method through partner permission, do you know why?

https://learn.microsoft.com/en-us/graph/api/authentication-update?view=graph-rest-beta&tabs=powershell#example-2-update-a-users-mfa-state

I receive this error below:

Invoke-WebRequest -Uri "https://graph.microsoft.com/beta/users/$($MgUser.Id)/authentication/requirements" -Headers $authHeader -Method Patch -Body $Body -UseBasicParsing

Invoke-WebRequest : The remote server returned an error: (403) Forbidden.
At line:22 char:13
+ $Response = Invoke-WebRequest -Uri "https://graph.microsoft.com/beta/ …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

By: Tony Redmond (Fri, 14 Jun 2024 15:14:33 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12436 In reply to johndemillion.

There is only a Policy.ReadWrite.AuthenticationMethod permission (https://graphpermissions.merill.net/permission/Policy.ReadWrite.AuthenticationMethod). There isn’t one restricted to read.

By: johndemillion (Fri, 14 Jun 2024 14:43:33 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12435

Thanks Vasil, that’s awesome! I noticed that you mentioned that the “Policy.ReadWrite.AuthenticationMethod” was required for the PATCH request, but I found that it was required for the GET request as well. With only the previous permissions that I had in place for other operations (UserAuthenticationMethod.Read.All and User.Read.All), I was getting Access Denied errors. Unlike the UserAuthenticationMethod and User domains, which have both .Read and .ReadWrite permissions, I didn’t see a separate .Read permission for the Policy domain, so it seems like you must have the Policy.ReadWrite.AuthenticationMethod permission even if you only intend to use GET.

I wondered why the permissions structure was different for this operation, based inside the “Policy” domain rather than the existing “UserAuthenticationMethod” domain. Is Microsoft changing how these permissions are structured?

By: Tony Redmond (Fri, 14 Jun 2024 12:21:11 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12434 In reply to Vasil Michev.

Thanks Vasil… I updated the text to show how to update the per-user MFA state for an account.

By: Vasil Michev (Fri, 14 Jun 2024 11:23:37 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12433 In reply to John.

You can set it already, the endpoint supports PATCH requests as well (you’d need Policy.ReadWrite.AuthenticationMethod scope).

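Vasil's reply above says the same beta endpoint accepts PATCH, and Erik's comment further up shows a raw Invoke-WebRequest attempt at it. The following is an added example for this thread, not code from the post or its author, showing the update done through the Graph PowerShell SDK session (so the token and consent handling are the SDK's rather than a hand-built header). It assumes consent for Policy.ReadWrite.AuthenticationMethod has been granted, and that the request body property is perUserMfaState with the values disabled, enabled and enforced; those names come from Microsoft's documentation for the endpoint, not from the thread. The user principal name is a placeholder.

```powershell
# Added example: change the per-user MFA state for one account with a PATCH to the
# beta endpoint, reading the value before and after so the change is idempotent and
# the old value is available for an audit trail.

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserId,
        # Assumed enum values for perUserMfaState (from Microsoft's docs, not the thread)
        [Parameter(Mandatory)][ValidateSet('disabled', 'enabled', 'enforced')][string]$State
    )
    $Uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"

    # Read first: skip the write if the account is already in the requested state.
    $Before = (Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction Stop).perUserMfaState
    if ($Before -eq $State) {
        Write-Host "$UserId is already $State; nothing to do"
        return $Before
    }

    # Assumed body shape: { "perUserMfaState": "<state>" }
    $Body = @{ perUserMfaState = $State } | ConvertTo-Json -Compress
    Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body -ContentType 'application/json' -ErrorAction Stop | Out-Null

    # Re-read rather than trusting the empty success response from the PATCH.
    $After = (Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction Stop).perUserMfaState
    Write-Host "$UserId : $Before -> $After"
    return $After
}

# Policy.ReadWrite.AuthenticationMethod covers the GET and the PATCH; User.Read.All is
# only needed to resolve the UPN to an object id.
Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.AuthenticationMethod, User.Read.All

$User = Get-MgUser -UserId 'user@example.com' -Property Id   # placeholder UPN
Set-PerUserMfaState -UserId $User.Id -State 'enabled'
```

If the PATCH returns 403 while the GET succeeds, the session has the scope but the signed-in account lacks a role that allows writing authentication policy; if both return 403, the scope itself was never consented, which is the situation described in the replies above.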
By: John (Fri, 14 Jun 2024 10:49:51 +0000) https://office365itpros.com/2024/06/14/per-user-mfa-state/#comment-12432

Woohoo!! Thanks for highlighting this, Tony! I’ve been having to painfully and slowly retrieve per-user MFAStatus via a PHP call to a Windows server running PowerShell (!) for the last couple of years, but this finally properly exposes MFAStatus through the Graph API. I would have had no idea that MS finally got it together and released this new method without your post.

Now if they’ll just let me *set* the Per-User MFA Status through the API, I can shut down that Windows PowerShell kludge permanently.
