Recently I wrote about reporting on individual Azure AD Users Authentication Methods using Microsoft Graph and PowerShell. Whilst this is great at a user level, Azure AD Authentication Methods Summary Reports at an organization level are often requested by IT Management. And whilst they can be obtained from the Azure Portal (Azure Active Directory > Security > Authentication Methods > Activity), how can we get them programmatically? In this post I will show how to extract Azure AD Authentication Methods Summary Reports using Microsoft Graph and PowerShell.
Microsoft’s Authentication Methods Activity documentation shows what Azure AD Authentication Methods Summary Reports contain. The authentication methods usage reports provide visibility of how users in your organization use Azure Active Directory features such as Multi-Factor Authentication, Self-Service Password Reset and Passwordless authentication.
The example script in this post utilizes an additional PowerShell Module to simplify the process. You will require:
An Azure AD Tenant that is licensed for Azure AD Premium P1 or P2 in order to access usage and insights.
You will need to register an Azure AD Application with Delegated Permissions for the Reports.Read.All scope. The registered application will need to be authorized (Admin consent) for the tenant. The script will require the registered Application (client) ID and Directory (tenant) ID from the Overview page of the registered application.
When running the script for the first time it will initiate the DeviceCode flow (where you will go to https://microsoft.com/devicelogin and enter the code provided on the console output) and then sign-in with an Azure AD Account that must be a member of one of the following roles.
Finally on the Authentication tab of your registered Azure AD Application you will need to enable “Allow public client flows” as shown below.
The script contains 5 functions. As mentioned above, there is a function that leverages the MSAL.PS PowerShell Module to simplify authentication to Microsoft Graph. The DelegatedAuthN function takes the -clientID and -tenantID parameters. The clientID is the Application (client) ID of the AAD registered application. The tenantID parameter is the Directory (tenant) ID of the Azure AD Tenant where the application is registered.
The GetAADUsersAuthRegisteredByMethod function returns the summary of Azure AD Users’ Authentication registration methods.
The GetAADUsersAuthRegisteredByFeature function returns the summary of Azure AD Users’ Authentication registrations by feature.
The GetAADUsersCredentialUserRegistrationCount function returns the summary of Azure AD Users’ Registration Count by methods.
The GetAADUsersCredentialUsageSummary function returns the summary of Azure AD Users’ Credential method usage for Reset and Registration events.
Here are examples of the output from each of the functions above.
```powershell
$AuthRegisteredByMethod = GetAADUsersAuthRegisteredByMethod
$AuthRegisteredByMethod.userRegistrationMethodCounts

$AuthRegisteredByFeature = GetAADUsersAuthRegisteredByFeature
$AuthRegisteredByFeature
$AuthRegisteredByFeature.userRegistrationFeatureCounts

$CredentialUserRegistrationCount = GetAADUsersCredentialUserRegistrationCount
$CredentialUserRegistrationCount
$CredentialUserRegistrationCount.userRegistrationCounts

$CredentialUsageSummary = GetAADUsersCredentialUsageSummary -period '30'
$CredentialUsageSummary
```
For each authentication method an object is returned for Reset and Registration events. Here is an example of the Reset use of the mobileSMS method. Note that GetAADUsersCredentialUsageSummary takes the -period parameter for the period (days) you are requesting a summary for. Valid options are 1, 7 and 30.
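The post's script is not reproduced above, so here is an added example (my code, not the post's script) that implements the same five functions end to end: a device-code delegated sign-in via MSAL.PS and the four summary reports. It assumes the MSAL.PS module is installed, the app registration has the Reports.Read.All delegated permission with admin consent and public client flows enabled, and that the functions call the Microsoft Graph beta report endpoints named in the code; those endpoint paths, the -accessToken parameter, and the authMethod property used in the final filter are my assumptions rather than details taken from the page.

```powershell
#Requires -Modules MSAL.PS
# Added example: Azure AD Authentication Methods Summary Reports via Microsoft Graph (beta).
# Assumptions: Reports.Read.All delegated permission with admin consent, public client flows
# enabled on the app registration, and the beta endpoints below (not shown on the page).

$clientID  = '<application-client-id>'   # placeholder: Application (client) ID from the app Overview page
$tenantID  = '<directory-tenant-id>'     # placeholder: Directory (tenant) ID from the app Overview page
$graphBeta = 'https://graph.microsoft.com/beta'

function DelegatedAuthN {
    param(
        [Parameter(Mandatory)][string]$clientID,
        [Parameter(Mandatory)][string]$tenantID
    )
    # Device-code flow: the console prints https://microsoft.com/devicelogin and a one-time code.
    # MSAL.PS caches the token, so later runs in the same profile refresh silently.
    $token = Get-MsalToken -ClientId $clientID -TenantId $tenantID -DeviceCode `
        -Scopes 'https://graph.microsoft.com/Reports.Read.All'
    return $token.AccessToken
}

function Invoke-GraphReport {
    param(
        [Parameter(Mandatory)][string]$uri,
        [Parameter(Mandatory)][string]$accessToken
    )
    $headers = @{ Authorization = "Bearer $accessToken" }
    return Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
}

function GetAADUsersAuthRegisteredByMethod {
    param([Parameter(Mandatory)][string]$accessToken)
    # Summary of users registered per authentication method (userRegistrationMethodCounts)
    Invoke-GraphReport -uri "$graphBeta/reports/authenticationMethods/usersRegisteredByMethod" -accessToken $accessToken
}

function GetAADUsersAuthRegisteredByFeature {
    param([Parameter(Mandatory)][string]$accessToken)
    # Summary of users registered per feature, e.g. MFA, SSPR, passwordless (userRegistrationFeatureCounts)
    Invoke-GraphReport -uri "$graphBeta/reports/authenticationMethods/usersRegisteredByFeature" -accessToken $accessToken
}

function GetAADUsersCredentialUserRegistrationCount {
    param([Parameter(Mandatory)][string]$accessToken)
    # Registration counts by method; the collection is returned in the 'value' property
    $result = Invoke-GraphReport -uri "$graphBeta/reports/getCredentialUserRegistrationCount" -accessToken $accessToken
    return $result.value
}

function GetAADUsersCredentialUsageSummary {
    param(
        [Parameter(Mandatory)][string]$accessToken,
        [ValidateSet('1', '7', '30')][string]$period = '30'   # days; Graph expects D1, D7 or D30
    )
    # One object per authentication method for each of the registration and reset features
    $uri = "$graphBeta/reports/getCredentialUsageSummary(period='D$period')"
    $result = Invoke-GraphReport -uri $uri -accessToken $accessToken
    return $result.value
}

# Usage: authenticate once (device code on first run), then pull all four reports
$accessToken = DelegatedAuthN -clientID $clientID -tenantID $tenantID

$AuthRegisteredByMethod = GetAADUsersAuthRegisteredByMethod -accessToken $accessToken
$AuthRegisteredByMethod.userRegistrationMethodCounts

$AuthRegisteredByFeature = GetAADUsersAuthRegisteredByFeature -accessToken $accessToken
$AuthRegisteredByFeature.userRegistrationFeatureCounts

$CredentialUserRegistrationCount = GetAADUsersCredentialUserRegistrationCount -accessToken $accessToken
$CredentialUserRegistrationCount.userRegistrationCounts

$CredentialUsageSummary = GetAADUsersCredentialUsageSummary -accessToken $accessToken -period '30'
# Reset and registration usage for the mobileSMS method (authMethod is an assumed property name)
$CredentialUsageSummary | Where-Object { $_.authMethod -eq 'mobileSMS' }
```

The [ValidateSet] on -period rejects anything other than the 1, 7 and 30 day windows the report supports before a request is made, and the bearer token is passed explicitly so each function can be called from a script that has already authenticated rather than relying on a script-scoped variable.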
Below is the script with the functions to return the Azure AD Authentication Methods Summary Reports data.
The script is parameterized. Make the following updates with your configuration information:
As mentioned above, line 194 of the script only needs to be executed once (per user profile on a local machine). It will output the following to the PowerShell console. Copy the URL to a browser, enter the one-time code, and then authenticate with an account for the Tenant associated with the TenantID and ClientID used that also has the permissions listed in the Prerequisites section.
Enter the Code from the console output above
Sign in with an account with the required permissions
If you’ve given the correct parameters with the appropriate access you will be successful in obtaining an Access Token with the necessary permissions.
It is awesome to see these features now in Microsoft Graph. Authentication Methods and their visibility was a shortcoming of Microsoft Graph for a long time.
The example script here can be extended to take the output and generate your own Microsoft Excel reports and charts (potentially inspired by what is available in the Azure Portal) using the ImportExcel PowerShell module that I showed in this recent post Getting Microsoft 365 Individual User Usage Reports with PowerShell.