Get-MsolUser for StrongAuthenticationUserDetails are different results than Get-AzureADUser #49247

Closed
JBHorne opened this issue Mar 1, 2020 — with docs.microsoft.com · 8 comments

JBHorne commented Mar 1, 2020

In our environment, the "mobile" field for AzureAD is only populated if the user has a corporate device. Personal mobile numbers are not within this field as this can be seen by all. Instead, our users populate their mobile number and personal email address from within SSPR. We can see this by running:
Get-MsolUser -EnabledFilter EnabledOnly -All | Select UserPrincipalName, DisplayName, MobilePhone, AlternateEmailAddresses, AlternateMobilePhones -ExpandProperty StrongAuthenticationUserDetails

The article above appears to make feature parity with the following command:
Get-AzureADUser | select DisplayName,UserPrincipalName,otherMails,Mobile,TelephoneNumber | Format-Table

However, these are very different data sets. The above is reading private data from the MSOL attribute, whereas the latter is reading the public email address and mobile.

With MSOnline modules being deprecated (you cannot use these within Azure Automation, for example), this means that we need feature parity for reading the StrongAuthenticationUserDetails with the Get-AzureADUser cmdlet.

Moreover, the article is simply incorrect that these are one and the same.

@BharathNimmala-MSFT
Contributor

@JBHorne Thank you for your valuable feedback. Our team will look into this further and get back to you at the earliest.

@iainfoulds
Contributor

Sorry for the delay on this. The engineering work team has acknowledged there isn't feature parity in areas like this, and are also leaning towards the Microsoft Graph API to directly query information as needed. At this time, there's no ETA on those updates being available. Doc updates will be made once there are updates from engineering to share. For now, #please-close

@JBHorne
Author

JBHorne commented Apr 29, 2020

I'm not sure why this was closed. The article is still incorrect.

@LRSFC-DanJ

LRSFC-DanJ commented Jun 11, 2020

We are also seeing this issue at my workplace. There appears to be no way to access or update the Authentication Phone or Authentication Email properties of an Azure AD user using the AzureAD v2 PowerShell module.

We also checked through Graph Explorer but could not see those properties represented in Microsoft Graph either.

@JasonRBeer
Contributor

I was reading through this article and came here to post essentially this same issue. This really shouldn't be closed. The article should be updated.

Someone who doesn't have a good understanding of PowerShell or Azure AD could easily add a bunch of mobile numbers thinking they would only be used for SSPR. In reality they would be seen by all of the org. This could be a major problem in some organizations.
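
Added example, not part of the thread or of Microsoft's documentation: a PowerShell audit for the exposure described in the comment above, flagging users whose SSPR/MFA phone also sits in the directory-visible `MobilePhone` attribute. It assumes objects shaped like `Get-MsolUser` output; the function names, the sample users and the suffix-matching rule are hypothetical.

```powershell
# Added example. Sample objects are constructed; property names follow Get-MsolUser output.
function ConvertTo-PhoneDigits {
    param([string]$Number)
    if ([string]::IsNullOrWhiteSpace($Number)) { return '' }
    # Keep digits only, then drop a national trunk prefix such as a leading 0.
    return ($Number -replace '\D', '').TrimStart('0')
}

function Test-SamePhone {
    param([string]$Left, [string]$Right)
    $l = ConvertTo-PhoneDigits $Left
    $r = ConvertTo-PhoneDigits $Right
    # Assumption: fewer than 7 digits is too short to compare reliably.
    if ($l.Length -lt 7 -or $r.Length -lt 7) { return $false }
    # Suffix match tolerates one side missing the country code.
    return $l.EndsWith($r) -or $r.EndsWith($l)
}

function Find-ExposedAuthPhone {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $auth = $User.StrongAuthenticationUserDetails
        if ($null -eq $auth) { return }
        foreach ($authPhone in @($auth.PhoneNumber, $auth.AlternativePhoneNumber)) {
            if (Test-SamePhone $User.MobilePhone $authPhone) {
                # The private authentication number is also readable in the directory.
                [pscustomobject]@{
                    UserPrincipalName = $User.UserPrincipalName
                    PublicMobile      = $User.MobilePhone
                    AuthPhone         = $authPhone
                }
                break
            }
        }
    }
}

# Constructed sample data standing in for Get-MsolUser results.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; MobilePhone = '07700 900123'
        StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+44 7700900123'; AlternativePhoneNumber = $null } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; MobilePhone = '+1 425 555 0100'
        StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+1 4255550199'; AlternativePhoneNumber = $null } }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; MobilePhone = $null
        StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+1 2065550142'; AlternativePhoneNumber = $null } }
)

# Only alice is reported: her public mobile matches her authentication phone.
$sample | Find-ExposedAuthPhone | Format-Table
```

Against a live tenant, the same function can take the output of `Get-MsolUser -EnabledFilter EnabledOnly -All` from the pipeline in place of `$sample`.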

@lbgo

lbgo commented Oct 15, 2021

Still waiting on this.

@LRSFC-DanJ

There is actually a method in MS Graph beta now to create the authenticationPhone.
See https://docs.microsoft.com/en-us/graph/api/authentication-post-phonemethods?view=graph-rest-beta&tabs=http
This did not exist previously.
