New command: List authentication methods registered for users #5773
Comments
Nice suggestion @MartinM85, I've a few pointers we should discuss before delving into it.

@Jwaegebaert Spec. updated. Not sure about the second point
It can be a real use case to filter by more than one value. But for me it's OK to allow only one value. Right now, I'm not sure about the separator for the

@Jwaegebaert I've removed

@Jwaegebaert @milanholemans Any other thoughts?
In the list of examples, I find it confusing that some examples say For bool options, let's consider if we can make them into flags to make them easier to use. For example
or
Let's consider this design for all other bool options that you proposed.

@waldekmastykarz All bool options have three states true/false/not specified. I will update the descriptions for those options. If the endpoint allows multiple values for the options
Right, but the command is not retrieving users. It's retrieving their auth methods, right? So the filters apply to users, but in the end, you get auth methods.
Are we passing the specified values as-is to the API or are we considering them an OR filter? Ideally, let's clarify this with descriptions/remarks/examples so that users won't have to wonder/guess how the command works.

The OR filter will be applied when multiple values for the options userPreferredMethodForSecondaryAuthentication, systemPreferredAuthenticationMethods, and registeredMethods are set. I will add a remark to the spec and to the doc.

Okay, I think the specs are clear enough now. So let's ship it 😄
Usage
m365 entra user registrationdetails list
Description
Retrieves a list of the authentication methods registered for users.
Options
--isAdmin [isAdmin]
true or false. If not specified, returns all users.

--userType [userType]
member or guest. If not specified, returns all users.

--userPreferredMethodForSecondaryAuthentication [userPreferredMethodForSecondaryAuthentication]
push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms or none. Specify either one method or more methods separated by a comma.

--systemPreferredAuthenticationMethods [systemPreferredAuthenticationMethods]
push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms or none. Specify either one method or more methods separated by a comma.

--isSelfServicePasswordResetRegistered [isSelfServicePasswordResetRegistered]
true or false. If not specified, returns all users.

--isSelfServicePasswordResetEnabled [isSelfServicePasswordResetEnabled]
true or false. If not specified, returns all users.

--isSelfServicePasswordResetCapable [isSelfServicePasswordResetCapable]
true or false. If not specified, returns all users.

--isMfaRegistered [isMfaRegistered]
true or false. If not specified, returns all users.

--isMfaCapable [isMfaCapable]
true or false. If not specified, returns all users.

--isPasswordlessCapable [isPasswordlessCapable]
true or false. If not specified, returns all users.

--isSystemPreferredAuthenticationMethodEnabled [isSystemPreferredAuthenticationMethodEnabled]
true or false. If not specified, returns all users.

--methodsRegistered [methodsRegistered]
mobilePhone, email, fido2, microsoftAuthenticatorPush or softwareOneTimePasscode. Specify either one method or more methods separated by a comma.

--userIds [userIds]

--userPrincipalNames [userPrincipalNames]

-p, --properties [properties]
Examples
Retrieve registration details for all users
Retrieve user registration details and return only specific properties
m365 entra user registrationdetails list --properties 'id,isAdmin'
Retrieve registration details for admins
m365 entra user registrationdetails list --isAdmin true
Retrieve registration details for guest users
Retrieve registration details for users who selected push authentication method as the default second-factor for performing multifactor authentication
Retrieve registration details for users who selected either sms or push authentication method as the default second-factor for performing multifactor authentication
Retrieve registration details for users with push authentication method as the most secure authentication method among the registered methods for second factor authentication determined by the system
Retrieve registration details for users with either sms or push authentication method as the most secure authentication methods among the registered methods for second factor authentication determined by the system
Retrieve registration details for users who have used Microsoft Authenticator app during registration
Retrieve registration details for users who have used either Microsoft Authenticator app or mobile phone during registration
Retrieve registration details for users who are not registered for multi-factor authentication
m365 entra user registrationdetails list --isMfaRegistered false
Retrieve registration details for users specified by id
m365 entra user registrationdetails list --userIds '121bca22-1a6b-455b-9e5d-64c5ef5e471d,fec200ce-a7a9-42cd-9717-3a3179a99b72'
Retrieve registration details for users specified by user principal names
m365 entra user registrationdetails list --userPrincipalNames 'AdeleV@contoso.com,johndoe@contoso.com'
Default properties
Additional Info
It is quite a useful report, at least for administrators.
API: https://learn.microsoft.com/en-us/graph/api/authenticationmethodsroot-list-userregistrationdetails?view=graph-rest-1.0&tabs=http
The same report is in the Entra admin center
Filtering by userPrincipalNames and userDisplayNames is supported by default by the endpoint. When userIds option is specified, the command will find userPrincipalNames first.

The endpoint requires AuditLog.Read.All permission.

Add remark to the documentation about the behavior when multiple values for the options userPreferredMethodForSecondaryAuthentication, systemPreferredAuthenticationMethods, and registeredMethods are set.

When multiple values are specified for userPreferredMethodForSecondaryAuthentication option, the command returns registration details with at least one specified selected method as default second-factor authentication.

When multiple values are specified for systemPreferredAuthenticationMethods option, the command returns registration details with at least one specified most secure authentication methods registered for second-factor authentication.

When multiple values are specified for registeredMethods option, the command returns registration details with at least one specified registered methods used during registration.

I will work on it.
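
The OR behaviour described in the remark above, sketched as an added TypeScript example (not code from this issue or from the CLI for Microsoft 365 repository): it turns the tri-state bool options and the comma-separated options into one OData filter expression, checking each value against the allow-lists in the spec. The names `buildFilter` and `orGroup`, the `any` lambda form for the collection properties, and the AND between different options are assumptions.

```typescript
// Added example: hypothetical helper, not code from the CLI for Microsoft 365 repository.
type Options = {
  isAdmin?: boolean;          // tri-state: true, false, or not specified
  isMfaRegistered?: boolean;
  userPreferredMethodForSecondaryAuthentication?: string; // comma-separated
  systemPreferredAuthenticationMethods?: string;          // comma-separated
  registeredMethods?: string;                             // comma-separated
};

// Allowed values, copied from the option descriptions in the spec.
const AUTH_METHODS = ['push', 'oath', 'voiceMobile', 'voiceAlternateMobile', 'voiceOffice', 'sms', 'none'];
const REGISTERED_METHODS = ['mobilePhone', 'email', 'fido2', 'microsoftAuthenticatorPush', 'softwareOneTimePasscode'];

// Turns one comma-separated option into a single OR group. Values outside the
// allow-list are rejected, so raw input never reaches the filter string.
function orGroup(option: string, raw: string | undefined, allowed: string[],
  clause: (value: string) => string): string[] {
  if (raw === undefined) {
    return [];
  }
  const values = raw.split(',').map(v => v.trim());
  const invalid = values.filter(v => allowed.indexOf(v) === -1);
  if (invalid.length > 0) {
    throw new Error(`Invalid value(s) for --${option}: ${invalid.join(', ')}`);
  }
  const joined = values.map(clause).join(' or ');
  return [values.length > 1 ? `(${joined})` : joined];
}

// Assumption: separate options narrow the result (AND); the spec only defines
// OR within one option. The 'any' lambda form for collections is also assumed.
function buildFilter(o: Options): string {
  const parts: string[] = [];
  if (o.isAdmin !== undefined) { parts.push(`isAdmin eq ${o.isAdmin}`); }
  if (o.isMfaRegistered !== undefined) { parts.push(`isMfaRegistered eq ${o.isMfaRegistered}`); }
  return parts
    .concat(orGroup('userPreferredMethodForSecondaryAuthentication', o.userPreferredMethodForSecondaryAuthentication,
      AUTH_METHODS, v => `userPreferredMethodForSecondaryAuthentication eq '${v}'`))
    .concat(orGroup('systemPreferredAuthenticationMethods', o.systemPreferredAuthenticationMethods,
      AUTH_METHODS, v => `systemPreferredAuthenticationMethods/any(m:m eq '${v}')`))
    .concat(orGroup('registeredMethods', o.registeredMethods,
      REGISTERED_METHODS, v => `methodsRegistered/any(m:m eq '${v}')`))
    .join(' and ');
}

// Constructed input: admins who registered the Authenticator app or a mobile phone.
const sampleFilter = buildFilter({ isAdmin: true, registeredMethods: 'microsoftAuthenticatorPush,mobilePhone' });
```

An option left unspecified contributes no clause, which matches the "If not specified, returns all users" wording for the bool options.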