Introduction:
I was recently working on the rollout of a passwordless authentication solution in Microsoft Entra ID, which included Windows Hello for Business and Passkeys (FIDO2 security keys).
As part of that rollout, one of the requirements was to identify all users and their registered authentication methods — things like MFA, Self-Service Password Reset (SSPR), and passwordless capability.
While the Entra admin portal provides a view of this information under Authentication methods, however if you are looking for a way to export the data directly to a CSV file using PowerShell makes it much easier to process in Excel, Power BI, or any reporting tool.
I recently wrote a blog post on getting this same data into Power BI: Automating Entra ID User Registration Insights with Microsoft Graph API and Power BI – Complete Guide
In this post, we’ll focus on exporting the authentication method registration details to a CSV file using PowerShell.
For this script, I’m using the Microsoft Graph beta endpoint instead of v1.0
because the defaultMfaMethod
property — which is very useful for understanding users’ preferred MFA setup — is only available in beta at the time of writing this blog post.
Prerequisites:
Before running the script, make sure you have:
- Global Administrator or Report Reader or delegated permissions role in Microsoft Entra ID.
- Microsoft Graph PowerShell SDK module installed — the script below will automatically attempt to install it if missing.
- AuditLog.Read.All Graph API permission (delegated) — this will be requested during the login prompt.
The PowerShell Script:
The following script will:
- Check if the Microsoft.Graph module is installed; if not, attempt to install it.
- Connect to Microsoft Graph using delegated permissions.
- Query the beta endpoint for all users’ authentication registration details (with pagination).
- Save the results to a CSV file in the script’s current directory
Script output:
Download the PowerShell script from Github repository and try it.
If you need a script to run in unattended using ClientID and secret, download the powershell script from Github location and try it.
Let me know your feedback in the comments section.