How to retrieve a list of authentication methods registered to a user via an API call

CHANDAN CHOLENAHALLI 0 Reputation points
2023-03-16T18:58:56.4466667+00:00

I am trying to retrieve a list of authentication methods registered to a user, or get the authentication methods available for users, or get users with their registered authentication methods. I tried a regular HTTP query as below, which works for retrieving other information like Azure role assignments, group members, directory roles, etc., but the below call to get a user's authentication methods per this Microsoft doc does not seem to work, even when a user with Global Admin powers tries:

az rest --method get --url "https://graph.microsoft.com/beta/users/user@xyz.com/authentication/methods"

I also tried

az rest --method get --url "https://graph.microsoft.com/beta/me/authentication/methods/{id}"

and the PowerShell commands referred to here.

He gets the below error (he is GA); I get the same as a regular user:

Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2023-03-16T18:45:46","request-id":"xyz","client-request-id":"{xyz}"}}})


1 answer

  1. Siddharth Gautam 855 Reputation points
    2023-03-16T23:49:26.8233333+00:00

    Hello CHANDAN CHOLENAHALLI,

    Thanks for posting!

    I was able to replicate the error message when I tried to read users' authentication methods after consenting to the UserAuthenticationMethod.Read delegated permission using the below Graph endpoint:

    GET /users/{id | userPrincipalName}/authentication/methods

    Please note that to read users' authentication methods, you need to consent to the UserAuthenticationMethod.Read.All permission (delegated, least privileged). One of the following permissions is required to call this API.

    • permission acting on self (Supports only delegated permissions).
    • permission acting on other users (Supports both delegated and application permissions).

    Note - For delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

    • Global administrator
    • Global reader
    • Privileged authentication administrator
    • Authentication administrator (only sees masked phone numbers)

    Refer to the links below for a better understanding:

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

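A local check for the permission requirement described in the answer above, as an added example that is not part of the original thread: it decodes an access token's payload and reports whether the token carries a scope that allows reading authentication methods for the caller or for another user. It assumes the token exposes delegated scopes in `scp` and application permissions in `roles`; the helper names and the sample tokens are constructed for illustration.

```python
import base64
import json

# The two scopes the answer names, plus their higher-privileged ReadWrite counterparts.
SELF_SCOPES = {"UserAuthenticationMethod.Read", "UserAuthenticationMethod.ReadWrite"}
ALL_SCOPES = {"UserAuthenticationMethod.Read.All", "UserAuthenticationMethod.ReadWrite.All"}


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload without verifying the signature (local diagnosis only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def can_read_auth_methods(claims: dict, target_is_self: bool) -> tuple[bool, str]:
    """Return (allowed, reason) for GET /users/{id}/authentication/methods."""
    delegated = set(claims.get("scp", "").split())  # assumption: space-separated string
    app_perms = set(claims.get("roles", []))        # assumption: list of permission names
    if app_perms & ALL_SCOPES:
        return True, "application permission present"
    if delegated & ALL_SCOPES:
        return True, "delegated .All scope present; caller still needs a listed admin role"
    if delegated & SELF_SCOPES:
        if target_is_self:
            return True, "self-only delegated scope present"
        return False, "self-only scope; another user needs UserAuthenticationMethod.Read.All"
    return False, "no UserAuthenticationMethod scope in token"


def _constructed_jwt(claims: dict) -> str:
    """Build an unsigned sample token (hypothetical helper for the demonstration)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"


# Constructed samples, not real tokens.
SELF_ONLY = _constructed_jwt({"scp": "User.Read UserAuthenticationMethod.Read"})
ADMIN = _constructed_jwt({"scp": "User.Read UserAuthenticationMethod.Read.All"})
APP = _constructed_jwt({"roles": ["UserAuthenticationMethod.Read.All"]})
NO_SCOPE = _constructed_jwt({"scp": "User.Read Directory.Read.All"})

if __name__ == "__main__":
    for name, tok in [("self-only", SELF_ONLY), ("admin", ADMIN), ("app", APP), ("no-scope", NO_SCOPE)]:
        print(name, can_read_auth_methods(token_claims(tok), target_is_self=False))
```

A real token to inspect can be obtained with `az account get-access-token --resource-type ms-graph`. The admin-role requirement for delegated calls on another user is enforced separately and is not checked here.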