How to retrieve a list of authentication methods registered to a user via an API call

CHANDAN CHOLENAHALLI 0 Reputation points
2023-03-16T18:58:56.4466667+00:00

I am trying to retrieve a list of authentication methods registered to a user, or get the authentication methods available for users, or get users with their registered authentication methods. I tried a regular HTTP query as below, which works for retrieving other information like Azure role assignments, group members, directory roles, etc., but the below call to get a user's authentication methods per this Microsoft doc does not seem to work, even when a user with Global Admin powers tries:

az rest --method get --url "https://graph.microsoft.com/beta/users/user@xyz.com/authentication/methods"

also tried

az rest --method get --url "https://graph.microsoft.com/beta/me/authentication/methods/{id}"

and the PowerShell commands referred to here.

He gets the below error (he is GA); I get the same as a regular user:

Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2023-03-16T18:45:46","request-id":"xyz","client-request-id":"{xyz}"}}})


1 answer

  1. SiddharthGautam-MSFT 855 Reputation points Microsoft Vendor
    2023-03-16T23:49:26.8233333+00:00

    Hello CHANDAN CHOLENAHALLI,

    Thanks for posting!

    I was able to replicate the error message when I tried to read users' authentication methods after consenting to the UserAuthenticationMethod.Read delegated permission, using the below Graph endpoint:

    GET /users/{id | userPrincipalName}/authentication/methods

    Please note that to read users' authentication methods, you need to consent to the UserAuthenticationMethod.Read.All permission (delegated-least privileged). One of the following permissions is required to call this API.

    • permission acting on self (Supports only delegated permissions).
    • permission acting on other users (Supports both delegated and application permissions).

    Note - For delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

    • Global administrator
    • Global reader
    • Privileged authentication administrator
    • Authentication administrator (only sees masked phone numbers)

    Refer to the below links for better understanding:

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
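
To diagnose the accessDenied response discussed above, it helps to check which permissions the access token actually carries before calling the endpoint. The following is an added example, not part of the original question or answer: it decodes a token's `scp` (delegated) and `roles` (application) claims and applies the self / other-user rule from the answer. The function names, the sample tokens and the inclusion of the ReadWrite permission variants are assumptions made for illustration.

```python
import base64
import json

# The two Read permissions are the ones named in the answer; the ReadWrite
# variants are further Graph permissions, added here as an assumption.
SELF_ONLY = {"UserAuthenticationMethod.Read", "UserAuthenticationMethod.ReadWrite"}
ANY_USER = {"UserAuthenticationMethod.Read.All", "UserAuthenticationMethod.ReadWrite.All"}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def can_read_auth_methods(token, target_is_self):
    """Return (allowed, reason) for GET .../authentication/methods."""
    claims = jwt_claims(token)
    delegated = set(claims.get("scp", "").split())   # delegated permissions
    application = set(claims.get("roles", []))       # application permissions
    if delegated & ANY_USER:
        return True, "delegated .All scope (other users also need an admin role)"
    if target_is_self and delegated & SELF_ONLY:
        return True, "delegated self scope"
    if not target_is_self and application & ANY_USER:
        return True, "application .All permission"
    held = sorted(delegated | application) or ["<none>"]
    return False, "no usable permission in token; it carries: " + " ".join(held)


def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed samples; a real token would come from e.g.
#   az account get-access-token --resource https://graph.microsoft.com
SELF_TOKEN = make_token({"scp": "User.Read UserAuthenticationMethod.Read"})
ADMIN_TOKEN = make_token({"scp": "UserAuthenticationMethod.Read.All"})
APP_TOKEN = make_token({"roles": ["UserAuthenticationMethod.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("self", SELF_TOKEN), ("admin", ADMIN_TOKEN), ("app", APP_TOKEN)]:
        for is_self in (True, False):
            print(name, "self" if is_self else "other", can_read_auth_methods(tok, is_self))
```

An access token is a bearer credential, so decode it locally as above rather than pasting it into an online decoder.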