Edit

Share via


Get-EntraAuthenticationMethodUserRegistrationDetailReport

List the user's registered authentication methods.

Syntax

GetQuery (Default)

Get-EntraAuthenticationMethodUserRegistrationDetailReport

    [-Top <Int32>]
    [-All]
    [-Filter <String>]
    [-Sort <String>]
    [-Property <String[]>]
    [<CommonParameters>]

GetById

Get-EntraAuthenticationMethodUserRegistrationDetailReport

    -UserRegistrationDetailsId <String>
    [-Property <String[]>]
    [<CommonParameters>]

Description

The Get-EntraAuthenticationMethodUserRegistrationDetailReport cmdlet lists the user's registered authentication methods from the userRegistrationDetails object. This method doesn't work for disabled accounts (user accounts).

In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation:

  • Reports Reader
  • Security Reader
  • Security Administrator
  • Global Reader

Parameters

-All

List all pages.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Filter

Specifies an OData v4.0 filter statement. This parameter filters which objects are returned.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Property

Specifies properties to be returned.

Parameter properties

Type:

System.String[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:Select

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Sort

This parameter sorts the results by property.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SortBy, OrderBy

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Top

Specifies the maximum number of records to return.

Parameter properties

Type:System.Int32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Limit

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserRegistrationDetailsId

Specifies the user object identifier in Microsoft Entra ID.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Id

Parameter sets

GetById
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:True
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Outputs

isAdmin (Boolean)

Shows whether the user has an admin role in the tenant. Use it to check which authentication methods privileged accounts register and use.

isMfaCapable (Boolean)

Indicates that the user uses a strong MFA method allowed by the authentication methods policy. Supports $filter (eq).

isMfaRegistered (Boolean)

Indicates whether the user registers a strong MFA method, even if the authentication methods policy doesn't allow it. Supports $filter (eq).

isPasswordlessCapable (Boolean)

Shows if the user registers a passwordless strong authentication method—like FIDO2, Windows Hello for Business, or Microsoft Authenticator—that the policy allows. Supports $filter (eq).

isSsprCapable (Boolean)

Shows if the user has registered enough methods and is allowed to use self-service password reset based on policy. Supports $filter (eq).

isSsprEnabled (Boolean)

Shows if the user is allowed to use self-service password reset by policy, even if they haven’t registered enough authentication methods. Supports $filter (eq).

isSsprRegistered (Boolean)

Shows if the user registers enough authentication methods for self-service password reset, even if the policy doesn't allow them to use it. Supports $filter (eq).

isSystemPreferredAuthenticationMethodEnabled (Boolean)

Shows if system-preferred authentication is on. When enabled, the system selects the most secure method from the ones the user registers. Supports $filter (eq).

lastUpdatedDateTime (DateTimeOffset)

The date and time (in UTC) when the report was last updated, in ISO 8601 format. For example, midnight UTC on Jan 1, 2014 is shown as 2014-01-01T00:00:00Z.

methodsRegistered (String collection)

List of registered authentication methods, like mobilePhone, email, or passKeyDeviceBound. Supports $filter with any and eq.

systemPreferredAuthenticationMethods (String collection)

List of the most secure second-factor authentication methods chosen by the system from the user's registered methods. Values include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Supports $filter with any and eq.

userDisplayName (String)

The user's display name, like "Sawyer Miller." Supports $filter (eq, startsWith) and $orderby.

userPreferredMethodForSecondaryAuthentication (userDefaultAuthenticationMethod)

The user's chosen default method for second-factor authentication. Options include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Used as the preferred MFA method when system-preferred authentication is off. Supports $filter with any and eq.

userPrincipalName (String)

The user's sign-in name, like SawyerM@contoso.com. Supports $filter (eq, startsWith) and $orderby.

userType (signInUserType)

Shows if the user is a member or guest in the tenant. Values: member, guest.

Notes

Get-EntraAuthMethodUserRegistrationDetailReport is an alias for Get-EntraAuthenticationMethodUserRegistrationDetailReport.