Get-EntraAuthenticationMethodUserRegistrationDetailReport
List the user's registered authentication methods.
Syntax
Get-EntraAuthenticationMethodUserRegistrationDetailReport
[-Top <Int32>]
[-All]
[-Filter <String>]
[-Sort <String>]
[-Property <String[]>]
[<CommonParameters>]
Get-EntraAuthenticationMethodUserRegistrationDetailReport
-UserRegistrationDetailsId <String>
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraAuthenticationMethodUserRegistrationDetailReport cmdlet lists the user's registered authentication methods from the userRegistrationDetails object. This method doesn't work for disabled accounts (user accounts).
In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation:
- Reports Reader
- Security Reader
- Security Administrator
- Global Reader
Examples
Example 1: Get all users' registered authentication methods
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -All | Format-Table -AutoSize
Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable
-- ------- ------------ --------------- --------------------- -------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True
bbbbbbbb-1111-2222-3333-cccccccccccc False False False False False
cccccccc-2222-3333-4444-dddddddddddd False False False False False
dddddddd-3333-4444-5555-eeeeeeeeeeee False False False False False
This example demonstrates how to retrieve the registered authentication methods of all users.
Example 2: Get user's registered authentication methods by UserRegistrationDetailsId
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -UserRegistrationDetailsId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' | Format-Table -AutoSize
isMfaRegistered : False
@odata.context : https://graph.microsoft.com/v1.0/$metadata#reports/authenticationMethods/userRegistrationDetails(*)/$entity
userPrincipalName : [email protected]
isSystemPreferredAuthenticationMethodEnabled : True
id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
isSsprRegistered : False
isSsprEnabled : False
userDisplayName : Sawyer Miller
lastUpdatedDateTime : 3/16/2025 7:55:54 AM
userType : member
isAdmin : False
methodsRegistered : {}
systemPreferredAuthenticationMethods : {}
userPreferredMethodForSecondaryAuthentication : none
isPasswordlessCapable : False
isSsprCapable : False
isMfaCapable : False
This example shows how to retrieve a specific user's registered authentication methods by UserRegistrationDetailsId. The -UserRegistrationDetailsId parameter specifies the object identifier of the user whose registered authentication methods are returned.
Example 3: Get user's registered authentication methods with filtering
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -Filter "userType eq 'member'" | Format-Table -AutoSize
Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable
-- ------- ------------ --------------- --------------------- -------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True
bbbbbbbb-1111-2222-3333-cccccccccccc False False False False False
cccccccc-2222-3333-4444-dddddddddddd False False False False False
dddddddd-3333-4444-5555-eeeeeeeeeeee False False False False False
This example demonstrates how to retrieve users' registered authentication methods, filtered on the userType property.
Example 4: Retrieve user's registered authentication methods properties
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -Property id, userDisplayName, userType, isMfaRegistered, isPasswordlessCapable | Format-Table -AutoSize
Id UserDisplayName UserType IsMfaRegistered IsPasswordlessCapable
-- --------------- -------- ---------------- ---------------------
cccccccc-2222-3333-4444-dddddddddddd Angel Brown member True False
dddddddd-3333-4444-5555-eeeeeeeeeeee Alex Wilber member False False
eeeeeeee-4444-5555-6666-ffffffffffff Avery Smith member False False
bbbbbbbb-1111-2222-3333-cccccccccccc Christie Cline member False False
aaaaaaaa-bbbb-cccc-1111-222222222222 Patti Fernandez member False False
This example demonstrates how to retrieve selected properties of users' registered authentication methods. You can use -Select as an alias for -Property.
Example 5: Get a list of recently updated user's registered authentication methods details using 'sort'
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -All -Sort 'lastUpdatedDateTime desc' -Limit 4 | Format-Table -AutoSize
Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable
-- ------- ------------ --------------- --------------------- -------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True
This example shows how to list the most recently updated registration details by sorting on lastUpdatedDateTime in descending order. You can use -OrderBy or -SortBy as an alias for -Sort.
Example 6: Get a single result
Connect-Entra -Scopes 'AuditLog.Read.All'
Get-EntraAuthenticationMethodUserRegistrationDetailReport -Top 1 | Format-Table -AutoSize
Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable
-- ------- ------------ --------------- --------------------- -------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True
This example shows how to get one detail about the user's registered authentication methods. You can use -Limit as an alias for -Top.
Parameters
-All
List all pages.
Type: | System.Management.Automation.SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Filter
Specifies an OData v4.0 filter statement. This parameter filters which objects are returned.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Property
Specifies properties to be returned.
Type: | System.String[] |
Aliases: | Select |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Sort
This parameter sorts the results by property.
Type: | System.String |
Aliases: | SortBy, OrderBy |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Top
Specifies the maximum number of records to return.
Type: | System.Int32 |
Aliases: | Limit |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-UserRegistrationDetailsId
Specifies the user object identifier in Microsoft Entra ID.
Type: | System.String |
Aliases: | Id |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Outputs
isAdmin (Boolean)
Shows whether the user has an admin role in the tenant. Use it to check which authentication methods privileged accounts register and use.
isMfaCapable (Boolean)
Indicates that the user uses a strong MFA method allowed by the authentication methods policy. Supports $filter (eq).
isMfaRegistered (Boolean)
Indicates whether the user registers a strong MFA method, even if the authentication methods policy doesn't allow it. Supports $filter (eq).
isPasswordlessCapable (Boolean)
Shows if the user registers a passwordless strong authentication method (like FIDO2, Windows Hello for Business, or Microsoft Authenticator) that the policy allows. Supports $filter (eq).
isSsprCapable (Boolean)
Shows if the user has registered enough methods and is allowed to use self-service password reset based on policy. Supports $filter (eq).
isSsprEnabled (Boolean)
Shows if the user is allowed to use self-service password reset by policy, even if they haven’t registered enough authentication methods. Supports $filter (eq).
isSsprRegistered (Boolean)
Shows if the user registers enough authentication methods for self-service password reset, even if the policy doesn't allow them to use it. Supports $filter (eq).
isSystemPreferredAuthenticationMethodEnabled (Boolean)
Shows if system-preferred authentication is on. When enabled, the system selects the most secure method from the ones the user registers. Supports $filter (eq).
lastUpdatedDateTime (DateTimeOffset)
The date and time (in UTC) when the report was last updated, in ISO 8601 format. For example, midnight UTC on Jan 1, 2014 is shown as 2014-01-01T00:00:00Z.
methodsRegistered (String collection)
List of registered authentication methods, like mobilePhone, email, or passKeyDeviceBound. Supports $filter with any and eq.
systemPreferredAuthenticationMethods (String collection)
List of the most secure second-factor authentication methods chosen by the system from the user's registered methods. Values include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Supports $filter with any and eq.
userDisplayName (String)
The user's display name, like "Sawyer Miller." Supports $filter (eq, startsWith) and $orderby.
userPreferredMethodForSecondaryAuthentication (userDefaultAuthenticationMethod)
The user's chosen default method for second-factor authentication. Options include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Used as the preferred MFA method when system-preferred authentication is off. Supports $filter with any and eq.
userPrincipalName (String)
The user's sign-in name, like [email protected]. Supports $filter (eq, startsWith) and $orderby.
userType (signInUserType)
Shows if the user is a member or guest in the tenant. Values: member, guest.
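The flags described under Outputs can be combined into a short MFA coverage triage. The following is an added example, not part of the original documentation or the Microsoft Entra module: Get-MfaRegistrationGap is a hypothetical helper, the sample rows are constructed, and it assumes the objects the cmdlet returns expose the property names listed under Outputs.

```powershell
# Added example: triage userRegistrationDetails rows for MFA coverage gaps.
function Get-MfaRegistrationGap {   # hypothetical helper, not a Microsoft.Entra cmdlet
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Detail
    )
    process {
        $findings = @()
        # Privileged account without an MFA method that policy allows.
        if ($Detail.isAdmin -and -not $Detail.isMfaCapable) {
            $findings += 'AdminNotMfaCapable'
        }
        # A strong method is registered, but the authentication methods policy
        # does not allow it (isMfaRegistered without isMfaCapable).
        if ($Detail.isMfaRegistered -and -not $Detail.isMfaCapable) {
            $findings += 'RegisteredMethodNotAllowedByPolicy'
        }
        # Treat a null or empty methodsRegistered collection the same way.
        if (@($Detail.methodsRegistered | Where-Object { $_ }).Count -eq 0) {
            $findings += 'NoMethodsRegistered'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $Detail.userPrincipalName
                IsAdmin           = [bool]$Detail.isAdmin
                Findings          = $findings -join ','
            }
        }
    }
}

# Constructed sample rows (not real tenant data) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'admin1@contoso.example'; isAdmin = $true
        isMfaCapable = $false; isMfaRegistered = $false; methodsRegistered = @() }
    [pscustomobject]@{ userPrincipalName = 'user1@contoso.example'; isAdmin = $false
        isMfaCapable = $false; isMfaRegistered = $true; methodsRegistered = @('mobilePhone') }
    [pscustomobject]@{ userPrincipalName = 'user2@contoso.example'; isAdmin = $false
        isMfaCapable = $true; isMfaRegistered = $true; methodsRegistered = @('passKeyDeviceBound') }
)
$sample | Get-MfaRegistrationGap |
    Sort-Object -Property IsAdmin -Descending | Format-Table -AutoSize

# Against a tenant, feed the report into the same function:
# Connect-Entra -Scopes 'AuditLog.Read.All'
# Get-EntraAuthenticationMethodUserRegistrationDetailReport -All | Get-MfaRegistrationGap
```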
Notes
Get-EntraAuthMethodUserRegistrationDetailReport is an alias for Get-EntraAuthenticationMethodUserRegistrationDetailReport.