Closed MartinM85 closed 4 months ago
Nice suggestion @MartinM85, I've a few pointers we should discuss before delving into it.

- `userregistrationdetails` to `registrationdetails`, as we're aware that it'll be registration details about the user object because you're already using `m365 entra user`.
- `userPrefferedMethodForSecondaryAuthentication`, `systemPreferredAuthenticationMethods`, and `registeredMethods`?
- `Allowed values` instead of `Possible values`.
- `Specify either`, it refers to options that are required for executing the command. As these are optional, let's make it more clear that these are optional. I think for `userIds`, `userPrincipalNames`, and `userDisplayNames` it's already clear what it does so doesn't require the `Specify either` anymore.
- `registeredMethods` should be `methodsRegistered`
@Jwaegebaert Spec. updated.
Not sure about the second point. Wouldn't we make it overly complex if we allow multiple values for the options `userPrefferedMethodForSecondaryAuthentication`, `systemPreferredAuthenticationMethods`, and `registeredMethods`? It can be a real use-case to filter by more than one value. But for me it's ok to allow only one value.

Right now, I'm not sure about the separator for the `userDisplayNames` option. In my tenant, display names are without the comma, but I've already seen user display names like `Doe, John`. Maybe get rid of the `userDisplayNames` option.
@Jwaegebaert I've removed the `userDisplayNames` option.
@Jwaegebaert @milanholemans Any other thoughts?
In the list of examples, I find it confusing that some examples say `Retrieve registration details` and other `Retrieve users`. Let's make them consistent.

For bool options, let's consider if we can make them into flags to make them easier to use. For example `isAdmin`: should it have two or three states?

- `--isAdmin true` - returns only users who are admin
- `--isAdmin false` - returns only users who aren't admin

or

- `--isAdmin` - returns only users who are admin

Let's consider this design for all other bool options that you proposed.
@waldekmastykarz All bool options have three states true/false/not specified. I will update the descriptions for those options.
Those two examples say `Retrieve users`, because the filters are applied on registered methods to find out which users meet the conditions. In other examples, you filter users to get their authentication methods.

If the endpoint allows multiple values for the options `userPreferredMethodForSecondaryAuthentication`, `systemPreferredAuthenticationMethods`, and `registeredMethods`, why make a restriction for only one value?

> Those two examples say `Retrieve users`, because the filters are applied on registered methods to find out which users meet the conditions. In other examples, you filter users to get their authentication methods.

Right, but the command is not retrieving users. It's retrieving their auth methods, right? So the filters apply to users, but in the end, you get auth methods.

> If the endpoint allows multiple values for the options `userPreferredMethodForSecondaryAuthentication`, `systemPreferredAuthenticationMethods`, and `registeredMethods`, why make a restriction for only one value?

Are we passing the specified values as-is to the API or are we considering them an OR filter? Ideally, let's clarify this with descriptions/remarks/examples so that users won't have to wonder/guess how the command works.
The OR filter will be applied when multiple values for the options userPreferredMethodForSecondaryAuthentication, systemPreferredAuthenticationMethods, and registeredMethods are set. I will add remark to the spec and to the doc.
Okay, I think the specs are clear enough now. So let's ship it 😄
Usage
m365 entra user registrationdetails list
Description
Retrieves a list of the authentication methods registered for users.
Options
| Option | Description |
|---|---|
| `--isAdmin [isAdmin]` | `true` or `false`. If not specified, returns all users. |
| `--userType [userType]` | `member` or `guest`. If not specified, returns all users. |
| `--userPreferredMethodForSecondaryAuthentication [userPreferredMethodForSecondaryAuthentication]` | `push`, `oath`, `voiceMobile`, `voiceAlternateMobile`, `voiceOffice`, `sms` or `none`. Specify either one method or more methods separated by a comma. |
| `--systemPreferredAuthenticationMethods [systemPreferredAuthenticationMethods]` | `push`, `oath`, `voiceMobile`, `voiceAlternateMobile`, `voiceOffice`, `sms` or `none`. Specify either one method or more methods separated by a comma. |
| `--isSelfServicePasswordResetRegistered [isSelfServicePasswordResetRegistered]` | `true` or `false`. If not specified, returns all users. |
| `--isSelfServicePasswordResetEnabled [isSelfServicePasswordResetEnabled]` | `true` or `false`. If not specified, returns all users. |
| `--isSelfServicePasswordResetCapable [isSelfServicePasswordResetCapable]` | `true` or `false`. If not specified, returns all users. |
| `--isMfaRegistered [isMfaRegistered]` | `true` or `false`. If not specified, returns all users. |
| `--isMfaCapable [isMfaCapable]` | `true` or `false`. If not specified, returns all users. |
| `--isPasswordlessCapable [isPasswordlessCapable]` | `true` or `false`. If not specified, returns all users. |
| `--isSystemPreferredAuthenticationMethodEnabled [isSystemPreferredAuthenticationMethodEnabled]` | `true` or `false`. If not specified, returns all users. |
| `--methodsRegistered [methodsRegistered]` | `mobilePhone`, `email`, `fido2`, `microsoftAuthenticatorPush` or `softwareOneTimePasscode`. Specify either one method or more methods separated by a comma. |
| `--userIds [userIds]` | |
| `--userPrincipalNames [userPrincipalNames]` | |
| `-p, --properties [properties]` | |
Examples
Retrieve registration details for all users
Retrieve user registration details and return only specific properties
Retrieve registration details for admins
Retrieve registration details for guest users
Retrieve registration details for users who selected push authentication method as the default second-factor for performing multifactor authentication
Retrieve registration details for users who selected either sms or push authentication method as the default second-factor for performing multifactor authentication
Retrieve registration details for users with push authentication method as the most secure authentication method among the registered methods for second factor authentication determined by the system
Retrieve registration details for users with either sms or push authentication method as the most secure authentication methods among the registered methods for second factor authentication determined by the system
Retrieve registration details for users who have used Microsoft Authenticator app during registration
Retrieve registration details for users who have used either Microsoft Authenticator app or mobile phone during registration
Retrieve registration details for users who are not registered for multi-factor authentication
Retrieve registration details for users specified by id
Retrieve registration details for users specified by user principal names
Default properties
Additional Info
It is a quite useful report, at least for administrators.

API: https://learn.microsoft.com/en-us/graph/api/authenticationmethodsroot-list-userregistrationdetails?view=graph-rest-1.0&tabs=http

The same report is in the Entra admin center.

Filtering by `userPrincipalNames` and `userDisplayNames` is supported by default by the endpoint. When the `userIds` option is specified, the command will find `userPrincipalNames` first.

The endpoint requires the `AuditLog.Read.All` permission.

Add a remark to the documentation about the behavior when multiple values for the options `userPreferredMethodForSecondaryAuthentication`, `systemPreferredAuthenticationMethods`, and `registeredMethods` are set.

When multiple values are specified for the `userPreferredMethodForSecondaryAuthentication` option, the command returns registration details with at least one of the specified methods selected as the default second-factor authentication.

When multiple values are specified for the `systemPreferredAuthenticationMethods` option, the command returns registration details with at least one of the specified methods as the most secure authentication method registered for second-factor authentication.

When multiple values are specified for the `registeredMethods` option, the command returns registration details with at least one of the specified methods used during registration.

I will work on it.