m365Corner
Home / M365 PowerShell / Get-MgReportAuthenticationMethodUserRegistrationDetail
M365 PowerShell

Get-MgReportAuthenticationMethodUserRegistrationDetail

The Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet from Microsoft Graph PowerShell allows administrators to retrieve a comprehensive report of user authentication methods related details such as MFA registration status, SSPR (Self-Service Password Reset) capabilities, passwordless capabilities, and more. This is an essential tool for tracking identity protection compliance across the tenant.

Cmdlet Syntax

Get-MgReportAuthenticationMethodUserRegistrationDetail [-All] [-Top <Int32>] [-Filter <String>] [-ConsistencyLevel <String>] [-CountVariable <String>] [<CommonParameters>]

🔐 Important: This cmdlet requires Microsoft.Graph.Reports module and appropriate Graph permissions (Reports.Read.All).

Usage Examples

  1. Get the full report of all users’ registration details
    2. Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    This fetches all user entries and their MFA, SSPR, and passwordless registration info.

  2. List only users who have MFA registered
    3. Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object { $_.IsMfaRegistered -eq $true } |
Select-Object UserPrincipalName, IsMfaRegistered

    Filters for users where IsMfaRegistered is True to audit MFA adoption.

  3. Find users who are both SSPR Capable and SSPR Enabled
    4. Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object { $_.IsSsprCapable -and $_.IsSsprEnabled } |
Select-Object UserPrincipalName, IsSsprCapable, IsSsprEnabled

    Useful for checking self-service password reset readiness.

  4. Find Admin Users Without MFA Registration
    5. 
Connect-MgGraph -Scopes "Reports.Read.All"
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object {
    $_.IsAdmin -eq $true -and $_.IsMfaRegistered -eq $false
} |
Select-Object UserPrincipalName,
              UserDisplayName,
              IsAdmin,
              IsMfaCapable,
              IsMfaRegistered,
              IsSsprEnabled,
              IsPasswordlessCapable |
Export-Csv "C:\Reports\AdminsWithoutMFA.csv" -NoTypeInformation


    What this script does

    This script identifies admin users who have not registered MFA and exports the results to a CSV file.

    Why this example is useful

    Admin accounts are high-risk targets. This report helps security teams quickly find privileged users who still need to complete MFA registration.

Cmdlet Tips

  • Use -All to retrieve the entire tenant’s data.
  • Combine with Export-Csv to generate compliance reports.
  • No date filter is supported — this returns the current registration status (last 30 days) snapshot.

Understanding Report Properties

Each user object returned includes the following flags:

Property Meaning
IsAdmin Indicates if the user is an Administrator or not.
IsMfaCapable Whether the user can register for MFA (e.g., has a phone number set).
IsMfaRegistered Whether the user has registered at least one MFA method.
IsPasswordlessCapable Whether passwordless authentication is supported (e.g., FIDO2).
IsSsprCapable Whether the user meets the requirements to enable SSPR.
IsSsprEnabled Whether the user has enabled SSPR for their account.

Use Cases

  • ✅ Audit MFA adoption across departments.
  • 🔐 Identify non-compliant accounts lacking MFA or SSPR setup.
  • 📄 Generate compliance reports for internal audits or external reviews.
  • 🛡️ Promote security best practice by identifying users not using passwordless methods.

Frequently Asked Questions

  • What does Get-MgReportAuthenticationMethodUserRegistrationDetail do?

    • It retrieves user authentication registration details, including MFA registration, SSPR readiness, passwordless capability, and admin status.

  • What permission is required?

    • You need the Reports.Read.All Microsoft Graph permission.

    Connect-MgGraph -Scopes "Reports.Read.All"
  • Can I find users who have not registered MFA?

    • Yes. Filter users where IsMfaRegistered is $false.

    
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object { $_.IsMfaRegistered -eq $false }
  • Can I export the authentication registration report?

    • Yes. Pipe the results to Export-Csv.

    
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Export-Csv "C:\Reports\AuthMethodRegistration.csv" -NoTypeInformation
  • Does this cmdlet show current authentication registration status?

    • Yes. It shows the current authentication method registration state for users, making it useful for MFA and SSPR audit reports.

Possible Errors & Solutions

Error Cause Fix
Authorization_RequestDenied Insufficient permissions Ensure Reports.Read.All is granted and admin-consented
Partial data returned Only top 100 records get returned by default. Use -All to ensure full dataset before filtering
Module not found Missing module Run Install-Module Microsoft.Graph.Reports to install it

Conclusion

The Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet is a powerful ally in securing your Microsoft 365 environment. It allows you to audit MFA, SSPR, and passwordless registration at scale, ensuring your users are aligned with modern security protocols. Pair this cmdlet with CSV exports or filters to tailor reports for compliance and technical remediation teams.