π§ New: User Management Graph PowerShell Toolkit
Simplify user tasks like bulk creation, updates, password resets, deletions, license checks & more β all from one place.
π Launch ToolkitGet-MgReportAuthenticationMethodUserRegistrationDetail
The Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet from Microsoft Graph PowerShell allows administrators to retrieve a comprehensive report of user authentication methods related details such as MFA registration status, SSPR (Self-Service Password Reset) capabilities, passwordless capabilities, and more. This is an essential tool for tracking identity protection compliance across the tenant.
Cmdlet Syntax
Get-MgReportAuthenticationMethodUserRegistrationDetail [-All] [-Top <Int32>] [-Filter <String>] [-ConsistencyLevel <String>] [-CountVariable <String>] [<CommonParameters>]π Important: This cmdlet requires Microsoft.Graph.Reports module and appropriate Graph permissions (Reports.Read.All).
Usage Examples
- Get the full report of all usersβ registration details
- List only users who have MFA registered
- Find users who are both SSPR Capable and SSPR Enabled
Get-MgReportAuthenticationMethodUserRegistrationDetail -All
This fetches all user entries and their MFA, SSPR, and passwordless registration info.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object { $_.IsMfaRegistered -eq $true } |
Select-Object UserPrincipalName, IsMfaRegistered
Filters for users where IsMfaRegistered is True to audit MFA adoption.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Where-Object { $_.IsSsprCapable -and $_.IsSsprEnabled } |
Select-Object UserPrincipalName, IsSsprCapable, IsSsprEnabled
Useful for checking self-service password reset readiness.
Cmdlet Tips
- Use -All to retrieve the entire tenantβs data.
- Combine with Export-Csv to generate compliance reports.
- No date filter is supported β this returns the current registration status (last 30 days) snapshot.
Understanding Report Properties
Each user object returned includes the following flags:
| Property | Meaning |
| IsAdmin | Indicates if the user is an Administrator or not. |
| IsMfaCapable | Whether the user can register for MFA (e.g., has a phone number set). |
| IsMfaRegistered | Whether the user has registered at least one MFA method. |
| IsPasswordlessCapable | Whether passwordless authentication is supported (e.g., FIDO2). |
| IsSsprCapable | Whether the user meets the requirements to enable SSPR. |
| IsSsprEnabled | Whether the user has enabled SSPR for their account. |
Use Cases
- β Audit MFA adoption across departments.
- π Identify non-compliant accounts lacking MFA or SSPR setup.
- π Generate compliance reports for internal audits or external reviews.
- π‘οΈ Promote security best practice by identifying users not using passwordless methods.
Possible Errors & Solutions
| Error | Cause | Fix |
| Authorization_RequestDenied | Insufficient permissions | Ensure Reports.Read.All is granted and admin-consented |
| Partial data returned | Only top 100 records get returned by default. | Use -All to ensure full dataset before filtering |
| Module not found | Missing module | Run Install-Module Microsoft.Graph.Reports to install it |
Conclusion
The Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet is a powerful ally in securing your Microsoft 365 environment. It allows you to audit MFA, SSPR, and passwordless registration at scale, ensuring your users are aligned with modern security protocols. Pair this cmdlet with CSV exports or filters to tailor reports for compliance and technical remediation teams.