UserAuthenticationMethod.Read.All
Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
| Ver |
Type |
Method |
| Beta |
A,D |
GET /me/authentication/emailMethods |
| Beta |
A,D |
GET /me/authentication/emailMethods/{id} |
| V1 |
A,D |
GET /me/authentication/fido2Methods |
| V1 |
A,D |
GET /me/authentication/fido2Methods/{id} |
| V1 |
A,D |
GET /me/authentication/methods |
| V1 |
A,D |
GET /me/authentication/methods/{id} |
| V1 |
A,D |
GET /me/authentication/microsoftAuthenticatorMethods |
| V1 |
A,D |
GET /me/authentication/microsoftAuthenticatorMethods/{microsoftAuthenticatorAuthenticationMethodId} |
| Beta |
A,D |
GET /me/authentication/passwordlessMicrosoftAuthenticatorMethods |
| Beta |
A,D |
GET /me/authentication/passwordlessMicrosoftAuthenticatorMethods/{id} |
| Beta |
A,D |
GET /me/authentication/passwordMethods |
| Beta |
A,D |
GET /me/authentication/passwordMethods/{id} |
| Beta |
A,D |
GET /me/authentication/phoneMethods |
| Beta |
A,D |
GET /me/authentication/phoneMethods/{phoneMethodId} |
| Beta |
A,D |
GET /me/authentication/softwareOathMethods |
| Beta |
A,D |
GET /me/authentication/softwareOathMethods/{id} |
| Beta |
A,D |
GET /me/authentication/temporaryAccessPassMethods |
| Beta |
A,D |
GET /me/authentication/temporaryAccessPassMethods/{temporaryAccessPassAuthenticationMethodId} |
| V1 |
A,D |
GET /me/authentication/windowsHelloForBusinessMethods |
| V1 |
A,D |
GET /me/authentication/windowsHelloForBusinessMethods/{windowsHelloForBusinessAuthenticationMethodId} |
| Beta |
A,D |
GET /reports/authenticationMethods/userRegistrationDetails |
| Beta |
A,D |
GET /reports/authenticationMethods/userRegistrationDetails/{userRegistrationDetailsId} |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/emailMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/emailMethods/{id} |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/fido2Methods |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/fido2Methods/{id} |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/methods |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/methods/{id} |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/microsoftAuthenticatorMethods |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/microsoftAuthenticatorMethods/{microsoftAuthenticatorAuthenticationMethodId} |
| Beta |
D |
GET /users/{id | userPrincipalName}/authentication/operations/{id} |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/passwordlessMicrosoftAuthenticatorMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/passwordlessMicrosoftAuthenticatorMethods/{id} |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/passwordMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/passwordMethods/{id} |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/phoneMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/softwareOathMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/softwareOathMethods/{id} |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/temporaryAccessPassMethods |
| Beta |
A,D |
GET /users/{id | userPrincipalName}/authentication/temporaryAccessPassMethods/{temporaryAccessPassAuthenticationMethodId} |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/windowsHelloForBusinessMethods |
| V1 |
A,D |
GET /users/{id | userPrincipalName}/authentication/windowsHelloForBusinessMethods/{windowsHelloForBusinessAuthenticationMethodId} |
| Beta |
A,D |
GET /users/{userId | userPrincipalName}/authentication/phoneMethods/{phoneMethodId} |
Delegate Permission
|
|
| Id |
aec28ec7-4d02-4e8c-b864-50163aea77eb |
| Consent Type |
Admin |
| Display String |
Read all users' authentication methods |
| Description |
Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
Application Permission
|
|
| Id |
38d9df27-64da-44fd-b7c5-a6fbac20248f |
| Display String |
Read all users' authentication methods |
| Description |
Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
Resources
| Property |
Type |
Description |
| id |
String |
The identifier of this instance of an authentication method registered to this user. Read-only. |
| Property |
Type |
Description |
| id |
String |
The identifier of the email address registered to this user. |
| emailAddress |
String |
The email address registered to this user. |
| Property |
Type |
Description |
| id |
String |
The authentication method identifier. |
| displayName |
String |
The display name of the key as given by the user. |
| createdDateTime |
DateTimeOffset |
The timestamp when this key was registered to the user. |
| aaGuid |
String |
Authenticator Attestation GUID, an identifier that indicates the type (e.g. make and model) of the authenticator. |
| model |
String |
The manufacturer-assigned model of the FIDO2 security key. |
| attestationCertificates |
String collection |
The attestation certificate(s) attached to this security key. |
| attestationLevel |
attestationLevel |
The attestation level of this FIDO2 security key. Possible values are: attested, or notAttested. |
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time that this app was registered. This property is null if the device is not registered for passwordless Phone Sign-In. |
| displayName |
String |
The name of the device on which this app is registered. |
| id |
String |
A unique identifier for this authentication method. Inherited from authenticationMethod |
| deviceTag |
String |
Tags containing app metadata. |
| phoneAppVersion |
String |
Numerical version of this instance of the Authenticator app. |
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The start time of the operation. |
| lastActionDateTime |
DateTimeOffset |
The time of the last action of the operation. |
| status |
operationStatus |
The current status of the operation: notStarted, running, completed, failed |
| Property |
Type |
Description |
| creationDateTime |
DateTimeOffset |
The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id |
String |
The identifier of this password registered to this user. This is generally 28c10230-6103-485e-b985-444c60001490. Read-only. |
| password |
String |
For security, the password is always returned as null from a LIST or GET operation. |
| Property |
Type |
Description |
| id |
String |
The authentication method identifier. |
| displayName |
String |
The display name of the mobile device as given by the user. |
| creationDateTime |
DateTimeOffset |
The timestamp when this method was registered to the user. |
| Property |
Type |
Description |
| id |
String |
The identifier of this phone registered to this user. Read-only.
The value of id is one of the following:b6332ec1-7057-4abe-9331-3d72feddfe41 - where phoneType is alternateMobile.e37fc753-ff3b-4958-9484-eaa9425c82bc - where phoneType is office.3179e48a-750b-4051-897c-87b9720928f7 - where phoneType is mobile.
|
| phoneNumber |
String |
The phone number to text or call for authentication. Phone numbers use the format "+<country code> <number>x<extension>", with extension optional. For example, +1 5555551234 or +1 5555551234x123 are valid. Numbers are rejected when creating/updating if they do not match the required format. |
| phoneType |
authenticationPhoneType |
The type of this phone. Possible values are: mobile, alternateMobile, or office. |
| smsSignInState |
authenticationMethodSignInState |
Whether a phone is ready to be used for SMS sign-in or not. Possible values are: notSupported, notAllowedByPolicy, notEnabled, phoneNumberNotUnique, ready, or notConfigured, unknownFutureValue. |
| Property |
Type |
Description |
| id |
String |
The authentication method identifier. |
| secretKey |
String |
The secret key of the method. Always returns null. |
| Property |
Type |
Description |
| id |
String |
The identifier of the Temporary Access Pass registered to this user. |
| temporaryAccessPass |
String |
The temporaryAccessPass used to authenticate. Returned only on creation of a new temporaryAccessPass; returned as NULL with GET. |
| createdDateTime |
DateTimeOffset |
The date and time when the temporaryAccessPass was created. |
| startDateTime |
DateTimeOffset |
The date and time when the temporaryAccessPass becomes available to use. |
| lifetimeInMinutes |
Int32 |
The lifetime of the temporaryAccessPass in minutes starting at startDateTime. Minimum 10, Maximum 43200 (equivalent to 30 days). |
| isUsableOnce |
Boolean |
Determines whether the pass is limited to a one time use. If true, the pass can be used once; if false, the pass can be used multiple times within the temporaryAccessPass lifetime. |
| isUsable |
Boolean |
The state of the authentication method that indicates whether it's currently usable by the user. |
| methodUsabilityReason |
String |
Details about usability state (isUsable). Reasons can include: enabledByPolicy, disabledByPolicy, expired, notYetValid, oneTimeUsed. |
| Property |
Type |
Description |
| defaultMfaMethod |
defaultMfaMethodType |
The method the user or admin selected as default for performing multi-factor authentication for the user. The possible values are: none, mobilePhone, alternateMobilePhone, officePhone, microsoftAuthenticatorPush, softwareOneTimePasscode, unknownFutureValue. |
| id |
String |
User object identifier in Azure AD. Inherited from entity. |
| isMfaCapable |
Boolean |
Whether the user has registered a strong authentication method for multi-factor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq). |
| isMfaRegistered |
Boolean |
Whether the user has registered a strong authentication method for multi-factor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq). |
| isPasswordlessCapable |
Boolean |
Whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq). |
| isSsprCapable |
Boolean |
Whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq). |
| isSsprEnabled |
Boolean |
Whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq). |
| isSsprRegistered |
Boolean |
Whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq). |
| methodsRegistered |
String collection |
Collection of authentication methods registered, such as mobilePhone, email, fido2. Supports $filter (any with eq). |
| userDisplayName |
String |
The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderBy. |
| userPrincipalName |
String |
The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderBy. |
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time that this Windows Hello for Business key was registered. |
| displayName |
String |
The name of the device on which Windows Hello for Business is registered |
| id |
String |
A unique identifier for this authentication method. Inherited from authenticationMethod |
| keyStrength |
authenticationMethodKeyStrength |
Key strength of this Windows Hello for Business key. Possible values are: normal, weak, unknown. |