UserAuthenticationMethod.Read.All
Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Ver | Type | Method |
Beta | A,D | GET /me/authentication/emailMethods |
Beta | A,D | GET /me/authentication/emailMethods/{id} |
V1 | A,D | GET /me/authentication/fido2Methods |
V1 | A,D | GET /me/authentication/fido2Methods/{id} |
V1 | A,D | GET /me/authentication/methods |
V1 | A,D | GET /me/authentication/methods/{id} |
V1 | A,D | GET /me/authentication/microsoftAuthenticatorMethods |
V1 | A,D | GET /me/authentication/microsoftAuthenticatorMethods/{microsoftAuthenticatorAuthenticationMethodId} |
Beta | A,D | GET /me/authentication/passwordlessMicrosoftAuthenticatorMethods |
Beta | A,D | GET /me/authentication/passwordlessMicrosoftAuthenticatorMethods/{id} |
Beta | A,D | GET /me/authentication/passwordMethods |
Beta | A,D | GET /me/authentication/passwordMethods/{id} |
Beta | A,D | GET /me/authentication/phoneMethods |
Beta | A,D | GET /me/authentication/phoneMethods/{phoneMethodId} |
Beta | A,D | GET /me/authentication/softwareOathMethods |
Beta | A,D | GET /me/authentication/softwareOathMethods/{id} |
Beta | A,D | GET /me/authentication/temporaryAccessPassMethods |
Beta | A,D | GET /me/authentication/temporaryAccessPassMethods/{temporaryAccessPassAuthenticationMethodId} |
V1 | A,D | GET /me/authentication/windowsHelloForBusinessMethods |
V1 | A,D | GET /me/authentication/windowsHelloForBusinessMethods/{windowsHelloForBusinessAuthenticationMethodId} |
Beta | A,D | GET /reports/authenticationMethods/userRegistrationDetails |
Beta | A,D | GET /reports/authenticationMethods/userRegistrationDetails/{userRegistrationDetailsId} |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/emailMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/emailMethods/{id} |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/fido2Methods |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/fido2Methods/{id} |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/methods |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/methods/{id} |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/microsoftAuthenticatorMethods |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/microsoftAuthenticatorMethods/{microsoftAuthenticatorAuthenticationMethodId} |
Beta | D | GET /users/{id | userPrincipalName}/authentication/operations/{id} |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/passwordlessMicrosoftAuthenticatorMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/passwordlessMicrosoftAuthenticatorMethods/{id} |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/passwordMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/passwordMethods/{id} |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/phoneMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/softwareOathMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/softwareOathMethods/{id} |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/temporaryAccessPassMethods |
Beta | A,D | GET /users/{id | userPrincipalName}/authentication/temporaryAccessPassMethods/{temporaryAccessPassAuthenticationMethodId} |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/windowsHelloForBusinessMethods |
V1 | A,D | GET /users/{id | userPrincipalName}/authentication/windowsHelloForBusinessMethods/{windowsHelloForBusinessAuthenticationMethodId} |
Beta | A,D | GET /users/{userId | userPrincipalName}/authentication/phoneMethods/{phoneMethodId} |
Delegate Permission
Id | aec28ec7-4d02-4e8c-b864-50163aea77eb |
Consent Type | Admin |
Display String | Read all users' authentication methods |
Description | Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
Application Permission
Id | 38d9df27-64da-44fd-b7c5-a6fbac20248f |
Display String | Read all users' authentication methods |
Description | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
Resources
Property | Type | Description |
id | String | The identifier of this instance of an authentication method registered to this user. Read-only. |
Property | Type | Description |
id | String | The identifier of the email address registered to this user. |
emailAddress | String | The email address registered to this user. |
Property | Type | Description |
id | String | The authentication method identifier. |
displayName | String | The display name of the key as given by the user. |
createdDateTime | DateTimeOffset | The timestamp when this key was registered to the user. |
aaGuid | String | Authenticator Attestation GUID, an identifier that indicates the type (e.g. make and model) of the authenticator. |
model | String | The manufacturer-assigned model of the FIDO2 security key. |
attestationCertificates | String collection | The attestation certificate(s) attached to this security key. |
attestationLevel | attestationLevel | The attestation level of this FIDO2 security key. Possible values are: attested, or notAttested. |
Property | Type | Description |
createdDateTime | DateTimeOffset | The date and time that this app was registered. This property is null if the device is not registered for passwordless Phone Sign-In. |
displayName | String | The name of the device on which this app is registered. |
id | String | A unique identifier for this authentication method. Inherited from authenticationMethod. |
deviceTag | String | Tags containing app metadata. |
phoneAppVersion | String | Numerical version of this instance of the Authenticator app. |
Property | Type | Description |
createdDateTime | DateTimeOffset | The start time of the operation. |
lastActionDateTime | DateTimeOffset | The time of the last action of the operation. |
status | operationStatus | The current status of the operation: notStarted, running, completed, failed. |
Property | Type | Description |
creationDateTime | DateTimeOffset | The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
id | String | The identifier of this password registered to this user. This is generally 28c10230-6103-485e-b985-444c60001490. Read-only. |
password | String | For security, the password is always returned as null from a LIST or GET operation. |
Property | Type | Description |
id | String | The authentication method identifier. |
displayName | String | The display name of the mobile device as given by the user. |
creationDateTime | DateTimeOffset | The timestamp when this method was registered to the user. |
Property | Type | Description |
id | String | The identifier of this phone registered to this user. Read-only. The value of id is one of the following: b6332ec1-7057-4abe-9331-3d72feddfe41 - where phoneType is alternateMobile; e37fc753-ff3b-4958-9484-eaa9425c82bc - where phoneType is office; 3179e48a-750b-4051-897c-87b9720928f7 - where phoneType is mobile. |
phoneNumber | String | The phone number to text or call for authentication. Phone numbers use the format "+<country code> <number>x<extension>", with extension optional. For example, +1 5555551234 or +1 5555551234x123 are valid. Numbers are rejected when creating/updating if they do not match the required format. |
phoneType | authenticationPhoneType | The type of this phone. Possible values are: mobile, alternateMobile, or office. |
smsSignInState | authenticationMethodSignInState | Whether a phone is ready to be used for SMS sign-in or not. Possible values are: notSupported, notAllowedByPolicy, notEnabled, phoneNumberNotUnique, ready, or notConfigured, unknownFutureValue. |
Property | Type | Description |
id | String | The authentication method identifier. |
secretKey | String | The secret key of the method. Always returns null. |
Property | Type | Description |
id | String | The identifier of the Temporary Access Pass registered to this user. |
temporaryAccessPass | String | The temporaryAccessPass used to authenticate. Returned only on creation of a new temporaryAccessPass; returned as NULL with GET. |
createdDateTime | DateTimeOffset | The date and time when the temporaryAccessPass was created. |
startDateTime | DateTimeOffset | The date and time when the temporaryAccessPass becomes available to use. |
lifetimeInMinutes | Int32 | The lifetime of the temporaryAccessPass in minutes starting at startDateTime. Minimum 10, Maximum 43200 (equivalent to 30 days). |
isUsableOnce | Boolean | Determines whether the pass is limited to a one time use. If true, the pass can be used once; if false, the pass can be used multiple times within the temporaryAccessPass lifetime. |
isUsable | Boolean | The state of the authentication method that indicates whether it's currently usable by the user. |
methodUsabilityReason | String | Details about usability state (isUsable). Reasons can include: enabledByPolicy, disabledByPolicy, expired, notYetValid, oneTimeUsed. |
Property | Type | Description |
defaultMfaMethod | defaultMfaMethodType | The method the user or admin selected as default for performing multi-factor authentication for the user. The possible values are: none, mobilePhone, alternateMobilePhone, officePhone, microsoftAuthenticatorPush, softwareOneTimePasscode, unknownFutureValue. |
id | String | User object identifier in Azure AD. Inherited from entity. |
isMfaCapable | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq). |
isMfaRegistered | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq). |
isPasswordlessCapable | Boolean | Whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq). |
isSsprCapable | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq). |
isSsprEnabled | Boolean | Whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq). |
isSsprRegistered | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq). |
methodsRegistered | String collection | Collection of authentication methods registered, such as mobilePhone, email, fido2. Supports $filter (any with eq). |
userDisplayName | String | The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderBy. |
userPrincipalName | String | The user principal name, such as [email protected] . Supports $filter (eq, startsWith) and $orderBy. |
Property | Type | Description |
createdDateTime | DateTimeOffset | The date and time that this Windows Hello for Business key was registered. |
displayName | String | The name of the device on which Windows Hello for Business is registered. |
id | String | A unique identifier for this authentication method. Inherited from authenticationMethod. |
keyStrength | authenticationMethodKeyStrength | Key strength of this Windows Hello for Business key. Possible values are: normal, weak, unknown. |