Microsoft Entra ID makes it easy to view authentication methods for an individual user.
Open the Entra admin center, navigate to Users -> Authentication methods, and the information is immediately available.
For single-user troubleshooting, this approach works perfectly well.
The situation changes when the question becomes broader, for example:
- How many users have no authentication methods configured?
- Which methods are actually used across the tenant?
- How many users rely only on SMS or email?
- How widely are modern methods such as FIDO2 or passwordless authentication adopted?
At that point, clicking through the portal is no longer practical. What’s needed instead is a repeatable, automation-friendly report that can be generated consistently and reviewed over time.
Why a script is still necessary
The Entra admin center shows authentication methods per user, but it does not provide:
- a tenant-wide export
- a pivot-style overview
- an easy way to compare users side by side
- a mechanism suitable for scheduled or unattended execution
You can inspect authentication methods in the GUI, but the portal is designed for inspection, not reporting at scale.
This script exists to bridge that gap by querying Microsoft Graph directly and collecting authentication method data for all users in a structured, reusable format.
What the script reports
The script retrieves explicit authentication methods configured for Entra ID users via Microsoft Graph.
It intentionally excludes password authentication.
Having a password does not mean a user has MFA or strong authentication configured, and including it would distort the results.
Reported methods include, among others:
- Email authentication
- Phone authentication (mobile, office, alternate mobile)
- Microsoft Authenticator
- Passwordless Microsoft Authenticator
- FIDO2 security keys
- Windows Hello for Business
- Software OATH tokens
- Temporary Access Pass (presence only)
- Passkeys
- Any unknown or newly introduced method types
In addition to authentication data, the report includes basic user context such as country, office location, account status, and a calculated MethodCount.
Output formats
The script produces two CSV reports, each serving a different purpose.
Detail report
The detail report contains one row per user per authentication method.
This format is useful when you need to:
- filter by specific authentication methods
- identify users with no methods configured
- perform follow-up actions based on method type
Pivot report
The pivot report is designed for readability.
Each user appears once, with authentication methods flattened into columns (for example: Email, Phone, Authenticator, FIDO2, Passwordless, TAP).
This format makes it easy to:
- compare users side by side
- spot weak or inconsistent authentication configurations
- share the results with security or audit teams without additional explanation
Authentication and execution model
The script supports two authentication modes, each serving a different purpose.
App-only certificate-based authentication (default)
By default, the script uses app-only authentication with a certificate.
This mode is intended for:
- scheduled tasks
- automation servers
- recurring security or compliance reports
No interactive login is required, and no secrets are stored in the script.
Interactive delegated authentication
For ad-hoc execution or testing, the script can also run using interactive delegated authentication.
This is useful when:
- validating script behavior
- troubleshooting a specific user
- running the script from an admin workstation
Example usage scenarios
Tenant-wide authentication methods report (certificate-based)
To generate a full report for all users using app-only authentication, run the script without parameters:
.\EntraID-Get-User-Authentication-Methods.ps1
This is the recommended mode for:
- scheduled execution
- baseline reporting
- recurring security reviews
Tenant-wide report using interactive authentication
For ad-hoc runs using your own admin account:
.\EntraID-Get-User-Authentication-Methods.ps1 -Interactive
This performs the same tenant-wide export but uses delegated permissions instead of app-only authentication.
Reviewing authentication methods for a single user
To generate reports for a specific user and display a pivot-style summary directly in the console:
.\EntraID-Get-User-Authentication-Methods.ps1 -UserPrincipalName john.doe@contoso.com -Interactive
This mode is particularly useful when responding to support or security queries related to an individual account.
Identifying users with no authentication methods
In the pivot report, users with no authentication methods can be identified by:
- empty authentication method columns
- MethodCount = 0
These users often require follow-up actions, such as MFA onboarding or account remediation.
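The classification described under "What the script reports" and the two follow-up checks (no methods, Phone/Email only), as an added example that is not the published script: it maps constructed Graph `@odata.type` values to pivot columns, drops the password method and keeps unrecognised types. The `WHfB`, `SoftwareOATH`, `Unknown` and `UserPrincipalName` column names, the sample users and the `exampleFutureAuthenticationMethod` type are assumptions made for illustration.

```powershell
# Added example, not the published script. Sample data below is constructed.
# Column names WHfB, SoftwareOATH, Unknown and UserPrincipalName are assumptions.
$passwordType = '#microsoft.graph.passwordAuthenticationMethod'
$typeMap = [ordered]@{
    '#microsoft.graph.emailAuthenticationMethod'                              = 'Email'
    '#microsoft.graph.phoneAuthenticationMethod'                              = 'Phone'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'             = 'Authenticator'
    '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod' = 'Passwordless'
    '#microsoft.graph.fido2AuthenticationMethod'                              = 'FIDO2'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'            = 'WHfB'
    '#microsoft.graph.softwareOathAuthenticationMethod'                       = 'SoftwareOATH'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'                = 'TAP'
}

# Constructed sample: UPN -> @odata.type of each method returned for that user.
# 'exampleFutureAuthenticationMethod' is a made-up type standing in for a new method.
$sample = [ordered]@{
    'alice@contoso.com' = @($passwordType, '#microsoft.graph.fido2AuthenticationMethod',
                            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    'bob@contoso.com'   = @($passwordType, '#microsoft.graph.phoneAuthenticationMethod',
                            '#microsoft.graph.emailAuthenticationMethod')
    'carol@contoso.com' = @($passwordType)
    'dave@contoso.com'  = @($passwordType, '#microsoft.graph.exampleFutureAuthenticationMethod')
}

function ConvertTo-PivotRow {
    param([string]$UserPrincipalName, [string[]]$MethodTypes)
    $names = @(foreach ($t in $MethodTypes) {
        if ($t -eq $passwordType) { continue }            # a password is not MFA
        if ($typeMap.Contains($t)) { $typeMap[$t] } else { "Unknown:$t" }
    })
    $row = [ordered]@{ UserPrincipalName = $UserPrincipalName }
    foreach ($col in $typeMap.Values) { $row[$col] = [bool]($names -contains $col) }
    $row.Unknown     = ($names -like 'Unknown:*') -join ';'  # surfaced for review, never dropped
    $row.MethodCount = $names.Count
    [pscustomobject]$row
}

$pivot = foreach ($upn in $sample.Keys) { ConvertTo-PivotRow $upn $sample[$upn] }

$noMethods = $pivot | Where-Object { $_.MethodCount -eq 0 }
$weakOnly  = $pivot | Where-Object {
    $_.MethodCount -gt 0 -and
    -not ($_.Authenticator -or $_.Passwordless -or $_.FIDO2 -or $_.WHfB -or
          $_.SoftwareOATH -or $_.TAP -or $_.Unknown)
}

$pivot | Format-Table UserPrincipalName, Email, Phone, Authenticator, FIDO2, Unknown, MethodCount
"No methods: $($noMethods.UserPrincipalName -join ', ')"
"Phone/Email only: $($weakOnly.UserPrincipalName -join ', ')"
```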
Where this fits in practice
This script does not replace the Entra admin center.
Instead, it complements it by providing:
- scale
- consistency
- repeatability
The portal remains the right tool for inspecting individual users.
PowerShell and Microsoft Graph are better suited for reporting, analysis, and automation.
Script Source
The complete script is, as always, available for download on the Azure365Addict GitHub.
Feel free to customize the script to fit your reporting needs or extend it with additional logic relevant to your environment.
Happy scripting!

