I am trying to build a PowerShell script we can use to run hourly that would basically look for users who have recently signed up for Multifactor Authenticator or have Authenticator setup on their account in general and then add them to the group that controls conditional access if they aren't in there already. I was trying to use the Get-MgUserAuthenticationMethod -UserId 'UPN' | fl command, and when I run it, it doesn't return anything. We have an enterprise app setup and configured with the following permissions, user.read, user.read.all , and userauthenticationmethod.readwrite.all . In order to connect to graph using the enterprise app, we have a certificate that we use to authenticate. Does anyone have any ideas on what may be going on or have any suggestions on what I could do instead to accomplish what I mentioned above? I don't have a ton of PowerShell experience, so any suggestions or input is appreciated.

You are connecting via the client credentials flow, but using delegate permissions - those do not work for said flow. Either use application permissions instead, or authenticate in the context of a user to leverage the delegate permissions. Also, if you are planning to cover methods for privileged users, your app (its service principal) needs to have the Privileged Authentication Admin or Global admin role assigned.

As a first pass at debugging, try assigning the result to a variable and see if the Get-MgUserAuthenticationMethod actually returned anything: $x = Get-MgUserAuthenticationMethod -UserId 'UPN' $x.gettype() If you get this: You cannot call a method on a null-valued expression. as a result the cmdlet didn't find the UserID.

Get-MgUserAuthenticationMethod Command doesn't return any information

Miranda-5426 20

I am trying to build a PowerShell script we can use to run hourly that would basically look for users who have recently signed up for Multifactor Authenticator or have Authenticator setup on their account in general and then add them to the group that controls conditional access if they aren't in there already.

I was trying to use the Get-MgUserAuthenticationMethod -UserId 'UPN' | fl command, and when I run it, it doesn't return anything.

User's image

We have an enterprise app setup and configured with the following permissions, user.read, user.read.all, and userauthenticationmethod.readwrite.all. In order to connect to graph using the enterprise app, we have a certificate that we use to authenticate.

User's image

Does anyone have any ideas on what may be going on or have any suggestions on what I could do instead to accomplish what I mentioned above? I don't have a ton of PowerShell experience, so any suggestions or input is appreciated.

Accepted answer

Vasil Michev 96,516 Reputation points MVP

2024-05-10T08:10:16.7533333+00:00

You are connecting via the client credentials flow, but using delegate permissions - those do not work for said flow. Either use application permissions instead, or authenticate in the context of a user to leverage the delegate permissions.

Also, if you are planning to cover methods for privileged users, your app (its service principal) needs to have the Privileged Authentication Admin or Global admin role assigned.
Please sign in to rate this answer.
Miranda-5426 20 Reputation points

2024-05-10T18:53:11.5266667+00:00

@Vasil Michev As soon as I added in application permissions, it worked using the certificate method. Thank you for your help!

Do you know if certain commands require this? I am just curious as to why some of our other scripts have worked with delegated permissions instead of application permissions.

Vasil Michev 96,516 Reputation points MVP

2024-05-11T06:43:59.57+00:00

Most operations within the Graph support both delegate and application permissions. However, you need to combine the type of permission with suitable authentication method. In your scenario the issue using delegate permissions, while trying to authenticate via client secret/certificate - this only works for application permissions.
Sign in to comment

1 additional answer

Rich Matheisen 45,111 Reputation points

2024-05-09T18:19:17.89+00:00
As a first pass at debugging, try assigning the result to a variable and see if the Get-MgUserAuthenticationMethod actually returned anything:

$x = Get-MgUserAuthenticationMethod -UserId 'UPN' $x.gettype()

If you get this: You cannot call a method on a null-valued expression. as a result the cmdlet didn't find the UserID.
Please sign in to rate this answer.
Miranda-5426 20 Reputation points

2024-05-09T18:52:35.3+00:00

Hi @Rich Matheisen , thanks for your reply. I gave that a try and still, it didn't show anything for the results.

What is interesting is that if I type in a UPN that I know doesn't exist, I get the same results as shown above.

Rich Matheisen 45,111 Reputation points

2024-05-09T19:47:52.6066667+00:00

Does Get-MGUser return anything for that userid?

Try running the Get-MgUserAuthenticationMethod -UserId 'UPN' without piping the output to any other cmdlet or assigning the output to a variable: Get-MgUserAuthenticationMethod -UserId 'UPN'

Does this return anything?

$x=Get-MgUserAuthenticationMethod -UserId 'UPN' $x|gm * -f

Does this fail? Get-MgUserAuthenticationMethod -UserId 'UPN' -ErrorAction STOP

Honestly, I don't think any of the Graph stuff is fully baked.

Rich Matheisen 45,111 Reputation points

2024-05-09T19:55:34.39+00:00

Does Get-MGUser return anything for the UPN?

How about Get-MgUserAuthenticationMethod -UserId 'UPN' without piping it to anything or assigning it to a variable?

Does Get-MgUserAuthenticationMethod -UserId 'UPN' -ErrorAction STOP cause an exception?

Does Get-Member find anything? For example:

$x = Get-MgUserAuthenticationMethod -UserId 'UPN' $x | gm * -f

Honestly, based on stuff I've seen in posts, I'm not sure that the PowerShell Graph stuff is fully baked.

Miranda-5426 20 Reputation points

2024-05-09T20:05:16.2666667+00:00

@Rich Matheisen , when I run Get-MgUser for that UserId, I do get results:

When I run the Get-MgUserAuthenticationMethod - UserId 'UPN" without piping or assigning to a variable, I get the same results as before:

Running it with assigning it to a variable doesn't do anything either:

Running the command with -ErrorAction STOP gave me something here:

I will look into this error more and see what I can find. I agree with you; it definitely seems like Graph isn't fully baked, unfortunately.

Rich Matheisen 45,111 Reputation points

2024-05-09T21:22:25.9133333+00:00

The error means you don't have permission to access the authentication data.

FullyQualifiedErrorId : accessDenied

https://answers.microsoft.com/en-us/msoffice/forum/all/i-need-an-alternative-way-of-accessing-my-users/5d30d19d-9be9-424a-aaba-110eb947d705

Miranda-5426 20 Reputation points

2024-05-10T18:42:51.4266667+00:00

@Rich Matheisen I did some more testing, and if I run the following, it allows me to run the Get-MgUserAuthenticationMethod - UserId 'UPN' command without issues.

Connect-MgGraph -Scopes 'userauthenticationmethod.read.all'

I am just wondering why the authentication using the certificate in the enterprise app isn't working. As I mentioned in a previous reply, I have the correct permissions setup for this I believe.

Any additional thoughts you have? I haven't come across anything explaining this yet. We don't want to be authenticating to Mg Graph with an account but would rather use the certificate through the enterprise app. Other scripts using a connection to Mg Graph work just fine. This is the first instance I have seen in our environment.
Sign in to comment

Share via

Get-MgUserAuthenticationMethod Command doesn't return any information

1 additional answer