I would like to access MFA information about users using their UPN, but I can't seem to figure out how I can grant permissions programmatically to access their MFA information on an Azure tenant.
The code below is what I have right now:
$userUPN = "[email protected]"
# Resolve the UPN to the user's object ID via the Az module
$userObjectId = (Get-AzADUser -UserPrincipalName $userUPN).Id
$graphApiUrl = "https://graph.microsoft.com/v1.0/users/$($userObjectId)/authentication/methods"
# Obtain a Graph token for the currently signed-in Az context
$accessToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$response = Invoke-RestMethod -Uri $graphApiUrl -Headers @{ Authorization = "Bearer $accessToken" } -Method Get -ErrorAction Stop
The error I get:
"accessDenied, request authorization failed"
I am able to access MFA information by using Graph Explorer and sending an HTTPS request, because it allows me to consent to the permissions. I have attached a screenshot below to show the permissions:
How can I consent to permissions using PowerShell so I can access the MFA information in my IDE?
Thanks!
Note that when you generate an access token using Get-AzAccessToken, only permissions like "AuditLog.Read.All Directory.AccessAsUser.All email openid profile" are granted by Microsoft Graph in advance. The permission required here is https://graph.microsoft.com/UserAuthenticationMethod.Read.All. Refer to this GitHub blog by Dingmeng Xue.
Use Connect-AzAccount with a service principal to perform the action.
Create an Azure AD application and grant API permission:
Now use the below PowerShell script to Connect-AzAccount using the service principal and fetch the details:
Otherwise, make use of the Microsoft Graph PowerShell module.
References:
Support user specified permission on ResourceURI by dingmeng-xue · Pull Request #18080 · Azure/azure-powershell · GitHub
azure - Using token from Connect-AZAccount on Intune Graph calls - Stack Overflow by Andy Brunner
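The service-principal flow the answer describes, written out as an added example (this is not the answer's own script). It assumes an app registration that has already been granted the application permission UserAuthenticationMethod.Read.All with admin consent; the tenant ID, app (client) ID and the UPN used at the bottom are placeholders, and the client secret is read interactively.

```powershell
# Added example, not the answer's script. Assumes an app registration granted the
# *application* permission UserAuthenticationMethod.Read.All (admin consented).
# Tenant ID, app ID and the UPN below are placeholders.
$tenantId     = "00000000-0000-0000-0000-000000000000"   # placeholder
$appId        = "11111111-1111-1111-1111-111111111111"   # placeholder
$clientSecret = Read-Host -Prompt "Client secret" -AsSecureString

# Sign in as the service principal instead of a user. The Graph token Az then issues
# carries the app roles consented on the registration, not the fixed delegated scopes
# a user sign-in gets (which is why the user context hit accessDenied).
$credential = New-Object System.Management.Automation.PSCredential($appId, $clientSecret)
Connect-AzAccount -ServicePrincipal -TenantId $tenantId -Credential $credential | Out-Null

function Get-GraphBearerToken {
    # Newer Az.Accounts releases return the token as a SecureString; handle both shapes.
    $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    return $token
}

function Get-UserAuthenticationMethods {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Graph accepts the UPN directly as the user key, so no Get-AzADUser lookup is needed.
    $escapedUpn = [System.Uri]::EscapeDataString($UserPrincipalName)
    $uri = "https://graph.microsoft.com/v1.0/users/$escapedUpn/authentication/methods"
    $headers = @{ Authorization = "Bearer $(Get-GraphBearerToken)" }

    try {
        $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -ErrorAction Stop
    }
    catch {
        # A 403 here almost always means the permission was not granted or consented on the app.
        throw "Graph call failed for $UserPrincipalName : $($_.Exception.Message)"
    }

    # Each entry carries an @odata.type such as #microsoft.graph.phoneAuthenticationMethod;
    # surface the short type name and keep the raw object for detail inspection.
    foreach ($method in $response.value) {
        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            MethodType        = ($method.'@odata.type' -replace '^#microsoft\.graph\.', '')
            Id                = $method.id
            Raw               = $method
        }
    }
}

# Usage (placeholder UPN):
Get-UserAuthenticationMethods -UserPrincipalName "user@contoso.com" |
    Format-Table UserPrincipalName, MethodType, Id
```

If you would rather consent interactively from PowerShell, as Graph Explorer does, the Microsoft Graph PowerShell module does that: `Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"` prompts for consent to that delegated scope, after which `Get-MgUserAuthenticationMethod -UserId $userUPN` returns the same methods without any manual token handling.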