How To Get There From Here: Monitor Passkey and Phishing-resistant MFA User Adoption with PowerShell

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys and phishing-resistant MFA in Microsoft Entra ID. In the previous post, we implemented break glass accounts with passkey (FIDO2) authentication.

This post covers the next practical step: Monitoring passkey adoption across your organization.

Microsoft Entra ID provides authentication method reports in the portal, but tracking passkey adoption at scale isn’t straightforward. While you can view individual user registration details, identifying users who haven’t enrolled passkeys requires manual work – exporting data, filtering through lists, and piecing together adoption statistics across your organization.

This post shares a PowerShell script that queries Microsoft Graph API to check authentication method enrollment at scale. The script can track Microsoft Authenticator, Passkey (FIDO2), or both methods across all users or specific groups. It generates adoption statistics and identifies users who haven’t enrolled the required methods.

Yet again, we’ll show you How To Get There From Here. 🔒

The PowerShell Script

The script queries Microsoft Graph API to check which users have enrolled Microsoft Authenticator and/or Passkey (FIDO2) authentication methods. It provides enrollment status with color-coded console output and optional CSV export.

Get the script: https://github.com/imabdk/PowerShell/blob/master/Get-MgUserAuthenticationMethodStatus.ps1

What it does:

  • Connects to Microsoft Graph with required permissions
  • Retrieves users from specified groups or all enabled users
  • Checks authentication method enrollment status
  • Displays results in a formatted table with color coding (Green = enrolled, Red = not enrolled)
  • Generates adoption statistics (total users, enrolled count, missing count)
  • Optionally exports results to CSV

Parameters:

-CheckMethod – Choose what to check:

  • Authenticator – Microsoft Authenticator only
  • Passkey – Passkey (FIDO2) only
  • Both – Both methods

-GroupName – Target specific groups (can specify multiple)

-AllUsers – Check all enabled users in the tenant

-ExportCsv – Export results to CSV file

-PathCsvFile – Custom path for CSV export (default: $env:HomeDrive\Temp)

Required Modules:

  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Users
  • Microsoft.Graph.Groups
  • Microsoft.Graph.Identity.SignIns

Required Permissions:

  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • GroupMember.Read.All

Usage Examples

Check Passkey Enrollment for a Single Group

.\Get-MgUserAuthenticationMethodStatus.ps1 -GroupName "Authentication methods - Passkey" -CheckMethod Passkey

Check All Users for Passkey Enrollment and Export to CSV

.\Get-MgUserAuthenticationMethodStatus.ps1 -AllUsers -CheckMethod Passkey -ExportCsv
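A compact version of the group-scoped check, as an added example and not the authors' script: it connects with the read-only scopes listed above, resolves the group, and classifies each member by the @odata.type values Graph returns for FIDO2 and Microsoft Authenticator methods. The default group name is taken from the usage example above; the output layout is this example's own.

```powershell
param(
    # Group name taken from the post's usage example; replace with your own.
    [string]$GroupName = 'Authentication methods - Passkey',
    [ValidateSet('Authenticator', 'Passkey', 'Both')]
    [string]$CheckMethod = 'Passkey'
)

# Read-only scopes only: a reporting script needs no write permission.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All' -NoWelcome

# The Graph @odata.type values that identify each authentication method.
$typeMap = @{
    Authenticator = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    Passkey       = '#microsoft.graph.fido2AuthenticationMethod'
}
$wanted = if ($CheckMethod -eq 'Both') { @($typeMap.Values) } else { @($typeMap[$CheckMethod]) }

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found." }

# Keep only user objects; nested groups and service principals are skipped.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$results = @(foreach ($m in $members) {
    $user  = Get-MgUser -UserId $m.Id -Property Id, DisplayName, UserPrincipalName
    # One call returns every registered method; compare its types against the required ones.
    $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $missing = @($wanted | Where-Object { $_ -notin $types })
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        Enrolled          = ($missing.Count -eq 0)
        Missing           = ($missing -replace '^#microsoft\.graph\.', '') -join ';'
    }
})

# Green = enrolled, Red = not enrolled, matching the post's colour convention.
foreach ($r in $results) {
    $status = if ($r.Enrolled) { 'Enrolled' } else { "Missing: $($r.Missing)" }
    Write-Host ('{0,-45} {1}' -f $r.UserPrincipalName, $status) -ForegroundColor $(if ($r.Enrolled) { 'Green' } else { 'Red' })
}

$enrolled = @($results | Where-Object Enrolled).Count
Write-Host ("`nTotal: {0}  Enrolled: {1}  Missing: {2}" -f $results.Count, $enrolled, ($results.Count - $enrolled))
```

Users flagged as missing are the ones to target with registration campaigns or Conditional Access authentication-strength policies once adoption is high enough.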

Conclusion

This concludes the first How To Get There From Here series – from break glass implementation to organization-wide adoption tracking. You now have the tools to deploy and monitor phishing-resistant authentication across your Entra ID tenant.

Get the script on GitHub: https://github.com/imabdk/PowerShell/blob/master/Get-MgUserAuthenticationMethodStatus.ps1 🙂

Co-authored by:
Martin Bengtsson | imab.dk
Christian Frohn | christianfrohn.dk
