Empty strongAuthenticationDetail - How to get MFA status of each user
quentinhardy opened this issue
Hello,
All my AAD users have the following configuration in my roadrecon database:
strongAuthenticationDetail => {'encryptedPinHash': None, 'encryptedPinHashHistory': None, 'methods': [], 'oathTokenMetadata': [], 'requirements': [], 'phoneAppDetails': [], 'proofupTime': None, 'verificationDetail': None}
If I have understood correctly, the strongAuthenticationDetail key should give information about the MFA status for a user.
Why do all my users have an "empty" strongAuthenticationDetail while some of them have MFA enabled? Is it a privilege problem of the AAD user which was used for running Roadrecon? This user had the "Global reader" role.
How can I get the MFA status of each AAD user through Roadtools?
Thank you in advance,
In my testing this still works with the correct privileges (Global reader/Admin). If you're sure you gathered the information with the correct privileges, then I'm not sure what the issue could be here.
You could try running the tool with --mfa explicitly to see if that does gather the MFA information.
It appears that in larger tenants the --mfa switch is needed to collect this even with the correct privileges. In small tenants it collects it without that flag as well.
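An added example, not part of the issue thread or of roadtools itself: a check over user records already exported from the database that separates "every strongAuthenticationDetail is empty" (a collection gap of the kind discussed above) from a per-user MFA summary. The input shape (pairs of user name and detail), the status labels and the sample users are assumptions constructed for illustration.

```python
import json

# Keys of strongAuthenticationDetail as they appear in the record quoted in the issue.
LIST_KEYS = ("methods", "oathTokenMetadata", "requirements", "phoneAppDetails")
SCALAR_KEYS = ("encryptedPinHash", "encryptedPinHashHistory",
               "proofupTime", "verificationDetail")

# The all-empty record reported in the issue.
EMPTY = {"encryptedPinHash": None, "encryptedPinHashHistory": None, "methods": [],
         "oathTokenMetadata": [], "requirements": [], "phoneAppDetails": [],
         "proofupTime": None, "verificationDetail": None}

# Constructed sample users; the content of the "methods" entry is a placeholder,
# only its presence matters to the check below.
SAMPLE_USERS = [
    ("alice@example.com", EMPTY),
    ("bob@example.com", {**EMPTY, "methods": [{"placeholder": "constructed"}]}),
]


def is_empty_detail(detail):
    """True when the record carries no MFA information at all."""
    if not detail:
        return True
    return (all(not detail.get(k) for k in LIST_KEYS)
            and all(detail.get(k) is None for k in SCALAR_KEYS))


def summarize(users):
    """users: iterable of (name, strongAuthenticationDetail as dict or JSON string).

    Returns (status per user, collection_gap flag).
    """
    status = {}
    for name, raw in users:
        detail = json.loads(raw) if isinstance(raw, str) else raw
        if is_empty_detail(detail):
            status[name] = "no-mfa-data"
        elif detail.get("methods"):
            status[name] = "methods-registered"
        else:
            status[name] = "other-data-only"
    # Every record empty: treat it as "MFA data was not collected",
    # not as "nobody has MFA", and gather again with --mfa.
    gap = bool(status) and all(v == "no-mfa-data" for v in status.values())
    return status, gap


if __name__ == "__main__":
    print(summarize(SAMPLE_USERS))
```

When the flag comes back true for a tenant known to have MFA users, the data should be gathered again with --mfa before drawing any conclusion about individual accounts.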