Track and visualize authentication methods in Entra ID (formerly Azure AD) with a focus on Phishing-Resistant authentication.
The EntraAuthenticationMetrics module provides comprehensive, interactive dashboards to help you understand and manage authentication methods in your organization:
A user-friendly interface that allows:
- Filtering and searching users
- Detailed view of Phishing-Resistant MFA status
- Method-specific insights
This dashboard offers a detailed breakdown of authentication methods, highlighting:
- Phishing-Resistant MFA adoption
- Strong authentication method coverage
- Standard and legacy authentication method usage
Version: 0.1.0
Author: Gabriel Delaney (thetolkienblackguy.com | GitHub)
Company: Phoenix Horizons LLC
- Features
- Prerequisites
- Installation
- Authentication Setup
- Usage Guide
- Dashboard Features
- Known Limitations
- Phishing-Resistant MFA Tracking
  - FIDO2 Security Keys
  - Windows Hello for Business
  - Certificate-Based Authentication
- Standard Authentication Methods
  - Microsoft Authenticator App
  - Software OATH Tokens
  - Temporary Access Pass
- Interactive Dashboard
  - Real-time filtering and search
  - Dark/Light mode toggle
  - Method-specific views
  - Detailed statistics panel
- Reporting Options
  - Interactive HTML dashboard
  - Email delivery via Graph API
  - Custom filtering capabilities
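The grouping in the feature list above, applied to per-user method data, as an added example that is not the module's own code. The keys are Microsoft Graph `@odata.type` values; `Get-StrongestMethodGroup`, the `Other` and `PasswordOnly` buckets, and the `HasCertificateMapping` flag (certificate-based authentication passed in as a boolean rather than read from a registered method) are assumptions made for the illustration, and the sample users are constructed.

```powershell
# Added example: report the strongest method group each user has registered.
# Group names PhishingResistant/Standard follow this README's feature list.
$MethodGroup = @{
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'PhishingResistant'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'PhishingResistant'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'Standard'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'Standard'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'Standard'
}

function Get-StrongestMethodGroup {   # hypothetical helper, not a module cmdlet
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string[]]$MethodTypes = @(),
        [bool]$HasCertificateMapping = $false   # assumption: CBA supplied as a flag
    )
    $groups = @(foreach ($type in $MethodTypes) {
        # Every account has a password entry; it is not a second factor.
        if ($type -eq '#microsoft.graph.passwordAuthenticationMethod') { continue }
        if ($MethodGroup.ContainsKey($type)) { $MethodGroup[$type] } else { 'Other' }
    })
    if ($HasCertificateMapping) { $groups += 'PhishingResistant' }

    # Walk weakest to strongest so the last match wins.
    $best = 'PasswordOnly'
    foreach ($g in 'Other', 'Standard', 'PhishingResistant') {
        if ($groups -contains $g) { $best = $g }
    }
    [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Strongest = $best }
}

# Constructed sample users (not real data).
$ns = '#microsoft.graph.'
$users = @(
    @{ UserPrincipalName = 'alice@contoso.com'; MethodTypes = @(
        "${ns}passwordAuthenticationMethod", "${ns}fido2AuthenticationMethod",
        "${ns}microsoftAuthenticatorAuthenticationMethod") }
    @{ UserPrincipalName = 'bob@contoso.com'; MethodTypes = @(
        "${ns}passwordAuthenticationMethod", "${ns}phoneAuthenticationMethod") }
    @{ UserPrincipalName = 'carol@contoso.com'; HasCertificateMapping = $true
       MethodTypes = @("${ns}passwordAuthenticationMethod") }
    @{ UserPrincipalName = 'dave@contoso.com'
       MethodTypes = @("${ns}passwordAuthenticationMethod") }
)
$report = @(foreach ($u in $users) { Get-StrongestMethodGroup @u })
$report | Group-Object Strongest | Select-Object Name, Count
$pr = @($report | Where-Object Strongest -eq 'PhishingResistant').Count
'{0:P0} of {1} users have a phishing-resistant method' -f ($pr / $report.Count), $report.Count
```

A user who holds both a FIDO2 key and the Authenticator app counts once, under the stronger group, so the groups partition the population and the percentages add up to 100.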
- PowerShell 5.1 or PowerShell 7.x
- Microsoft.Graph.Authentication module (automatically installed)
- For Dashboard Generation:
  - User.Read.All
  - GroupMember.Read.All
  - UserAuthenticationMethod.Read.All
- For Email Functionality (Additional):
  - Mail.Send (Application permission only)
```powershell
# Install from PowerShell Gallery
Install-Module -Name EntraAuthenticationMetrics -Scope CurrentUser

# Import the module
Import-Module EntraAuthenticationMetrics
```

```powershell
# Connect with required scopes
Connect-MgGraph -Scopes @(
    "User.Read.All",
    "GroupMember.Read.All",
    "UserAuthenticationMethod.Read.All"
)
```
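A least-privilege preflight for the session, as an added example that is not part of the module: it compares the scopes a Graph session holds against the permissions this README lists and flags anything missing or write-capable. `Test-GraphScopeSet` is a hypothetical helper name and the granted list is a constructed sample; in a live session the list comes from `(Get-MgContext).Scopes`.

```powershell
# Added example (not part of the module): least-privilege preflight for a Graph session.
$Required = 'User.Read.All', 'GroupMember.Read.All', 'UserAuthenticationMethod.Read.All'
$Optional = @('Mail.Send')   # only needed when the report is emailed

function Test-GraphScopeSet {   # hypothetical helper name
    param(
        [string[]]$Granted = @(),
        [string[]]$Required,
        [string[]]$Optional = @()
    )
    # OpenID Connect scopes seen in delegated sessions; they grant no directory access.
    $baseline = 'openid', 'profile', 'email', 'offline_access'
    $expected = @($Required) + @($Optional) + $baseline

    $missing = @($Required | Where-Object { $Granted -notcontains $_ })
    $excess  = @($Granted  | Where-Object { $expected -notcontains $_ })
    # A read-only report never needs a scope that can change directory state.
    $write   = @($excess   | Where-Object { $_ -match 'ReadWrite|\.Write|\.Manage' })

    [pscustomobject]@{
        Ready        = ($missing.Count -eq 0)
        Missing      = $missing
        Excess       = $excess
        WriteCapable = $write
    }
}

# Constructed sample of scopes a delegated session might report.
# In a live session use: $granted = (Get-MgContext).Scopes
$granted = 'openid', 'profile', 'User.Read.All', 'UserAuthenticationMethod.Read.All',
           'Directory.ReadWrite.All'

$result = Test-GraphScopeSet -Granted $granted -Required $Required -Optional $Optional
if (-not $result.Ready) {
    Write-Warning ('Missing scopes: ' + ($result.Missing -join ', '))
}
if ($result.WriteCapable.Count -gt 0) {
    Write-Warning ('Write-capable scopes present for a read-only report: ' +
        ($result.WriteCapable -join ', '))
}
$result
```

Scopes consented earlier for the same client can be present in a delegated session even when `-Scopes` did not request them, which is why the check inspects the session rather than the connect call.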
- Navigate to Entra Portal > App Registrations
- Create New Registration:
- Add Required Permissions:
- Create Secret or Certificate:
  - Under "Certificates & secrets"
  - Create new client secret or upload certificate
  - Save credentials securely
- Connect Using App Credentials:
```powershell
# Using client secret
# The literal values below are placeholders; load the real secret from a
# secure store at run time instead of embedding it in a script.
$client_id = "your-client-id"
$client_secret = "your-client-secret" | ConvertTo-SecureString -AsPlainText -Force
$client_secret_credential = New-Object System.Management.Automation.PSCredential($client_id, $client_secret)
$tenant_id = "your-tenant-id"
Connect-MgGraph -ClientSecretCredential $client_secret_credential -TenantId $tenant_id

# Or using certificate
Connect-MgGraph -ClientId $client_id -CertificateThumbprint "cert-thumbprint" -TenantId $tenant_id
```

```powershell
# Generate dashboard for all users
Invoke-EAMDashboardCreation -AllUsers

# Generate dashboard and suppress certificate warning
Invoke-EAMDashboardCreation -AllUsers -IgnoreCertificateWarning

# Generate dashboard without opening in browser
Invoke-EAMDashboardCreation -AllUsers -InvokeDashboard:$false
```

```powershell
# Create dashboard for specific group
$group_id = "12345678-1234-1234-1234-123456789012"
Invoke-EAMDashboardCreation -GroupId $group_id

# Filter examples
# Users with specific domain
$domain_filter = "endsWith(userPrincipalName,'@contoso.com')"
Invoke-EAMDashboardCreation -Filter $domain_filter

# Users with specific display name pattern
$name_filter = "startsWith(displayName,'A')"
Invoke-EAMDashboardCreation -Filter $name_filter
```

```powershell
# CSV file should contain a column with user identifiers (UPN or Object ID)
# Example CSV content:
# UserPrincipalName
# user1@contoso.com
# user2@contoso.com

# Generate dashboard from CSV
Invoke-EAMDashboardCreation -ImportCsv -Path ".\users.csv" -IdentityHeader "UserPrincipalName"
```

```powershell
# Generate and email dashboard
$dashboard_path = "$($PWD)\Entra_Authentication_Metrics_Dashboard.html"
Invoke-EAMDashboardCreation -AllUsers -InvokeDashboard:$false
Send-EAMMailMessage -To "security-team@contoso.com" -From "reports@contoso.com" -Subject "Authentication Methods Dashboard" -Body "Please find attached the latest authentication methods dashboard." -Attachments $dashboard_path
```

You can also get the authentication report data in a format suitable for CSV export or use in other scripts:

```powershell
# Get authentication report data
$auth_data = New-EAMAuthenticationReport -AllUsers

# Export to CSV
$auth_data | Export-Csv -Path "auth_report.csv" -NoTypeInformation

# Use in other scripts or create dashboard
Invoke-EAMDashboardCreation -InputObject $auth_data
```

The interactive HTML dashboard provides:
- Real-time user filtering and search
- Method-specific views for detailed analysis
- Dark/Light mode toggle
- Comprehensive statistics panel
- Certificate Authentication Detection
  - Based on userCertificateIds property in Entra ID
  - May not reflect all certificate mapping configurations
  - Warning displayed unless suppressed with -IgnoreCertificateWarning
- Email Functionality
  - Requires application (not delegated) permissions
  - Mail.Send permission must be granted at application level
- Large Environment Considerations
  - Progress bars displayed for large queries
  - Consider filtering for better performance
This project is licensed under the MIT License.



