
Microsoft 365 | Passkey MFA Method Not Detected via Liongard/Graph API

MFA, Authentication, Microsoft, M365, Passkey, Graph API, API, Alerts, False Positive, MFA Methods

Updated over 2 weeks ago

Liongard’s Microsoft 365 Inspector pulls user MFA status and registered authentication methods directly from the Microsoft Graph API. Recently, Passkey (passwordless) authentication has become available in many tenants and is visible in the Microsoft 365 Admin Center. However, when users rely exclusively on Passkey, Liongard may report:

isMfaRegistered: false
methodsRegistered: []
isPasswordlessCapable: false

Example screenshot from data print:

This article dives into why this discrepancy occurs, how you can manually verify a user’s Passkey registration, and what steps you can take to ensure accurate visibility of your organization’s MFA coverage.


🤔 Why Does This Happen?

  1. Graph API Coverage Gap
    The primary Graph endpoint for authentication methods (GET /users/{id}/authentication/methods) currently returns:

    • Phone-based methods (SMS, voice)

    • Microsoft Authenticator app and software OATH (TOTP) tokens

    • FIDO2 hardware keys (in limited scenarios)
      Under its v1.0 schema it does not yet surface Passkey (WebAuthn platform keys) or certain other passwordless methods, even though they appear in the UI.

  2. UI vs API Lifecycle
    Microsoft often rolls out UI changes before updating API schemas. Passkey is fully functional in Entra Admin Center, but the corresponding API fields (methodsRegistered, isMfaRegistered) await a schema extension in a future Graph release.

  3. Liongard Dependency
    Liongard uses these API fields to set internal flags and trigger actionable alerts. Without Passkey entries in the API, those flags default to false or empty arrays.

  4. Expected Roadmap Delay
    Public previews of expanded passwordless API support are anticipated around late 2025, based on Microsoft 365 roadmap and internal SDK discussions.


🔎 How to Validate Manually

Even though the API omits Passkey data, you can confirm the current state:

1. Install and Connect the Graph PowerShell Module

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

2. Retrieve Registered Methods for the User

# Replace with your user UPN
$userUPN = "alice@contoso.com"

# Each returned object carries its method type in AdditionalProperties['@odata.type']
Get-MgUserAuthenticationMethod -UserId $userUPN |
    Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } }
  • Expected Output: One row per registered method, with Type values such as #microsoft.graph.passwordAuthenticationMethod, #microsoft.graph.phoneAuthenticationMethod or #microsoft.graph.microsoftAuthenticatorAuthenticationMethod. Note that the password entry is a single factor and does not count as MFA.

  • Passkey Absence: You will not see any entry representing Passkey or WebAuthn platform authenticator.

3. Cross-Check in Entra Admin Center

  1. Go to Entra ID > Users > [Select User] > Authentication methods

  2. Verify that Passkey (or equivalent platform authenticator) appears under Usable authentication methods.

Example screenshot:

Note: This contrast shows that the portal lists the passkey while the Graph API does not.
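The procedure above, scripted end to end, as an added example that is not part of the original article or of Liongard's own code: it reads the same Graph registration report that supplies isMfaRegistered, methodsRegistered and isPasswordlessCapable, keeps enabled, non-guest users flagged false (the same filters as the metric in Recommended Actions below), and for each one lists what the per-user methods endpoint returns, so you know which accounts still need the Entra admin center check. It assumes the Microsoft.Graph module and a session with the AuditLog.Read.All, UserAuthenticationMethod.Read.All and User.Read.All scopes; the function names, the verdict strings and the dry-run objects at the end are this example's own.

```powershell
# Added example, not code from the original article or from Liongard: triage the users
# that the Graph registration report (the source of isMfaRegistered / methodsRegistered /
# isPasswordlessCapable) flags as not MFA-registered, and split them into those the
# API can already see a second factor for and those that need a manual passkey check
# in the Entra admin center. Assumes the Microsoft.Graph module and a session with
# AuditLog.Read.All, UserAuthenticationMethod.Read.All and User.Read.All. The function
# names, the verdict strings and the sample objects below are this example's own.

# @odata.type values that represent a second factor in the v1.0 methods endpoint.
# passwordAuthenticationMethod is a single factor and is deliberately left out;
# temporaryAccessPass and email are excluded because they are short-lived or SSPR-only.
$script:SecondFactorTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Get-MethodVerdict {
    # Classify one user's method list. Works on the objects Get-MgUserAuthenticationMethod
    # returns (each carries its @odata.type in AdditionalProperties) and on the
    # look-alike objects used in the dry run at the bottom.
    param([AllowEmptyCollection()][object[]]$Methods = @())

    $types  = @($Methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $second = @($types | Where-Object { $script:SecondFactorTypes -contains $_ })

    if ($second.Count -gt 0) {
        # The API itself shows a second factor: if the report still says false,
        # re-pull the report rather than treating the user as unprotected.
        $verdict = 'MfaVisibleViaApi'
    } else {
        # Only a password (or nothing) came back. A passkey-only user looks exactly
        # like this, so the decision is made in the portal, not here.
        $verdict = 'VerifyPasskeyInEntraPortal'
    }

    [pscustomobject]@{
        ApiMethodTypes = ($types | ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' }) -join ','
        Verdict        = $verdict
    }
}

function Get-PasskeyTriage {
    # Live run: same report Liongard reads, same filters as the page's metric
    # (enabled, non-guest, isMfaRegistered false), then one methods call per user.
    $flagged = Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
        -Filter "isMfaRegistered eq false and userType eq 'member'"

    foreach ($row in $flagged) {
        # The report has no accountEnabled column, so fetch it from the user object.
        $user = Get-MgUser -UserId $row.Id -Property AccountEnabled
        if (-not $user.AccountEnabled) { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $row.Id
        $result  = Get-MethodVerdict -Methods $methods

        [pscustomobject]@{
            UserPrincipalName   = $row.UserPrincipalName
            ReportMfaRegistered = $row.IsMfaRegistered
            ReportMethods       = ($row.MethodsRegistered -join ',')
            ReportPasswordless  = $row.IsPasswordlessCapable
            ApiMethodTypes      = $result.ApiMethodTypes
            Verdict             = $result.Verdict
        }
    }
}

# Live usage (writes the list to hand to the alert-exception review):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','User.Read.All'
#   Get-PasskeyTriage | Export-Csv .\passkey-triage.csv -NoTypeInformation

# Dry run with constructed objects (no tenant needed) that exercises both verdicts.
$passwordOnly = @(
    [pscustomobject]@{ Id = 'pw'; AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' } }
)
$phoneUser = $passwordOnly + @(
    [pscustomobject]@{ Id = 'ph'; AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.phoneAuthenticationMethod' } }
)
if ((Get-MethodVerdict -Methods $passwordOnly).Verdict -ne 'VerifyPasskeyInEntraPortal') { throw 'dry run: password-only user misclassified' }
if ((Get-MethodVerdict -Methods $phoneUser).Verdict    -ne 'MfaVisibleViaApi')           { throw 'dry run: phone user misclassified' }
Get-MethodVerdict -Methods $passwordOnly
Get-MethodVerdict -Methods $phoneUser
```

The dry run at the bottom needs no tenant and exercises both verdicts; for a live run, connect first and pipe Get-PasskeyTriage to Export-Csv. A verdict of MfaVisibleViaApi for a user the report lists as false is a reason to re-pull the report, not to open a ticket; only VerifyPasskeyInEntraPortal rows need the portal check from step 3.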


📌 Impact & Security Considerations

  • False Negatives in Alerts: Automated workflows triggering on isMfaRegistered == false will generate noise for Passkey-only users, because the API reports them as having no MFA method at all.

  • No Actual Security Risk: A passkey is a phishing-resistant, multi-factor credential (possession of the device plus a local PIN or biometric), so these users are still protected; the gap is purely in data reporting. Do not "fix" the alert by having them register a phone or SMS method, as that only adds a weaker, phishable factor to the account.

  • Audit and Compliance: Be aware of this API limitation when demonstrating MFA coverage to auditors or executive stakeholders, and keep the Entra admin center evidence alongside the API report.


🛠️ Recommended Actions

  1. Suppress False-Positive Alerts

    • Identify users registered only via Passkey and tag them as exceptions in your alert rules (if required).

  2. Monitor Microsoft Roadmap

    • Watch the Microsoft 365 roadmap for announcements related to Graph API support for Passkey and passwordless.

  3. Custom Liongard Metrics (Optional)

    • Create a report using a metric to flag users with isMfaRegistered: false and review those manually.
      Returns the UPNs of enabled, non-guest users whose isMfaRegistered flag is false:

    Users[?accountEnabled == `true` && userType != 'Guest' && credentialUserRegistrationDetails.isMfaRegistered == `false`].userPrincipalName

🦁 How Liongard Helps

  • Historic Visibility: Review inspection logs to see when a user was onboarded with Passkey.

  • Actionable Alerts: Fire alerts on missing API-returned methods, prompting manual investigation.

  • Custom Metrics: Empower partners to track and manage exceptions via tailored metrics.

Pro Tip: Use an actionable alert on the metric above (for example, saved as MissingMfaMethods) to get a daily digest of accounts needing manual verification.

