Overview
Liongard's Microsoft 365 Inspector retrieves user Multi-Factor Authentication (MFA) status and registered authentication methods directly from the Microsoft Graph API, not from the Microsoft Entra Admin Center interface.
In some environments, administrators may observe that users configured with Passkey or passwordless authentication appear in Liongard with values such as:
isMfaRegistered: false
methodsRegistered: []
isPasswordlessCapable: false
even though MFA or Passkey authentication is visible and functioning correctly within Microsoft Entra.
This article explains why this behavior occurs, how to validate authentication methods directly through Microsoft Graph, and recommended actions to prevent false-positive MFA alerts.
Root Cause
Microsoft Graph API v1.0 does not consistently expose Passkey (platform WebAuthn) authentication registrations as independently reportable authentication methods across all tenants. Because Liongard relies exclusively on production Microsoft Graph v1.0 endpoints, Passkey-only authentication may not be detected even when visible in the Microsoft Entra Admin Center UI.
Liongard intentionally avoids Microsoft Graph /beta endpoints due to their non-production status, potential schema instability, and risk of breaking changes.
Why This Happens
Graph API Coverage Gap
The Microsoft Graph endpoint used to retrieve authentication methods:
GET /users/{id}/authentication/methods
currently returns supported methods such as:
Phone authentication (SMS / Voice)
Microsoft Authenticator (TOTP / Push)
FIDO2 hardware security keys (limited scenarios)
However, Passkey / WebAuthn platform authenticators may not yet be exposed through the v1.0 schema.
UI vs API Release Lifecycle
Microsoft frequently releases authentication capabilities in the Entra Admin Center UI before equivalent fields become available in production Graph APIs.
As a result:
- Authentication works correctly
- MFA enforcement remains active
- The Graph API may not report the method
Liongard reflects API data exactly as returned by Microsoft Graph.
Production API Requirement
Liongard avoids Microsoft Graph /beta endpoints because they:
Are subject to breaking schema changes
May return inconsistent results
Are not supported for production integrations by Microsoft
Only stable v1.0 endpoints are used to ensure inspection reliability.
How to Validate Manually
Administrators can confirm what Microsoft Graph currently reports.
1. Install and Connect Microsoft Graph PowerShell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
2. Retrieve Authentication Methods
$userUPN = "alice@contoso.com"
Get-MgUserAuthenticationMethod -UserId $userUPN
Expected Result
You may see entries such as:
phoneAuthenticationMethod
microsoftAuthenticatorAuthenticationMethod
Important
If the user relies only on Passkey, no authentication method representing the Passkey may appear in the response.
This confirms the limitation exists at the Microsoft Graph API level.
3. Cross-Check in Microsoft Entra Admin Center
Navigate to:
https://entra.microsoft.com
> Entra ID
> Users
> Select User
> Authentication Methods
You may observe:
- Passkey visible in the portal
- Passkey absent from the Graph output
This difference confirms UI visibility exceeds current API reporting capability.
Impact & Security Considerations
1. False-Positive MFA Alerts
Metrics or alerts relying on:
isMfaRegistered == false
may incorrectly flag Passkey-only users.
2. No Security Risk
Passkey authentication still enforces MFA requirements.
The discrepancy affects reporting visibility only, not authentication security.
3. Audit & Compliance Awareness
When demonstrating MFA adoption to auditors or stakeholders:
Portal values may differ from API-based reporting tools.
Manual validation may be required for passwordless users.
Recommended Actions
Review Flagged Users Manually
Identify users relying exclusively on Passkey authentication before remediation actions.
Suppress False-Positive Alerts (Optional)
Example RoarPath metric:
Users[? accountEnabled == `true` && userType != `Guest` && credentialUserRegistrationDetails.isMfaRegistered == `false`].userPrincipalName
Use this list for verification rather than automatic escalation.
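The manual validation steps above and the "Review Flagged Users Manually" action can be combined into one pass: for each user the RoarPath metric returns, ask Graph v1.0 which method types it actually reports and mark users whose only returned method is a password (the Passkey-only pattern) for a portal check. This is an added example, not Liongard's or Microsoft's code; it assumes the Microsoft.Graph module is installed, the connecting account holds UserAuthenticationMethod.Read.All, and the UPNs in `$flaggedUsers` are constructed placeholders to be replaced by the metric output.

```powershell
# Added example (not Liongard's own code): cross-check users flagged as
# isMfaRegistered == false against what Graph v1.0 actually returns.
# Assumes Microsoft.Graph is installed and the signed-in account holds
# UserAuthenticationMethod.Read.All. The UPNs below are constructed
# placeholders; paste in the list produced by the RoarPath metric instead.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

$flaggedUsers = @("alice@contoso.com", "bob@contoso.com")

# v1.0 @odata.type names that count as a second factor. Passkeys that Graph
# does expose show up as fido2AuthenticationMethod; Passkeys it does not
# expose leave the user with none of these, which is the gap this article
# describes.
$strongMethods = @(
    "microsoftAuthenticatorAuthenticationMethod",
    "phoneAuthenticationMethod",
    "fido2AuthenticationMethod",
    "windowsHelloForBusinessAuthenticationMethod",
    "softwareOathAuthenticationMethod"
)

function Get-GraphMfaSummary {
    param([string]$UserPrincipalName)

    $methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
    # Each returned object carries its type only in AdditionalProperties,
    # e.g. "#microsoft.graph.fido2AuthenticationMethod"; keep the short name.
    $types = @($methods | ForEach-Object {
        $_.AdditionalProperties["@odata.type"] -replace '^#microsoft\.graph\.', ''
    })
    $strong = @($types | Where-Object { $strongMethods -contains $_ })

    [pscustomobject]@{
        User              = $UserPrincipalName
        MethodsFromGraph  = ($types -join ", ")
        StrongMethodCount = $strong.Count
        # Password only (or nothing) from Graph: may be a Passkey-only user,
        # so confirm in the Entra Admin Center before escalating the alert.
        NeedsPortalCheck  = ($strong.Count -eq 0)
    }
}

$flaggedUsers | ForEach-Object { Get-GraphMfaSummary -UserPrincipalName $_ } |
    Format-Table -AutoSize
```

Users with NeedsPortalCheck set to True are the ones to verify under Authentication Methods in the portal (step 3 above) before any remediation.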
Monitor Microsoft Graph Updates
Microsoft continues expanding passwordless authentication support within Graph APIs. Future API releases may expose additional authentication method data.
How Liongard Helps
Even with API limitations, Liongard provides:
Historical inspection visibility
Centralized MFA monitoring
Actionable alerting workflows
Custom metric exception tracking
Partners can safely investigate users flagged by inspection without assuming authentication failure.
Expected Behavior Summary
Capability                    | Supported
Detect Authenticator App MFA  | Yes
Detect Phone MFA              | Yes
Detect Some FIDO2 Keys        | Partial
Detect Passkey-Only Users     | Not consistently
Alert Reliably on Passkey MFA | Not currently
Additional Resources
Disclaimer
This article references third-party documentation published by Microsoft for informational purposes only. External documentation is owned and maintained by the respective vendor and may change without notice. Liongard does not control or guarantee the accuracy, availability, or future behavior of third-party APIs, features, or documentation referenced herein.
