By auditing the Passkeys used by users in your tenant, you can identify the AAGUIDs you need to reference when implementing restrictions that govern the type of passkeys users can configure going forward. The audit also shows which types and models of Passkeys are in use, so you can confirm they all remain supported if a third-party vendor issues an End Of Life notice for specific models.
In this post, I will show you how to use Microsoft Graph PowerShell to audit which Passkeys users have configured in your tenant and export the AAGUIDs of each.
Requirements
To run the script to list all Passkeys in your tenant, you must ensure you have the latest version of the Microsoft Graph PowerShell module installed. Check out my post: How To Install the Microsoft Graph PowerShell Module, to learn how.
You will also need access to a Global Administrator account in your tenant to consent to the required permissions to run the script.
List All Passkeys and AAGUIDs with Microsoft Graph PowerShell
Copy the script below into your code editor of choice and run it. It displays a pop-up grid view of every Passkey registered to users in your tenant, one row per passkey. If you want to export this data to a CSV file, un-comment the last line of the script and modify the output path.
Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All, AuditLog.Read.All

# One row per passkey: a user can have several registered
$Report = [System.Collections.Generic.List[object]]::new()

# Users with a device-bound passkey registered; follow @odata.nextLink so large tenants are not truncated
$Uri = "beta/reports/authenticationMethods/userRegistrationDetails?`$filter=methodsRegistered/any(i:i eq 'passKeyDeviceBound') or methodsRegistered/any(i:i eq 'passKeyDeviceBoundAuthenticator')"
$PasskeyUsers = @()
do {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
    $PasskeyUsers += $Page.Value
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

foreach ($user in $PasskeyUsers) {
    # Every FIDO2 method (passkey) registered to this user
    $passkeys = Invoke-MgGraphRequest -Method GET -Uri "beta/users/$($user.id)/authentication/fido2Methods" -OutputType PSObject | Select-Object -ExpandProperty Value
    foreach ($passkey in $passkeys) {
        $Report.Add([PSCustomObject][ordered]@{
            "User"         = $user.userPrincipalName
            "Passkey"      = $passkey.displayName
            "Model"        = $passkey.model
            "aaGuid"       = $passkey.aaGuid
            "Date created" = $passkey.createdDateTime
        })
    }
}

$Report | Out-GridView
# Un-comment to export to CSV and adjust the path as required
#$Report | Export-Csv -Path C:\temp\UserPasskeyList.csv -NoTypeInformation
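Once the report is exported, the next question is which AAGUIDs a restriction policy needs to include and which existing passkeys it would break. The following PowerShell is an added example, not part of the original script: it summarises the exported CSV by AAGUID and model and compares each AAGUID against a hypothetical allow list. The CSV path and the allow-list AAGUIDs are placeholders to replace with your own values.

```powershell
# Added example: summarise the exported passkey report by AAGUID.
# Assumes the CSV produced by the audit script; the path and allow-list values are placeholders.
$CsvPath = 'C:\temp\UserPasskeyList.csv'

# Hypothetical allow list: the AAGUIDs you intend to permit in a passkey restriction policy.
# Replace these placeholder values with the AAGUIDs found in your own audit.
$AllowedAaguids = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

$Rows = Import-Csv -Path $CsvPath

# One line per distinct AAGUID: model name(s), passkey count, user count, and whether it is on the allow list
$Summary = $Rows | Group-Object -Property aaGuid | ForEach-Object {
    [PSCustomObject]@{
        aaGuid   = $_.Name
        Model    = ($_.Group | Select-Object -ExpandProperty Model -Unique) -join '; '
        Passkeys = $_.Count
        Users    = ($_.Group | Select-Object -ExpandProperty User -Unique).Count
        Allowed  = $AllowedAaguids -contains $_.Name
    }
} | Sort-Object -Property Passkeys -Descending

$Summary | Format-Table -AutoSize

# Passkeys that would stop working if the allow list above were enforced as-is
$WouldBeBlocked = $Rows | Where-Object { $AllowedAaguids -notcontains $_.aaGuid }
if ($WouldBeBlocked) {
    $AffectedUsers = ($WouldBeBlocked | Select-Object -ExpandProperty User -Unique).Count
    Write-Warning "$(@($WouldBeBlocked).Count) passkey(s) across $AffectedUsers user(s) use an AAGUID that is not on the allow list:"
    $WouldBeBlocked | Select-Object User, Passkey, Model, aaGuid | Format-Table -AutoSize
}
```

Run it after the audit has been exported; the summary table gives you the distinct AAGUIDs to enter into the restriction policy, and the warning section lists the users to contact before enforcement so no one is locked out.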
Passkeys in the Microsoft Authenticator App
Using Passkeys with the Microsoft Authenticator App provides a high level of protection at no additional cost to your organisation. Users can use the technology built into their existing mobile phone to create and store a Passkey in the Microsoft Authenticator app. This brings phishing-resistant authentication to almost everyone at no additional cost.
If you introduce software-based Passkeys in the Microsoft Authenticator app, it is important to start thinking about restricting the types of Passkeys allowed across your tenant as a whole. The first step is to audit which Passkeys are currently in use, which is what the script in this post does.
For more information on enabling Passkey authentication in Microsoft Authenticator, check out my post: How to enable Passkeys for the Microsoft Authenticator app.