List All Passkeys and AAGUIDs in Microsoft Entra with PowerShell

By auditing the Passkeys used by users in your tenant, you can identify the AAGUIDs required to implement restrictions and govern the types of Passkeys users can configure going forward. The same audit identifies the types and models of Passkeys in use, so you can confirm they remain supported if a third-party vendor issues an end-of-life notice for specific models.

In this post, I will show you how to use Microsoft Graph PowerShell to audit which Passkeys users have configured in your tenant and export the AAGUIDs of each.

Requirements

To run the script to list all Passkeys in your tenant, you must ensure you have the latest version of the Microsoft Graph PowerShell module installed. Check out my post: How To Install the Microsoft Graph PowerShell Module, to learn how.

You will also need access to a Global Administrator account in your tenant to consent to the required permissions to run the script.

List All Passkeys and AAGUIDs with Microsoft Graph PowerShell

Copy the script below into your code editor of choice and run it. It displays a popup grid view of all Passkeys registered to users in your tenant, one row per passkey. If you want to export this data to a CSV file, uncomment the last line of the script and modify the output path.

# Connect with the permissions needed to read the registration report and each user's FIDO2 methods
Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All, AuditLog.Read.All

$Report = @()

# Find every user who has registered a device-bound passkey (security key or Authenticator app).
# The report is paged, so follow @odata.nextLink until every page has been read.
$Uri = "beta/reports/authenticationMethods/userRegistrationDetails?`$filter=methodsRegistered/any(i:i eq 'passKeyDeviceBound') OR methodsRegistered/any(i:i eq 'passKeyDeviceBoundAuthenticator')"
$PasskeyUsers = @()
do {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
    $PasskeyUsers += $Page.Value
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

Foreach ($user in $PasskeyUsers) {
    # A user can hold several FIDO2 methods, so emit one row per passkey rather than one per user
    $passkeys = Invoke-MgGraphRequest -Method GET -Uri "beta/users/$($user.id)/authentication/fido2Methods" -OutputType PSObject | Select-Object -ExpandProperty Value
    Foreach ($passkey in $passkeys) {
        $obj = [PSCustomObject][ordered]@{
            "User"         = $user.UserPrincipalName
            "Passkey"      = $passkey.displayName
            "Model"        = $passkey.model
            "aaGuid"       = $passkey.aaGuid
            "Date created" = $passkey.createdDateTime
        }
        $Report += $obj
    }
}

$Report | Out-GridView
#$Report | Export-Csv -Path C:\temp\UserPasskeyList.csv -NoTypeInformation
Passkey report

Passkeys in the Microsoft Authenticator App

The use of Passkeys with the Microsoft Authenticator App enables a high level of protection with no additional cost to your organisation. Users can utilise the technology built into their existing mobile phone to secure and maintain a Passkey in the Microsoft Authenticator app. This enables phishing-resistant authentication to almost everyone with no additional cost. 

If you introduce software-based Passkeys in the Microsoft Authenticator app, it is important that you also start thinking about restricting the types of Passkeys allowed in your tenant as a whole. The first step is to audit which Passkeys are currently in use, which is what the script in this post does.
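As an added example that is not part of the original post, the following PowerShell takes rows in the shape the audit script produces (replaced here by constructed placeholder rows so it runs offline), collapses them into one line per AAGUID, and lists every passkey whose AAGUID falls outside an allow list you are considering enforcing. The function names, sample users and AAGUIDs are assumptions; swap in the real $Report or the exported CSV.

```powershell
# Constructed sample rows in the shape the audit script produces. Replace with
# $Report from the script, or: $Report = Import-Csv C:\temp\UserPasskeyList.csv
# Users and AAGUIDs below are placeholders, not real values.
$Report = @(
    [PSCustomObject]@{ User = 'alice@contoso.example'; Passkey = 'Phone passkey'; Model = 'Microsoft Authenticator'; aaGuid = '00000000-0000-0000-0000-00000000aaa1'; 'Date created' = '2024-03-01T09:12:00Z' }
    [PSCustomObject]@{ User = 'bob@contoso.example';   Passkey = 'Desk key';      Model = 'Vendor Key 5 NFC';       aaGuid = '00000000-0000-0000-0000-00000000bbb2'; 'Date created' = '2023-11-14T15:40:00Z' }
    [PSCustomObject]@{ User = 'bob@contoso.example';   Passkey = 'Backup key';    Model = 'Vendor Key 5 NFC';       aaGuid = '00000000-0000-0000-0000-00000000BBB2'; 'Date created' = '2023-11-14T15:45:00Z' }
    [PSCustomObject]@{ User = 'carol@contoso.example'; Passkey = 'Old key';       Model = 'Legacy Key 1';           aaGuid = '00000000-0000-0000-0000-00000000ccc3'; 'Date created' = '2021-06-02T08:00:00Z' }
)

# One line per AAGUID: how many passkeys and users depend on it, and which models report it.
# AAGUIDs are compared case-insensitively, since Graph and vendor docs differ in casing.
function Get-AaGuidSummary {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $Rows | Group-Object -Property { $_.aaGuid.ToLowerInvariant() } | ForEach-Object {
        [PSCustomObject]@{
            aaGuid   = $_.Name
            Passkeys = $_.Count
            Users    = @($_.Group.User | Sort-Object -Unique).Count
            Models   = (@($_.Group.Model | Sort-Object -Unique) -join '; ')
        }
    } | Sort-Object -Property Passkeys -Descending
}

# Rows whose AAGUID is not on the allow list. These are the users who would lose a
# working passkey if the list were enforced as-is, so review them before enabling it.
function Get-PasskeyOutsideAllowList {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string[]] $AllowedAaGuids
    )
    $allowed = $AllowedAaGuids | ForEach-Object { $_.ToLowerInvariant() }
    $Rows | Where-Object { $_.aaGuid.ToLowerInvariant() -notin $allowed }
}

# Placeholder allow list: the AAGUIDs you intend to permit in the tenant
$Allowed = @('00000000-0000-0000-0000-00000000aaa1', '00000000-0000-0000-0000-00000000bbb2')

Get-AaGuidSummary -Rows $Report | Format-Table -AutoSize
Get-PasskeyOutsideAllowList -Rows $Report -AllowedAaGuids $Allowed |
    Select-Object User, Passkey, Model, aaGuid | Format-Table -AutoSize
```

With the sample rows, the summary shows the two differently-cased Vendor Key entries collapsed into one AAGUID, and the second table lists only carol's Legacy Key 1 as outside the allow list.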

For more information on enabling Passkey authentication in Microsoft Authenticator, check out my post: How to enable Passkeys for the Microsoft Authenticator app.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
