Microsoft Entra MFA (Multi-Factor Authentication) is a security feature that adds an extra layer of protection to user accounts by requiring verification through multiple authentication factors, such as a password plus a mobile app notification or a biometric scan. It protects authentication methods and provides usage reports that show how users in your organization are using Microsoft Entra authentication capabilities such as MFA, Self-Service Password Reset (SSPR), and passwordless authentication. In addition, Entra MFA offers details related to the device. Its API supports the integration, which primarily imports detailed reports on authentication-method usage and device data.
Setup and Configure
Log on to Azure with a user account that has the Global Administrator role.
Navigate to Microsoft Entra ID > App registrations > New registration. The “Register an application” page appears.
Enter the application's registration information:
In the ‘Name’ section, enter a meaningful application name that will be displayed to users.
For ‘Supported account types’, click the Accounts in any organizational directory option.
Set the ‘Redirect URI’ to http://localhost.
Click on Register to create the application.
On the app “Overview” page, copy the ‘Application (client) ID’ and ‘Directory (tenant) ID’ for later use.
Add Endpoint Access
Once the application is created, three permissions must be granted before any data can be retrieved: the endpoints below will not return data until the application holds the appropriate permissions. The following section details how to configure and add these permissions for the required endpoints.
Endpoints needed for Microsoft Entra MFA
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails
https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByFeature
https://graph.microsoft.com/beta/reports/authenticationMethods/usersRegisteredByMethod
https://graph.microsoft.com/beta/reports/userCredentialUsageDetails
https://graph.microsoft.com/beta/reports/getCredentialUserRegistrationCount
https://graph.microsoft.com/beta/reports/getCredentialUsageSummary
Add Permissions
To add permissions for the six endpoints outlined above, from the Azure Active Directory portal:
Select the application whose logs are to be accessed (generally, the application registered earlier on this page).
Click API Permissions, and then click Add a Permission. The “Request API permissions” window appears.
Click on Microsoft Graph.
Click on Application Permissions.
The following permissions need to be granted for the six endpoints to function properly:
Endpoint                              Permission
/userRegistrationDetails              AuditLog.Read.All
/usersRegisteredByFeature             AuditLog.Read.All
/usersRegisteredByMethod              AuditLog.Read.All
/userCredentialUsageDetails           Reports.Read.All
/getCredentialUserRegistrationCount   Reports.Read.All
/getCredentialUsageSummary            Reports.Read.All
/device                               Device.Read.All
In the ‘Select permissions’ search bar, enter each permission shown above one at a time, and check the box for each to include it.
Click the Add permissions button after selecting all required permissions.
On the “API permissions” page, click Grant Admin Consent for <tenant>.
Click the Yes button on the consent confirmation. The required permissions are now added for the endpoints.
Create the Client ID and Client Secret
The final step in configuring the Graph API is creating a Client ID and Client Secret. To create these items, from the Azure Portal:
Select the application created above.
Click Certificates & secrets, and then Client Secrets.
Click New client secret. The “Add a client secret” window appears.
Enter a ‘Description’ for this client secret.
Select the desired expiry period from the ‘Expires’ drop-list.
Click Add.
Copy the ‘Value’ field, which will be used to initialize the beat.
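The following script is an added example, not part of this page or of the product it documents. It shows how the values gathered above (tenant ID, client ID, client secret) are used: it obtains an application token with the OAuth2 client-credentials grant, calls one of the listed report endpoints while following `@odata.nextLink` pagination, and summarizes which users the `userRegistrationDetails` report marks as not MFA-registered (the `userPrincipalName` and `isMfaRegistered` fields of that report). The HTTP calls are injected as callables so the same logic runs offline here against constructed sample responses; the tenant, client, secret and user values are placeholders, not real identifiers.

```python
"""Pull Entra authentication-method reports with the app registration configured
on this page. Added example, not the page's or any vendor's code. TENANT_ID,
CLIENT_ID and CLIENT_SECRET are assumed to be the values copied during the
registration steps; the http_get/http_post callables are injected so the flow
can be exercised offline against constructed responses."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

GRAPH = "https://graph.microsoft.com"

# Endpoints from the page, with the application permission each one needs.
ENDPOINTS: Dict[str, str] = {
    "/beta/reports/authenticationMethods/userRegistrationDetails": "AuditLog.Read.All",
    "/beta/reports/authenticationMethods/usersRegisteredByFeature": "AuditLog.Read.All",
    "/beta/reports/authenticationMethods/usersRegisteredByMethod": "AuditLog.Read.All",
    "/beta/reports/userCredentialUsageDetails": "Reports.Read.All",
    "/beta/reports/getCredentialUserRegistrationCount": "Reports.Read.All",
    "/beta/reports/getCredentialUsageSummary": "Reports.Read.All",
}


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Build the client-credentials token request: (token URL, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests the application permissions granted via admin consent.
        "scope": f"{GRAPH}/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def default_http_post(url: str, body: bytes) -> dict:
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def default_http_get(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id: str, client_id: str, client_secret: str,
              http_post: Callable[[str, bytes], dict] = default_http_post) -> str:
    url, body = token_request(tenant_id, client_id, client_secret)
    payload = http_post(url, body)
    if "access_token" not in payload:
        # Typical causes: wrong secret, expired secret, or admin consent not granted.
        raise RuntimeError(f"token request failed: {payload.get('error_description', payload)}")
    return payload["access_token"]


def fetch_all(path: str, token: str,
              http_get: Callable[[str, str], dict] = default_http_get) -> Iterator[dict]:
    """Yield every item of a Graph collection, following @odata.nextLink pages."""
    url = GRAPH + path
    while url:
        page = http_get(url, token)
        for item in page.get("value", []):
            yield item
        url = page.get("@odata.nextLink")


def users_not_mfa_registered(details: Iterable[dict]) -> List[str]:
    """UPNs from userRegistrationDetails whose isMfaRegistered flag is not true."""
    return sorted(d["userPrincipalName"] for d in details if not d.get("isMfaRegistered", False))


# Constructed sample responses (not real Graph output) so the flow runs offline.
_DETAILS = GRAPH + "/beta/reports/authenticationMethods/userRegistrationDetails"
SAMPLE_PAGES = {
    _DETAILS: {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
            {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
        ],
        "@odata.nextLink": _DETAILS + "?$skiptoken=page2",
    },
    _DETAILS + "?$skiptoken=page2": {
        "value": [{"userPrincipalName": "carol@contoso.example", "isMfaRegistered": False}],
    },
}


def fake_post(url: str, body: bytes) -> dict:
    return {"token_type": "Bearer", "access_token": "constructed-token"}


def fake_get(url: str, token: str) -> dict:
    if token != "constructed-token":
        return {"error": {"code": "InvalidAuthenticationToken"}}
    return SAMPLE_PAGES[url]


def demo() -> List[str]:
    """Run the whole flow against the constructed responses."""
    token = get_token("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                      "CLIENT_SECRET_PLACEHOLDER", http_post=fake_post)
    details = fetch_all("/beta/reports/authenticationMethods/userRegistrationDetails",
                        token, http_get=fake_get)
    return users_not_mfa_registered(details)


if __name__ == "__main__":
    print(demo())  # ['bob@contoso.example', 'carol@contoso.example']
```

To run it against a real tenant, call `get_token` and `fetch_all` with the default HTTP callables and the values copied from the portal; keep the client secret out of source control and rotate it before the expiry chosen in the ‘Expires’ drop-list, since the token request fails once it lapses.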