Understanding how your users authenticate to your systems is crucial for maintaining security. While Entra ID provides various authentication methods, getting a clear picture of their usage across your organization can be challenging. This is where EntraAuthenticationMetrics comes in – a PowerShell module designed to help administrators visualize and track authentication methods, with a particular focus on Phishing-Resistant MFA.
What Problem Does It Solve?
As more organizations adopt a Zero Trust Architecture, it’s important to be able to identify users who are using Phishing-Resistant MFA (PRMFA). This module simplifies analysis of your authentication landscape:
How many users have Phishing-Resistant MFA enabled?
What's the adoption rate of FIDO2 security keys and/or Windows Hello for Business?
Which users are still relying on legacy authentication methods?
While this information exists in Entra ID, it's not easily accessible in a consolidated view. EntraAuthenticationMetrics addresses this by providing an interactive dashboard that makes this data readily available and easy to analyze.
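To show what the raw data looks like before it is consolidated, here is an added example (not the module's own code) that classifies each user's registered methods by their Microsoft Graph `@odata.type` and computes phishing-resistant coverage. The function name `Get-PrmfaSummary` and the sample users are hypothetical; the sample input is constructed so the block runs without a tenant.

```powershell
# Added example, not the module's code. Types treated as phishing-resistant follow
# the page's grouping (FIDO2, Windows Hello for Business); certificate-based
# authentication is left out because the page says it is detected from a user property.
$PhishingResistantTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Get-PrmfaSummary {
    param(
        # userPrincipalName -> array of Graph @odata.type strings for that user
        [Parameter(Mandatory)] [hashtable] $MethodsByUser
    )
    $rows = @(foreach ($upn in ($MethodsByUser.Keys | Sort-Object)) {
        $types  = @($MethodsByUser[$upn])
        $strong = @($types | Where-Object { $_ -in $PhishingResistantTypes })
        [pscustomobject]@{
            UserPrincipalName = $upn
            PhishingResistant = $strong.Count -gt 0
            StrongMethods     = ($strong -replace '^#microsoft\.graph\.|AuthenticationMethod$') -join ', '
            MethodCount       = $types.Count
        }
    })
    $covered = @($rows | Where-Object { $_.PhishingResistant }).Count
    [pscustomobject]@{
        Users       = $rows
        TotalUsers  = $rows.Count
        Covered     = $covered
        AdoptionPct = if ($rows.Count) { [math]::Round(100 * $covered / $rows.Count, 1) } else { 0 }
    }
}

# Constructed sample input. Against a live tenant, fill the hashtable with:
#   (Get-MgUserAuthenticationMethod -UserId $user.Id) |
#       ForEach-Object { $_.AdditionalProperties['@odata.type'] }
$sample = @{
    'alice@contoso.com' = @('#microsoft.graph.passwordAuthenticationMethod',
                            '#microsoft.graph.fido2AuthenticationMethod')
    'bob@contoso.com'   = @('#microsoft.graph.passwordAuthenticationMethod',
                            '#microsoft.graph.phoneAuthenticationMethod')
    'carol@contoso.com' = @('#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
                            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
}

$summary = Get-PrmfaSummary -MethodsByUser $sample
$summary.Users | Format-Table -AutoSize
"{0} of {1} users ({2}%) have a phishing-resistant method" -f $summary.Covered, $summary.TotalUsers, $summary.AdoptionPct
# Users without one are the follow-up list
$summary.Users | Where-Object { -not $_.PhishingResistant } | Select-Object -ExpandProperty UserPrincipalName
```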
Key Features
The module offers a straightforward way to generate interactive dashboards that show:
Phishing-Resistant MFA Status
FIDO2 security key usage
Windows Hello for Business adoption
Certificate-based authentication deployment
Authentication Method Coverage
Microsoft Authenticator App
Software OATH tokens
Email and phone authentication
Temporary Access Pass usage
Interactive Analysis Tools
Real-time user filtering
Method-specific views
Comprehensive statistics
Dark/Light mode for better visibility
Dashboard Examples
The module generates an interactive dashboard that provides comprehensive insights into your authentication metrics:
Comprehensive Authentication Metrics
A user-friendly interface that provides:
Filtering and searching capabilities
Detailed view of Phishing-Resistant MFA status
Method-specific insights
Authentication Statistics Dashboard
A detailed breakdown showing:
Phishing-Resistant MFA adoption
Strong authentication method coverage
Standard and legacy authentication method usage
Installation
The module is available in the PowerShell Gallery and can be installed just like any other standard module:
Install-Module -Name EntraAuthenticationMetrics -Scope CurrentUser
Import-Module EntraAuthenticationMetrics
Authentication Setup
You have two options for authentication:
Interactive Authentication (Delegated)
For basic dashboard generation, you'll need these Microsoft Graph permissions:
Connect with these permissions using:
Connect-MgGraph -Scopes @("User.Read.All", "GroupMember.Read.All", "UserAuthenticationMethod.Read.All")
App Registration (Required for Email Features)
To enable email functionality, you'll need to set up an application registration:
Go to the Entra Portal and navigate to App Registrations
Create a new registration:
Name it (e.g., "EntraAuthenticationMetrics")
Choose single tenant
Click Register
Configure permissions:
Navigate to API Permissions
Add these Microsoft Graph permissions:
User.Read.All (Application)
GroupMember.Read.All (Application)
UserAuthenticationMethod.Read.All (Application)
Mail.Send (Application)
Grant admin consent
Set up credentials:
Go to Certificates & secrets
Create a new client secret or upload a certificate
Save the credentials securely
Connect using the app:
# Using client secret
$client_id = "your-client-id"
$client_secret = "your-client-secret" | ConvertTo-SecureString -AsPlainText -Force
$client_secret_credential = New-Object System.Management.Automation.PSCredential($client_id, $client_secret)
$tenant_id = "your-tenant-id"
Connect-MgGraph -ClientSecretCredential $client_secret_credential -TenantId $tenant_id
# Or using certificate
Connect-MgGraph -ClientId $client_id -CertificateThumbprint "cert-thumbprint" -TenantId $tenant_id
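Mail.Send granted as an application permission lets the app send as any mailbox in the tenant. As an added example (not part of the module or the original post), an Exchange Online application access policy can restrict the app to the reporting mailbox only; the group address and the second test mailbox below are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

$client_id = "your-client-id"

# Placeholder: a mail-enabled security group whose only member is the sending mailbox
# (reports@contoso.com in the email example on this page).
$scope_group = "eam-report-senders@contoso.com"

# Restrict the app registration so its application permissions apply only to group members.
New-ApplicationAccessPolicy -AppId $client_id `
    -PolicyScopeGroupId $scope_group `
    -AccessRight RestrictAccess `
    -Description "Limit EntraAuthenticationMetrics app to the reporting mailbox"

# Verify the scope: AccessCheckResult should be Granted for the sender
# and Denied for a mailbox outside the group (placeholder address).
Test-ApplicationAccessPolicy -AppId $client_id -Identity "reports@contoso.com"
Test-ApplicationAccessPolicy -AppId $client_id -Identity "someone-else@contoso.com"
```

Policy changes can take some time to take effect, so rerun the `Test-ApplicationAccessPolicy` checks before relying on the restriction.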
Basic Usage
The module offers several ways to generate and share authentication insights. Here are the most common use cases:
Dashboard for All Users
For a complete view of authentication methods across your organization:
Invoke-EAMDashboardCreation -AllUsers
Use a Filter to Create a Dashboard
The filter parameter accepts Graph API queries, including advanced queries:
$domain_filter = "endsWith(userPrincipalName,'@contoso.com')"
Invoke-EAMDashboardCreation -Filter $domain_filter
Security Group Analysis
To analyze authentication methods for members of a specific security group:
$group_id = "12345678-1234-1234-1234-123456789012"
Invoke-EAMDashboardCreation -GroupId $group_id
Export Report Data
When you need the raw data for analysis or record-keeping:
$report = New-EAMAuthenticationReport -AllUsers
$report | Export-Csv -Path "auth_methods_report.csv" -NoTypeInformation
Email Distribution
To generate and email a dashboard to your team:
$dashboard_path = "$($PWD)\Entra_Authentication_Metrics_Dashboard.html"
Invoke-EAMDashboardCreation -AllUsers -InvokeDashboard:$false
Send-EAMMailMessage -To "security-team@contoso.com" -From "reports@contoso.com" -Subject "Authentication Dashboard" -Body "Dashboard attached" -Attachments $dashboard_path
The Dashboard in Action
The generated dashboard provides several useful views:
Statistics Panel
Quick overview of authentication method adoption
Percentage breakdowns of each method
Visual indicators of strong vs. weak authentication methods
User List View
Searchable user list
Status indicators for each authentication method
Filtering options for enabled/disabled methods
Method-Specific Views
Detailed view for each authentication method
User counts and percentages
Easy identification of gaps in security coverage
Practical Applications
Here are some real-world use cases for the module:
Security Baseline Assessment
Track progress toward Phishing-Resistant MFA goals
Identify users still using legacy authentication methods
Monitor adoption of security key deployments
Migration Planning
Identify users needing to upgrade authentication methods
Track progress of authentication method rollouts
Plan targeted user communications
Compliance Reporting
Generate authentication method reports for audits
Track compliance with security policies
Document authentication method coverage
Things to Keep in Mind
Like any tool, EntraAuthenticationMetrics has some limitations to be aware of:
Certificate Authentication Detection
The module detects certificate authentication based on the userCertificateIds property in Entra ID
This may not reflect all certificate mapping configurations
A warning is displayed by default (can be suppressed with -IgnoreCertificateWarning)
Performance Considerations
Large environments may experience longer dashboard generation times
Consider using filters or security groups for better performance
Progress bars are displayed for longer operations
Getting the Module
The module is open source and available through multiple channels:
Contributing
If you find the module useful and want to contribute, the project is open to:
Bug reports and feature requests through GitHub issues
Pull requests for improvements
Documentation enhancements
Conclusion
EntraAuthenticationMetrics fills a specific need in Entra ID identity and access management – providing clear visibility into authentication method usage. While it's not a complete security solution, it's a practical tool for understanding and improving your organization's authentication landscape.
Whether you're planning a security key deployment, tracking MFA adoption, or preparing for an audit, having clear visibility into your authentication methods is valuable. This module aims to make that visibility more accessible.