Merge pull request #915 from divya-akula/GetGraphUsers

Get graph users , retrieves unmasked users

Author: pkbullock

scripts/graph-connect-to-graph/assets/sample.json

@@ -55,4 +55,4 @@
       }
     ]
   }
-]
+]

scripts/graph-get-mfa-user-number/README.md

@@ -0,0 +1,300 @@
+# Export Entra ID User MFA Phone Details (Unmasked) to CSV
+
+This PowerShell script enumerates users in Microsoft Entra ID (formerly Azure AD) and retrieves their **Multi-Factor Authentication (MFA) / phone authentication methods** using Microsoft Graph.  
+Unlike standard user directory properties that return **masked** phone numbers, this script queries the **Authentication Phone Methods API**, which returns the **actual configured MFA phone number**, and exports the data to CSV.
+
+This is useful for administrators who need to reconcile MFA phone numbers, validate ownership, or support audit and migration activities.
+
+> ⚠️ **Security Notice**  
+> MFA phone numbers are sensitive data. Ensure correct governance, storage protection, and access controls when running or distributing this script.
+
+
+## ✨ Features
+
+- Retrieves Microsoft Entra ID users  
+- Calls the Graph `authentication/phoneMethods` endpoint to return **unmasked MFA phone numbers**
+- Cleans and normalizes phone numbers (digits-only format included)
+- Supports **app-only authentication** using OAuth2 client credentials
+- Exports structured output to CSV containing:
+  - `DisplayName`
+  - `UserPrincipalName`
+  - `LDAPUserName` (`onPremisesSamAccountName`)
+  - `PhoneNumber`
+  - `CleanedPhone` (digits only)
+
+---
+
+## 🔐 Required Microsoft Graph Permissions (Application / App-Only)
+
+Create an App Registration and grant **admin-consented** Graph API permissions such as:
+
+- `AuthenticationMethod.Read.All`  
+  **or**
+- `AuthenticationMethods.Read.All`
+- `User.Read.All`
+- `Directory.Read.All`
+
+> Use least-privilege permissions and validate in a non-production tenant first.
+
+## 🧰 Prerequisites
+
+- **PowerShell 7+ (recommended)**
+- Install required modules:
+
+```powershell
+Install-Module -Name Microsoft.Graph -Scope CurrentUser -AllowClobber
+Install-Module -Name PnP.PowerShell -Scope CurrentUser
+```
+
+- An Azure AD application with the required application permissions (granted by an administrator).
+- Suggested Graph application permissions (app-only) you'll likely need:
+  - Authentication Methods / phone read permission (e.g., AuthenticationMethods.Read.All or AuthenticationMethods.ReadWrite.All) — grant admin consent.
+  - User read permissions (User.Read.All) — grant admin consent.
+  - Directory.Read.All - grant admin consent
+
+Note: permission names sometimes vary between SDKs and portal UI; grant the minimal required app permissions and test in a non-production tenant first.
+
+## ⚙️ Authentication & Security
+
+The script securely prompts for the following values at runtime:
+
+- **Tenant ID**
+- **Client ID**
+- **Client Secret**
+- **Output CSV path**
+
+No credentials or secrets are stored in the script.
+
+Authentication is performed using the **OAuth2 client credentials flow** against Microsoft Graph.
+
+> 🔐 **Security Best Practice**  
+> Use least-privileged access, store secrets securely, and rotate credentials regularly.
+
+---
+
+## ▶️ How It Works
+
+1. Authenticates to Microsoft Graph using the App Registration  
+2. Retrieves users via:
+
+   ```powershell
+   Get-MgUser
+   ```
+3. Queries each user’s authentication phone methods using:
+   https://graph.microsoft.com/v1.0/users/{id}/authentication/phoneMethods
+4. Extracts the configured MFA phone number(s)
+
+5. Normalizes phone values (including a digits-only variant)
+
+6. Exports the results to CSV
+
+---
+
+## 📄 Output Columns
+
+| Column | Description |
+|--------|-------------|
+| **DisplayName** | User display name |
+| **UserPrincipalName** | Sign-in name |
+| **LDAPUserName** | `onPremisesSamAccountName` |
+| **PhoneNumber** | Full MFA phone number |
+| **CleanedPhone** | Digits-only version of the phone |
+
+Additional properties such as `@odata.type` may be included if required.
+
+---
+
+## ▶️ Running the Script
+
+Run the script in PowerShell:
+
+```powershell
+.\Export-UserMfaPhoneDetails.ps1
+```
+## 🛠 Troubleshooting
+
+- **No phone number returned**  
+  The user does not have any phone-based MFA method configured.
+
+- **403 – Permission Denied**  
+  Verify that the App Registration has the required **admin-consented** Microsoft Graph permissions.
+
+- **Rate limiting / throttling**  
+  For large tenants, implement retry logic with exponential back-off when calling Microsoft Graph.
+
+- **Masked phone values appear**  
+  Ensure the script is querying the **Authentication Phone Methods API** and not user profile attributes.
+
+---
+
+## 🔄 Suggested Enhancements
+
+- Replace raw REST calls with Microsoft Graph PowerShell SDK equivalents
+- Secure credentials using environment variables or Azure Key Vault
+- Add structured logging and verbose tracing
+- Introduce paging and server-side filtering to limit user scope
+- Implement retry and resilience policies for Graph calls
+- Optionally upsert results into a SharePoint List
+
+---
+
+## 🛡 Governance & Data Handling
+
+Because this script retrieves **unmasked MFA phone numbers**, ensure that:
+
+- Script execution is restricted to authorized administrators
+- Exported CSV files are encrypted and stored securely
+- Data retention policies are followed
+- Script usage and access are auditable
+
+Treat MFA phone numbers as **confidential information**.
+
+---
+
+## 📝 Script 
+
+# [Microsoft Graph PowerShell](#tab/graphps)
+
+```powershell
+<#
+.SYNOPSIS
+    Export Entra ID user MFA phone details (unmasked) to CSV.
+
+.DESCRIPTION
+    Retrieves MFA phone authentication methods from Microsoft Graph
+    using app-only authentication and exports the full MFA phone number
+    along with user metadata to CSV.
+
+    Warning: Output contains sensitive authentication data.
+#>
+
+# ================================
+# Get access token (interactive)
+# ================================
+function Get-UserToken {
+    # Read from user
+    $TenantId  = Read-Host "Enter Tenant Id (Directory Id / GUID)"
+    $ClientId  = Read-Host "Enter Client Id (App Registration Id)"
+    $SecSecret = Read-Host "Enter Client Secret" 
+
+    # Convert secure string to plain text for token request
+    $Body = @{ 
+        grant_type    = "client_credentials"
+        scope         = "https://graph.microsoft.com/.default"
+        client_id     = $ClientId
+        client_secret = $SecSecret
+    }
+
+    try {
+        $TokenResponse = Invoke-RestMethod -Method Post `
+            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
+            -Body $Body -ErrorAction Stop
+
+        $AccessToken = $TokenResponse.access_token
+        Write-Host "Access Token Obtained Successfully" -ForegroundColor Green
+        return $AccessToken
+    }
+    catch {
+        Write-Error "Failed to obtain access token: $($_.Exception.Message)"
+        throw
+    }
+}
+
+# ================================
+# Export MFA phone details to CSV
+# ================================
+function Export-UserMfaPhoneDetailsToCsv {
+    param (
+        [Parameter(Mandatory)]
+        [string]$AccessToken,
+
+        [Parameter(Mandatory)]
+        [string]$OutputPath
+    )
+
+    $headers = @{
+        Authorization = "Bearer $AccessToken"
+        'Content-Type' = 'application/json'
+    }
+
+    # Helper: clean phone (digits only)
+    function CleanPhone {
+        param([string]$p)
+        if ([string]::IsNullOrWhiteSpace($p)) { return '' }
+        return ($p.ToCharArray() | Where-Object { [char]::IsDigit($_) }) -join ''
+    }
+
+    # Get all users (UPN starts with 'T')
+    $users = Get-MgUser -All -Property "displayName,userPrincipalName,onPremisesSamAccountName,Id" 
+         Write-Host "Retrieved $($users.Count) users from Graph" -ForegroundColor Cyan
+
+    $results = @()
+
+    foreach ($u in $users) {
+        $userId      = $u.id
+        $displayName = $u.displayName
+        $upn         = $u.userPrincipalName
+        $ldapUser    = $u.onPremisesSamAccountName   # This is your LDAP username
+
+        $pmUrl = "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($userId))/authentication/phoneMethods"
+        try {
+            $pm = Invoke-RestMethod -Headers $headers -Uri $pmUrl -Method Get -ErrorAction Stop
+        }
+        catch {
+            Write-Verbose "Failed phoneMethods for $upn : $($_.Exception.Message)"
+            continue
+        }
+       # Write-Host $pm.value
+        if (-not $pm.value) {
+            # No phone methods: still record the user if you want them in the CSV
+            $results += [PSCustomObject]@{
+                DisplayName       = $displayName
+                UserPrincipalName = $upn
+                LDAPUserName      = $ldapUser
+                PhoneNumber       = $null
+                CleanedPhone      = $null
+            }
+            continue
+        }
+
+        foreach ($m in $pm.value) {
+            $phone      = $m.phoneNumber
+            $cleaned    = CleanPhone $phone
+
+            $results += [PSCustomObject]@{
+                DisplayName       = $displayName
+                UserPrincipalName = $upn
+                LDAPUserName      = $ldapUser
+                PhoneNumber       = $phone
+                CleanedPhone      = $cleaned
+            }
+        }
+    }
+
+    # Write to CSV
+    $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
+    Write-Host $results.Count
+    Write-Host "Exported $($results.Count) rows to $OutputPath" -ForegroundColor Green
+}
+
+# ================================
+# Main
+# ================================
+$token = Get-UserToken
+
+$outputPath = Read-Host "Enter full path for CSV output (e.g. C:\Temp\MfaUserData.csv)"
+
+Export-UserMfaPhoneDetailsToCsv -AccessToken $token -OutputPath $outputPath
+```
+
+[!INCLUDE [More about Microsoft Graph PowerShell SDK](../../docfx/includes/MORE-GRAPHSDK.md)]
+***
+
+## Contributors
+
+| Author(s) |
+|-----------|
+| [Divya Akula](https://github.com/divya-akula)|
+
+[!INCLUDE [DISCLAIMER](../../docfx/includes/DISCLAIMER.md)]
+<img src="https://m365-visitor-stats.azurewebsites.net/script-samples/scripts/graph-get-mfa-user-number" aria-hidden="true" />

scripts/graph-get-mfa-user-number/assets/example.png

@@ -0,0 +1,26 @@
+DisplayName,UserPrincipalName,LDAPUserName,PhoneNumber,CleanedPhone
+Adele Vance,AdeleV@5kswv1.onmicrosoft.com,,,
+Divya Akula,akula.divya_gmail.com#EXT#@5kswv1.onmicrosoft.com,,,
+Alex Wilber,AlexW@5kswv1.onmicrosoft.com,,,
+Diego Siciliani,DiegoS@5kswv1.onmicrosoft.com,,,
+Dinesh Akula,DineshAkula@5kswv1.onmicrosoft.com,,,
+Divya Akula,divya.akula_tarento.com#EXT#@5kswv1.onmicrosoft.com,,,
+Divya Akula,divya@5kswv1.onmicrosoft.com,,+91 99999999,919999999999
+Divya Akula,divyaakula_m365devtoy.onmicrosoft.com#EXT#@5kswv1.onmicrosoft.com,,,
+Grady Archie,GradyA@5kswv1.onmicrosoft.com,,,
+Hajira  Begum,hajira.begum_tarento.com#EXT#@5kswv1.onmicrosoft.com,,,
+Hajira,Hajira@5kswv1.onmicrosoft.com,,,
+Henrietta Mueller,HenriettaM@5kswv1.onmicrosoft.com,,,
+Isaiah Langer,IsaiahL@5kswv1.onmicrosoft.com,,,
+Johanna Lorenz,JohannaL@5kswv1.onmicrosoft.com,,,
+Joni Sherman,JoniS@5kswv1.onmicrosoft.com,,,
+Lee Gu,LeeG@5kswv1.onmicrosoft.com,,,
+Lidia Holloway,LidiaH@5kswv1.onmicrosoft.com,,,
+Lynne Robbins,LynneR@5kswv1.onmicrosoft.com,,,
+Megan Bowen,MeganB@5kswv1.onmicrosoft.com,,,
+Miriam Graham,MiriamG@5kswv1.onmicrosoft.com,,,
+Nestor Wilke,NestorW@5kswv1.onmicrosoft.com,,,
+Patti Fernandez,PattiF@5kswv1.onmicrosoft.com,,,
+User,powerplatform_devtarento.onmicrosoft.com#EXT#@5kswv1.onmicrosoft.com,,,
+Pradeep Gupta,PradeepG@5kswv1.onmicrosoft.com,,,
+test user,testuer@5kswv1.onmicrosoft.com,,,

scripts/graph-get-mfa-user-number/assets/preview.png

@@ -0,0 +1,61 @@
+[
+  {
+    "name": "graph-get-mfa-user-number",
+    "source": "pnp",
+    "title": "Export Entra ID User MFA Phone Details (Unmasked) to CSV",
+    "shortDescription": "This PowerShell script enumerates users in Microsoft Entra ID (formerly Azure AD) and retrieves their **Multi-Factor Authentication (MFA) / phone authentication methods** using Microsoft Graph.",
+    "url": "https://pnp.github.io/script-samples/graph-get-mfa-user-number/README.html",
+    "longDescription": [
+      ""
+    ],
+    "creationDateTime": "2026-01-10",
+    "updateDateTime": "2026-01-10",
+    "products": [
+      "Graph"
+    ],
+    "metadata": [
+      {
+        "key": "PNP-POWERSHELL",
+        "value": "1.11.0"
+      },
+      {
+        "key": "GRAPH-POWERSHELL",
+        "value": "1.0.0"
+      }
+    ],
+    "categories": [
+      "Report"
+    ],
+    "tags": [
+      "<Cmdlets-Used>"
+    ],
+    "thumbnails": [
+      {
+        "type": "image",
+        "order": 100,
+        "url": "https://raw.githubusercontent.com/pnp/script-samples/main/scripts/graph-get-mfa-user-number/assets/preview.png",
+        "alt": "Preview of the sample Export Entra ID User MFA Phone Details (Unmasked) to CSV"
+      }
+    ],
+    "authors": [
+      {
+        "gitHubAccount": "divya-akula",
+        "company": "",
+        "pictureUrl": "https://github.com/divya-akula.png",
+        "name": "Divya Akula"
+      }
+    ],
+    "references": [
+      {
+        "name": "Want to learn more about PnP PowerShell and the cmdlets",
+        "description": "Check out the PnP PowerShell site to get started and for the reference to the cmdlets.",
+        "url": "https://aka.ms/pnp/powershell"
+      },
+      {
+        "name": "Want to learn more about Microsoft Graph PowerShell SDK and the cmdlets",
+        "description": "Check out the Microsoft Graph PowerShell SDK documentation site to get started and for the reference to the cmdlets.",
+        "url": "https://learn.microsoft.com/graph/powershell/get-started"
+      }
+    ]
+  }
+]