Problem statement
How can a list of users be retrieved with a specific type of MFA enrollment (otp, sms, etc…)?
Solution
There is no single endpoint that returns this data directly, but it can still be retrieved.
First, query the user via the Management API and check whether the user.multifactor array is non-empty.
There are two ways to accomplish this:
- Use the User Search endpoint to fetch all existing users and, in the backend, check whether each user profile has items in the user.multifactor array. This array only indicates whether the user is enrolled in any MFA factor: it contains "guardian" if they are, and is empty if they are not, e.g.:
    "multifactor": [
        "guardian"
    ],
- Export all users using the User Export endpoint and process the result the same way in the backend.
To then check which authenticators a user is enrolled with, make an additional call for each of those users to the /api/v2/users/{id}/authentication-methods endpoint.
The type property of each returned authentication method shows the authenticator type. Possible values are:
    recovery-code, totp, push, guardian, sms, phone, email, webauthn-roaming, webauthn-platform
There is no single endpoint with this data because the MFA enrollment details reside in a different database from the user profiles.
When writing a script, be sure to honour the rate-limiting headers so the script runs smoothly and is not throttled:
- x-ratelimit-limit: The maximum number of requests available in the current time frame.
- x-ratelimit-remaining: The number of remaining requests in the current time frame.
- x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.