Last Updated: Dec 4, 2024
Overview
This article provides steps to retrieve a list of users with a specific type of Multi-factor Authentication (MFA) enrollment, such as One-Time Password (OTP) or SMS.
Applies To
- Multi-factor Authentication (MFA)
- User Reports
Solution
Although no single endpoint returns this data, there is still a way to retrieve it.
First, query a user via the Management API and check whether the user.multifactor array is not empty.
There are two ways to accomplish this:
- Use the User search endpoint to fetch all existing users and process the response in the backend by checking whether the user profile has items under the user.multifactor array. The array contains just "guardian" if the user is enrolled in any MFA and is empty if they are not. For example:
"multifactor": [
"guardian"
],
- Export all users using the User Export endpoint and process it in a similar way through the backend.
To then check what authenticators the user is enrolled with, make additional calls for each of the users with the /api/v2/users/{id}/authentication-methods endpoint.
The type property will show what authenticators users are enrolled with:
[recovery-code, totp, push, guardian, sms, phone, email, webauthn-roaming, webauthn-platform]
When creating a script, be sure to take account of the rate-limiting headers so the script runs smoothly:
- x-ratelimit-limit: The maximum number of requests available in the current time frame.
- x-ratelimit-remaining: The number of remaining requests in the current time frame.
- x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.
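The whole procedure above as one script, added here as an illustration and not Auth0's own code: list users, skip those with an empty multifactor array, query authentication-methods for the rest, and pause according to the rate-limit headers. Assumptions: `get` is a hypothetical transport you supply that performs an authenticated GET and returns (status, headers with lowercase names, parsed JSON); the user list is paged with `page`/`per_page`; the sample users and `fake_get` are constructed so the block runs offline.

```python
import time
from urllib.parse import quote, unquote

def call(get, path, params=None, sleep=time.sleep, now=time.time):
    """GET through the injected transport, honouring the rate-limit headers."""
    while True:
        status, headers, body = get(path, params or {})
        remaining = int(headers.get("x-ratelimit-remaining", 1))
        reset = int(headers.get("x-ratelimit-reset", 0))
        if status == 429 or remaining == 0:
            sleep(max(reset - now(), 0) + 1)  # wait for the window to reset
        if status == 429:
            continue                          # rejected request: retry it
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        return body

def users_with_mfa_type(get, mfa_type, per_page=50, **kw):
    """Return the user_ids enrolled with an authenticator of mfa_type."""
    matches, page = [], 0
    while True:
        users = call(get, "/api/v2/users", {"page": page, "per_page": per_page}, **kw)
        for user in users:
            if not user.get("multifactor"):   # empty or absent: no MFA enrolled
                continue
            uid = quote(user["user_id"], safe="")
            methods = call(get, f"/api/v2/users/{uid}/authentication-methods", **kw)
            if any(m.get("type") == mfa_type for m in methods):
                matches.append(user["user_id"])
        if len(users) < per_page:             # short page: no more users
            return matches
        page += 1

# Constructed sample data standing in for a tenant (not real users).
SAMPLE_USERS = [
    {"user_id": "auth0|a1", "multifactor": ["guardian"]},
    {"user_id": "auth0|b2", "multifactor": []},
    {"user_id": "auth0|c3", "multifactor": ["guardian"]},
]
SAMPLE_METHODS = {"auth0|a1": [{"type": "totp"}, {"type": "recovery-code"}],
                  "auth0|c3": [{"type": "sms"}]}

def fake_get(path, params):
    """Offline stand-in for an authenticated GET (hypothetical transport)."""
    headers = {"x-ratelimit-remaining": "5", "x-ratelimit-reset": "0"}
    if path == "/api/v2/users":
        start = params["page"] * params["per_page"]
        return 200, headers, SAMPLE_USERS[start:start + params["per_page"]]
    return 200, headers, SAMPLE_METHODS.get(unquote(path.split("/")[4]), [])
```

Calling `users_with_mfa_type(fake_get, "sms")` returns the users whose only second factor is SMS in the sample data; against a real tenant, replace `fake_get` with a function that sends the request with a Management API token.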