
Dig a little deeper into passkey/FIDO attestation

In a previous post I listed how to get an authenticator's metadata: (1) its aaGuid and (2) its attestation certificates (Graph's attestationCertificates property). As a recap, the Microsoft Graph (MG) PowerShell below shows that metadata for a user who has registered both a YubiKey and a Microsoft Authenticator passkey, followed by its output.

$rm = Get-MgUserAuthenticationMethod -UserId someuser@somedomain.onmicrosoft.com
$rm | ForEach-Object {
    $auth = $_.AdditionalProperties
    if ($auth["@odata.type"] -match "fido2")
    {
        #-- Quote the arrow so it is printed literally instead of being parsed by PowerShell
        Write-Host "$($auth['displayName']) -> $($auth['model'])"
        Write-Host "   aaGuid:" $auth["aaGuid"]
        #-- Thumbprints of the attestation certificates presented at registration
        $auth["attestationCertificates"] | ForEach-Object {Write-Host "  " $_}
    }
}

Authenticator: Default Profile -> Microsoft Authenticator - Android
   aaGuid: de1e552d-db1d-4423-a619-566b625cdc84
   52f7bc999ac1fda8a66583b977efd533231c74c1
   cb9ddb7a548985af125ac24d9649861e5be57fff
   706aa2ee5426bcc572a9df36634752c1fb2aff1a
yubikey -> Security Key NFC by Yubico
   aaGuid: e77e3c64-05e3-428b-8824-0cbeb04b829d
   3f8f4f839dae2d157a7f4a365f6fcddf1a650ad1

The FIDO Alliance maintains a metadata service (MDS) whose database can be downloaded from https://mds3.fidoalliance.org/; the download is a single file called blob.jwt, a signed JWT. To read it:

Install-Module -Name JWTDetails -Scope AllUsers
$jwt = Get-Content .\blob.jwt -Raw
$jwt | Get-JWTDetails            #-- Show the summary (this only decodes the JWT; it does not verify its signature)
$json = $jwt | Get-JWTDetails    #-- Decoded payload; the authenticators are under .entries

#-- It does not contain the Microsoft Authenticator
$msftaaguid = "de1e552d-db1d-4423-a619-566b625cdc84"
$json.entries | where {$_.aaguid -eq $msftaaguid} #-- Returns nothing

#-- But it does have yubikey
$yubikeyaaguid = "e77e3c64-05e3-428b-8824-0cbeb04b829d"
$json.entries | where {$_.aaguid -eq $yubikeyaaguid}
$metadata = ($json.entries | where {$_.aaguid -eq $yubikeyaaguid}).metadataStatement
$metadata | fl
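As an added example (my own code, not from the original post or the JWTDetails module), the script below decodes blob.jwt without that module, verifies the JWT's RS256 signature with the signing certificate carried in its x5c header and builds that certificate's chain, then cross-checks every FIDO2 method Graph returns for the user against the MDS entries. The function names are mine; the entry fields used (aaguid, statusReports, metadataStatement.attestationTypes, attestationRootCertificates) follow the MDS3 layout, and the user and file path are the post's placeholders.

```powershell
function ConvertFrom-Base64Url([string]$s) {
    # JWT segments use the base64url alphabet without padding; restore both.
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function Get-MdsBlob([string]$Path) {
    $h, $p, $sig = (Get-Content -Path $Path -Raw).Trim().Split('.')
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $h)) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $p)) | ConvertFrom-Json
    if ($header.alg -ne 'RS256') { throw "Unexpected JWT alg '$($header.alg)'" }
    # x5c[0] is the signing certificate; anything after it is an intermediate.
    $certs = @($header.x5c | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($_)) })
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($certs[0])
    $sigOk = $rsa.VerifyData([Text.Encoding]::ASCII.GetBytes("$h.$p"), (ConvertFrom-Base64Url $sig),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    # A good signature only ties the blob to its embedded leaf; the chain must also end at the
    # root FIDO publishes for the MDS, so compare RootThumbprint against that published value.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    foreach ($c in ($certs | Select-Object -Skip 1)) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $chainOk = $chain.Build($certs[0])
    [pscustomobject]@{
        SignatureValid = $sigOk
        ChainValid     = $chainOk
        RootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        Entries        = $payload.entries
    }
}

function Get-MdsEntry($Blob, [string]$Aaguid) {
    $e = $Blob.Entries | Where-Object { $_.aaguid -eq $Aaguid }
    if (-not $e) { return [pscustomobject]@{ Aaguid = $Aaguid; InMds = $false } }
    $m = $e.metadataStatement
    $latest = $e.statusReports | Sort-Object effectiveDate | Select-Object -Last 1   # most recent status
    [pscustomobject]@{
        Aaguid = $Aaguid; InMds = $true; Description = $m.description
        AttestationTypes = ($m.attestationTypes -join ',')
        LatestStatus     = $latest.status
        RootCertCount    = @($m.attestationRootCertificates).Count
    }
}

$blob = Get-MdsBlob -Path .\blob.jwt
"Signature valid: $($blob.SignatureValid); chain valid: $($blob.ChainValid); root: $($blob.RootThumbprint)"
Get-MgUserAuthenticationMethod -UserId someuser@somedomain.onmicrosoft.com |
    Where-Object { $_.AdditionalProperties['@odata.type'] -match 'fido2' } |
    ForEach-Object { Get-MdsEntry -Blob $blob -Aaguid $_.AdditionalProperties['aaGuid'] } | Format-Table -AutoSize
```

An authenticator with InMds = False (the Microsoft Authenticator passkey above) has no MDS metadata statement and therefore no published attestation roots to check its attestation against, which is the point of the lookup.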
