Issue
A Red Canary admin would like to identify users who do not have two-factor authentication or MFA enabled. We attempted to run the audit log for enabled and disabled but no users populated.
The admin confirmed their own MFA is enabled.
What is the best method for an admin to verify which users do not have MFA enabled?
Environment
Red Canary
Resolution
An admin may view the status of MFA from the Users & Roles page. By default, MFA is enabled for all users. However, if a user has MFA disabled, the following message will be shown: "Two-factor authentication is not enabled".
Audit logs can also be leveraged with the following actions:
action:"Multi Factor Auth Enabled" and action:"Multi Factor Auth Disabled".
MFA status can also be checked via the Red Canary API:
To get the full list of Red Canary users, leverage the openapi/v3/managed_portal_users operation.
For each response, under abilities, there is an attribute called "mfa_can_be_disabled". If this value is "false", that means that MFA is not enabled for the user.
"abilities": {
    "can_be_removed": true,
    "can_be_viewed_in_admin_panel": false,
    "mfa_can_be_disabled": true,
    "invitation_can_be_resent": false,
    "invitation_can_be_cancelled": false
}
There isn't a way to filter the query to only return these users, but using a JSON to CSV converter (or just reviewing the JSON response), it would be relatively easy to identify the users who do not have MFA enabled.
API call:
curl --location -g --request GET 'https://rcsupport.my.redcanary.co/openapi/v3/managed_portal_users'
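The review step described above, as an added example that is not Red Canary's own code: it walks a saved response, applies the "mfa_can_be_disabled" rule to every object that has "abilities", and writes the users not confirmed as MFA-enabled to CSV. The "data" envelope and the "id" and "email" fields in the constructed sample are assumptions; only "abilities" and its keys come from this article.

```python
import csv
import io
import json

# Constructed sample response. Only "abilities" and its keys come from the
# article; the "data" envelope and the "id"/"email" fields are assumptions.
SAMPLE_RESPONSE = """{"data": [
  {"id": 1, "email": "a@example.test", "abilities": {"mfa_can_be_disabled": true}},
  {"id": 2, "email": "b@example.test", "abilities": {"mfa_can_be_disabled": false}},
  {"id": 3, "email": "c@example.test", "abilities": {"mfa_can_be_disabled": "false"}},
  {"id": 4, "email": "d@example.test", "abilities": {"can_be_removed": true}}
]}"""
ID_FIELDS = ("id", "email")  # assumed identifying fields; adjust to the real response

def iter_user_records(node):
    """Yield every JSON object that holds an "abilities" object, at any depth."""
    if isinstance(node, dict):
        if isinstance(node.get("abilities"), dict):
            yield node
        for value in node.values():
            yield from iter_user_records(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_user_records(item)

def mfa_status(record):
    """Article's rule: mfa_can_be_disabled == false means MFA is not enabled."""
    value = record["abilities"].get("mfa_can_be_disabled")
    if isinstance(value, str):  # tolerate "true"/"false" serialized as strings
        value = {"true": True, "false": False}.get(value.strip().lower())
    if value is False:
        return "not_enabled"
    return "enabled" if value is True else "unknown"  # missing attribute -> unknown

def audit(response_text):
    """Return one row per user: the identifying fields plus the MFA status."""
    records = iter_user_records(json.loads(response_text))
    return [{**{f: r.get(f, "") for f in ID_FIELDS}, "mfa": mfa_status(r)} for r in records]

def to_csv(rows, only_flagged=True):
    """Render rows as CSV; by default keep only users not confirmed as enabled."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[*ID_FIELDS, "mfa"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(r for r in rows if not only_flagged or r["mfa"] != "enabled")
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(audit(SAMPLE_RESPONSE)), end="")
```

To use it on real data, save the response from the API call to a file and pass the file's contents to audit() in place of SAMPLE_RESPONSE.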