Describe the bug
The lastUsedDateTime property on Hardware OATH token devices
remains null even after the token has been actively used for
MFA sign-in.
API endpoint:
GET /beta/directory/authenticationMethodDevices/hardwareOathDevices
The Entra ID sign-in logs confirm the user successfully
authenticated using the hardware OATH token, but the
lastUsedDateTime field on the device object is never updated.
Expected behavior
lastUsedDateTime should be updated to the date and time of
the most recent successful MFA authentication using this token.
How to reproduce
- Register a Hardware OATH token:
  New-MgBetaDirectoryAuthenticationMethodDeviceHardwareOathDevice `
    -BodyParameter @{ serialNumber="xxx"; secretKey="yyy"; ... }
- Assign to a user and have the user activate it via
  MySecurityInfo (https://mysignins.microsoft.com/security-info)
- Have the user sign in using the hardware OATH token as MFA.
  (Confirmed successful in Entra ID sign-in logs)
- Query the device:
  Invoke-MgGraphRequest -Method GET -Uri `
    "https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices?`$filter=serialNumber eq '{serialNumber}'"
- Observe that lastUsedDateTime is still null.
SDK Version
2.36.1
Latest version known to work for scenario above?
Unknown.
Known Workarounds
None. The sign-in logs API (/auditLogs/signIns) can show whether
a user used hardware OATH for sign-in, but cannot identify which
specific token was used when a user has multiple hardware tokens
registered.
Debug output
No response
Configuration
- OS: Windows Server 2016
- PowerShell: 7.x
- Module: Microsoft.Graph.Beta.Identity.DirectoryManagement 2.36.1
- Authentication: Certificate-based app authentication
- Permissions granted: Policy.ReadWrite.AuthenticationMethod,
UserAuthenticationMethod.ReadWrite.All, User.Read.All
Other information
- Token status confirmed as "activated" via API
- Sign-in logs confirm hardware OATH was used for authentication
- Waited over 12 hours after sign-in: field remains null
- This issue was observed using the PowerShell SDK, but may
originate in the underlying Graph API service.
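
An inventory check for the condition reported above, as an added example that is not part of the original report or the SDK project: it lists hardware OATH devices whose status is "activated" while lastUsedDateTime is null, which shows how many tokens in a tenant would be misjudged if the field were used for stale-token cleanup. It assumes an existing Connect-MgGraph session with read access to the endpoint and that the device object exposes a `status` property alongside the fields named in the report; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical and not part of the SDK.
# Assumes Connect-MgGraph has already been run with sufficient read permissions.

function Get-HardwareOathDevice {
    # Page through the beta endpoint named in the report.
    $uri = 'https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value                        # emit this page's device objects
        $uri = $page.'@odata.nextLink'     # $null on the last page ends the loop
    }
}

function Select-ActivatedNeverUsed {
    # Keep devices reported as activated whose lastUsedDateTime is null or empty.
    # Assumption: the status property is named 'status' and uses the value 'activated'.
    param([Parameter(ValueFromPipeline)] $Device)
    process {
        if ($Device.status -eq 'activated' -and -not $Device.lastUsedDateTime) {
            [pscustomobject]@{
                SerialNumber     = $Device.serialNumber
                Status           = $Device.status
                LastUsedDateTime = $Device.lastUsedDateTime
            }
        }
    }
}

# An activated token with no last-use timestamp is ambiguous while this bug is open:
# it may be genuinely unused, or used with the field never written.
Get-HardwareOathDevice | Select-ActivatedNeverUsed | Format-Table -AutoSize
```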