Forum Discussion

Han Valk
Copper Contributor
Jul 23, 2017

Force a user to re-register with Azure AD Self Service Password Reset

Is there a way to force a user to re-register with the Azure AD Self Service Password Reset as if he/she has never registered before?

Is there a way to remove the registration of a specific user or re-initialise a specific user?

  • Dusty
    Copper Contributor
    Things have changed a lot since this question was asked, but I'm also attempting to solve it.
    Microsoft has combined enrollment for SSPR with MFA. Now a user will enroll for both at the same time.
    https://techcommunity.microsoft.com/t5/azure-active-directory-identity/combined-registration-for-azure-ad-mfa-and-self-service-password/ba-p/245454

    This has caused confusion in where the methods are configured for the users.

    I've found ways to force a user to re-register their MFA methods.
    In my case, users have successfully enrolled for MFA and have the state of Enforced.

    They are not set up for SSPR yet, however. I want to trigger only that enrollment process, but it doesn't seem possible now that the MFA and SSPR enrollments are combined.
  • Jim Bryson
    Copper Contributor

    Han Valk

    I was trying to do the same task: force a user to re-register for SSPR in a lab tenant. I was able to do so by removing values from the AAD user.

    # Inspect the three registration properties (MSOnline module) before clearing them
    Get-MsolUser -UserPrincipalName user@domain.com | Select-Object AlternateEmailAddresses
    Get-MsolUser -UserPrincipalName user@domain.com | Select-Object MobilePhone
    Get-MsolUser -UserPrincipalName user@domain.com | Select-Object PhoneNumber

    After I removed data from all 3 properties, the user could no longer do SSPR. When the user goes to https://aka.ms/ssprsetup, they are prompted to register (after a successful sign-in).

    • Micki Wulffeld
      Brass Contributor

      I found a solution to this :)

      # /MWU
      # First connect to your tenant (as you usually do)
      # Output from my connect-tenant function
      # cat function:Connect-O365-PROD

      # Actual Connect-O365-PROD function
      Get-PSSession | Remove-PSSession
      $PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
      # Use this if you import script functions from a remote server; I only load the remote script in my $profile
      Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
      Connect-MsolService -Credential $PRODAdminCred
      ################## Forget the above if you are a Pro :) #######################################


      # Selected user in cloud
      $UserPrincipalName = "abc@org.com"

      # Get settings for a user with existing auth data
      $User = Get-MsolUser -UserPrincipalName $UserPrincipalName
      # Viewing the currently registered methods and which one is default
      $User.StrongAuthenticationMethods


      # Creating custom objects for the methods (set $true instead of $false on the method you want as the default)
      $m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
      $m1.IsDefault = $false
      $m1.MethodType = "OneWaySMS"

      $m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
      $m2.IsDefault = $false
      $m2.MethodType = "TwoWayVoiceMobile"

      $m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
      $m3.IsDefault = $false
      $m3.MethodType = "PhoneAppOTP"

      $m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
      $m4.IsDefault = $true
      $m4.MethodType = "PhoneAppNotification"

      # To set the user's default method for doing second factor, pass the full list:
      #$m = @($m1, $m2, $m3, $m4)

      # To force the user ONLY to re-register, without clearing their phone number or app shared secret, pass an empty list:
      $m = @()

      # Set command to define the new settings
      Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m

      # Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
      $User = Get-MsolUser -UserPrincipalName $UserPrincipalName
      $User.StrongAuthenticationMethods
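The same reset wrapped in a reusable function, added here as an example that is not from any poster in this thread: it records the user's current registration data (the properties Jim Bryson inspects plus the method list Micki clears) before clearing StrongAuthenticationMethods, supports -WhatIf for a dry run, and verifies the result. It assumes the MSOnline module and an existing Connect-MsolService session; the function name and the UPN are placeholders.

```powershell
# Added example, not from the thread. Assumes MSOnline and an active Connect-MsolService session.
function Reset-SsprRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Snapshot of what is registered right now, so the change can be audited or reported.
    $before = [pscustomobject]@{
        UserPrincipalName       = $user.UserPrincipalName
        AlternateEmailAddresses = @($user.AlternateEmailAddresses)
        MobilePhone             = $user.MobilePhone
        PhoneNumber             = $user.PhoneNumber
        Methods                 = @($user.StrongAuthenticationMethods |
            ForEach-Object { "$($_.MethodType) (default=$($_.IsDefault))" })
    }
    Write-Verbose ("Before: " + ($before | ConvertTo-Json -Compress))

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Clear StrongAuthenticationMethods")) {
        # An empty method list makes the user register again, without deleting the
        # stored phone number or app secret (this is Micki's approach from the post above).
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()

        # Read the object back and confirm the change actually landed before reporting success.
        $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
        if (@($after.StrongAuthenticationMethods).Count -ne 0) {
            throw "StrongAuthenticationMethods still populated for $UserPrincipalName"
        }
    }
    return $before
}

# Preview first (no change made), then apply. 'user@example.com' is a placeholder.
Reset-SsprRegistration -UserPrincipalName 'user@example.com' -WhatIf -Verbose
# Reset-SsprRegistration -UserPrincipalName 'user@example.com' -Verbose
```

Note that the MSOnline module these cmdlets come from has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat this as a pattern to port rather than a long-term script.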

  • Han Valk
    Copper Contributor
    Clearing the attributes like Vasil suggested does not force a user to re-register.
