Forum Discussion
Han Valk
Jul 23, 2017, Copper Contributor
Force a user to re-register with Azure AD Self Service Password Reset
Is there a way to force a user to re-register with the Azure AD Self Service Password Reset as if he/she has never registered before?
Is there a way to remove the registration of a specific user or re-initialise a specific user?
- Dusty (Copper Contributor)
Things have changed a lot since this question was asked, but I'm also attempting to solve it.
Microsoft has combined enrollment for SSPR with MFA. Now a user will enroll for both at the same time.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/combined-registration-for-azure-ad-mfa-and-self-service-password/ba-p/245454
This has caused confusion about where the methods are configured for the users.
I've found ways to force a user to re-register their MFA methods.
In my case, users have successfully enrolled for MFA and have the state of Enforced.
They are not set up for SSPR yet, however. I want to trigger only that enrollment process, but it doesn't seem possible now that the MFA and SSPR enrollments are combined.
- HeinzD (Copper Contributor)
Hi all, same problem here...
- Fernando Gualano (Copper Contributor)
Same problem! Any update?
- Jim Bryson (Copper Contributor)
I was trying to do the same task: force a user to re-register for SSPR in a lab tenant. I was able to do so by removing values from the AAD user.
Get-MsolUser -UserPrincipalName user@domain.com | select AlternateEmailAddresses
Get-MsolUser -UserPrincipalName user@domain.com | select MobilePhone
Get-MsolUser -UserPrincipalName user@domain.com | select PhoneNumber
After I removed data from all 3 properties, the user could no longer do SSPR. When the user goes to https://aka.ms/ssprsetup, they are prompted to register (after a successful sign-in).
- Micki Wulffeld (Brass Contributor)
I found a solution to this :)
# /MWU
# First connect to your tenant (as you usually do)
# Output from my connect tenant function
# cat function:Connect-O365-PROD
# Actual Connect-O365-PROD function
# $PRODAdminCred is a PSCredential obtained earlier (e.g. with Get-Credential)
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
Connect-MsolService -Credential $PRODAdminCred
##################Forget above if you are Pro :)#######################################
# Selected user in cloud
$UserPrincipalName = "abc@org.com"
# Get settings for a user with existing auth data
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
# Viewing the current (default) methods
$User.StrongAuthenticationMethods
# Creating custom objects for the default method (put $true instead of $false on the preferred method you like)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType = "OneWaySMS"
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "TwoWayVoiceMobile"
$m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType = "PhoneAppOTP"
$m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $true
$m4.MethodType = "PhoneAppNotification"
# To set the user's default method for doing the second factor, pass the full list:
#$m = @($m1, $m2, $m3, $m4)
# To force the user ONLY to re-register without clearing their phone number or app shared secret, pass an empty list:
$m = @()
# Set command to define the new settings
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m
# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone.
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
$User.StrongAuthenticationMethods
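Jim Bryson's reply clears the three SSPR contact attributes and Micki Wulffeld's reply clears the StrongAuthenticationMethods collection; in a tenant with combined registration an admin usually wants both, plus a record of what was there before the reset. The function below is an added example, not code from either poster, that does both steps in one pass behind -WhatIf/-Confirm, writes a JSON snapshot of the current values first, and reads the user back to verify the result. It assumes the MSOnline module is loaded and Connect-MsolService has already run; the snapshot folder and the user names in the usage lines are placeholders, and passing $null to clear the string attributes is an assumption to confirm in a test tenant.

```powershell
# Added example (not from the thread): reset a user's combined MFA/SSPR registration
# data with MSOnline, snapshotting the existing values first. Assumes Connect-MsolService
# has already been run with an account that can administer users.
function Reset-SsprRegistration {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,

        # Placeholder path; point this at a folder your change process keeps.
        [string]$SnapshotFolder = "$env:TEMP\sspr-snapshots"
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # 1. Record what is currently registered so the change is auditable and reversible.
    $snapshot = [pscustomobject]@{
        TakenAt                         = (Get-Date).ToString('o')
        UserPrincipalName               = $user.UserPrincipalName
        ObjectId                        = $user.ObjectId
        AlternateEmailAddresses         = @($user.AlternateEmailAddresses)
        MobilePhone                     = $user.MobilePhone
        PhoneNumber                     = $user.PhoneNumber
        StrongAuthenticationMethods     = @($user.StrongAuthenticationMethods |
                                            Select-Object MethodType, IsDefault)
        StrongAuthenticationUserDetails = $user.StrongAuthenticationUserDetails |
                                            Select-Object PhoneNumber, AlternativePhoneNumber, Email
    }
    New-Item -ItemType Directory -Path $SnapshotFolder -Force | Out-Null
    $safeName     = $UserPrincipalName -replace '[^\w.@-]', '_'
    $snapshotPath = Join-Path $SnapshotFolder "$safeName-$(Get-Date -Format yyyyMMdd-HHmmss).json"
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $snapshotPath -Encoding UTF8

    # Honour -WhatIf / -Confirm: with ConfirmImpact High this prompts unless -Confirm:$false.
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear SSPR contact attributes and registered MFA methods')) {
        return $snapshot
    }

    # 2. Clear the SSPR contact attributes (the three properties from Jim Bryson's reply).
    #    Assumption: $null clears the string-valued attributes; confirm in a test tenant.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -AlternateEmailAddresses @() -MobilePhone $null -PhoneNumber $null

    # 3. Clear the registered second-factor methods (Micki Wulffeld's approach). An empty
    #    collection means "no registered methods", so combined registration prompts again.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()

    # 4. Read the user back and verify; any non-zero count or $false here means the
    #    reset did not fully apply and the snapshot shows what is still present.
    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName        = $after.UserPrincipalName
        SnapshotPath             = $snapshotPath
        RemainingMethods         = @($after.StrongAuthenticationMethods).Count
        RemainingAlternateEmails = @($after.AlternateEmailAddresses).Count
        MobilePhoneCleared       = [string]::IsNullOrEmpty($after.MobilePhone)
        PhoneNumberCleared       = [string]::IsNullOrEmpty($after.PhoneNumber)
    }
}

# Dry run first (placeholder user), then the real change:
# Reset-SsprRegistration -UserPrincipalName 'user@example.com' -WhatIf
# Reset-SsprRegistration -UserPrincipalName 'user@example.com' -Confirm:$false
```

Two caveats worth checking before using this outside a lab: for directory-synchronized users the phone attributes are authored in on-premises AD and Set-MsolUser will refuse to change them, so step 2 has to happen on-premises while step 3 still works in the cloud; and the MSOnline module the whole thread relies on has since been deprecated in favour of Microsoft Graph PowerShell, so treat this as the MSOnline-era version of the procedure.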
- Han Valk (Copper Contributor)
Clearing the attributes like Vasil suggested does not force a user to re-register.
Hi !
Review your eligible accounts.
Get-MsolUser -UserPrincipalName admin@soft.onmicrosoft.com | select PasswordNeverExpires
More about passwords and password expiration policies:
https://support.office.com/en-us/article/Change-how-often-passwords-expire-in-Office-365-for-Small-Business-d479e71a-f59d-4b2c-9036-755f7b0ff7cf?omkt=en-US&ui=en-US&rs=en-US&ad=US
- Han Valk (Copper Contributor)
My question has nothing to do with password expiring.
- Charles Derber (Brass Contributor)
Hi Han,
Did you try the following, clearing the user data as Vasil suggested?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data
Maybe you could try and test with a new user.
You can clear the SSPR data via PowerShell, the relevant attributes are listed here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data
- Dean_Gross (Silver Contributor)
If they have not registered, re-registration does not seem applicable to me, so I'm a little bit confused by your question, but you may find this helpful: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data