Microsoft Graph: Add support for "Require re-register MFA"

It appears that Microsoft has released a new Entra PowerShell module that uses Graph API. There's this command:

Reset-EntraStrongAuthenticationMethodByUpn

However, it doesn't seem to do anything. Anyone had any luck with that?

The new undocumented endpoint is the solution but its in alpha and usage is restricted to whitelisted apps.

Any update? I really need it badly!

Following the above comment the new graph endpoint seems to be 

https://graph.microsoft.com/beta/users/{UserID}/authentication/methods/resetTraditionalAuthenticationMethods

This returns a 204 when invoked via the Entra ID portal but so far I've been unable to call this endpoint outside of there e.g. postman. I am still trying to figure out which permissions would be required...

{
    "error": {
        "code": "accessDenied",
        "message": "Request Authorization failed",
        "innerError": {
            "message": "Request Authorization failed",
            "date": "2024-01-12T09:45:39",
            "request-id": "X",
            "client-request-id": "X"
        }
    }
}

Everyone reading, open devtools and click require re-register, there's a Graph call there since about a week or two!

Guys, here's my script how I handle it with MGGraph Powershell Module.

the three methods that need to be cleared are "Microsoft Authenticator", "Phone" and "SoftwareOATH".

As mentioned by MarkF70 you can only clear default method if its the last one. So, the script checks for the error and removes it at the end.

$UserID = "UPN"

    # Get Authentication Methods
    $MicrosoftAuthenticatorMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserID $UserID
    $PhoneMethods = Get-MgUserAuthenticationPhoneMethod -UserID $UserID
    $SoftwareOathMethods = Get-MgUserAuthenticationSoftwareOathMethod -UserID $UserID

        # Remove Software OAth Method
        foreach ($SoftwareOathMethod in $SoftwareOathMethods){
        $SoftwareOathMethodID = $SoftwareOathMethod.id
            try {
                Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $SoftwareOathMethodID -UserId $UserID -ErrorAction Stop
                Write-Host "Successfully removed Software OAth Method" $SoftwareOathMethodID
            }
            catch {
                $DefaultID = $SoftwareOathMethodID
                $Method = "SoftwareOAth"
            }
        }

        # Remove Phone Method
        foreach ($PhoneMethod in $PhoneMethods){
        $PhoneMethodID = $PhoneMethod.id
            try {   
                Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $PhoneMethodID -UserID $UserID -ErrorAction Stop
                Write-Host "Successfully removed Phone Method" $PhoneMethodID
            }
            catch {
                $DefaultID = $PhoneMethodID
                $Method = "Phone"
            }          
        }

        #Remove Microsoft Authenticator Method
        foreach ($MicrosoftAuthenticatorMethod in $MicrosoftAuthenticatorMethods){
        $MicrosoftAuthenticatorMethodID = $MicrosoftAuthenticatorMethod.id
            try {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $MicrosoftAuthenticatorMethodID -UserId $UserID -ErrorAction Stop
                Write-Host "Successfully removed Microsoft Authenticator Method" $MicrosoftAuthenticatorMethodID
            }
            catch {
                $DefaultID = $MicrosoftAuthenticatorMethodID
                $Method = "MicrosoftAuthenticator"
            }
        }


        #Remove DefaultID

        if ($Method -like "MicrosoftAuthenticator"){
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $DefaultID -UserId $UserID
            Write-Host "Successfully removed Microsoft Authenticator Method" $DefaultID
        }

        elseif ($Method -like "Phone"){
            Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $DefaultID -UserID $UserID
            Write-Host "Successfully removed Phone Method" $DefaultID
        }

        elseif ($Method -like "SoftwareOAth"){
            Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $DefaultID -UserId $UserID
            Write-Host "Successfully removed Software OAth Method" $DefaultID
        }

Still an upvote from my side as a single command would be much better 🙂
At least, we have a workaround now.

Currently using the deprecated MSOL method via a runbook to achieve this and, because there are so many new methods since the days of MSOL, I also use Graph to identify and clear those at the user's request.

Would love to get it all under one module rather than have to rely on deprecated modules to manage half a million accounts with MFA along with all their little issues with replacing devices, etc.

up-vote 

I too would like a rest endpoint to /requireReregister

POST https://graph.microsoft.com/beta/users/{id | userPrincipalName }/authentication/methods/requireReregister

While we can add powershell support to our existing automations, I would prefer not to deploy a deprecating solution.

Adding in my support for this!

I'd also like to add my support for this function in Microsoft Graph!