Microsoft Graph: Add support for "Require re-register MFA"
Currently, "Require re-register MFA" can only be set through the portal (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options), or via PowerShell using:
Set-MsolUser -UserPrincipalName username -StrongAuthenticationMethods @()
Please add support for this in the Microsoft Graph API.
34 Comments
- duscu2 (Copper Contributor)
It appears that Microsoft has released a new Entra PowerShell module that uses Graph API. There's this command:
Reset-EntraStrongAuthenticationMethodByUpn
However, it doesn't seem to do anything. Anyone had any luck with that?
- rvdwegen (Copper Contributor)
The new undocumented endpoint is the solution, but it's in alpha and usage is restricted to whitelisted apps.
- Oscarcc (Copper Contributor)
Any update? I really need it badly!
- DanNewton (Copper Contributor)
Following the above comment the new graph endpoint seems to be
https://graph.microsoft.com/beta/users/{UserID}/authentication/methods/resetTraditionalAuthenticationMethods
This returns a 204 when invoked via the Entra ID portal, but so far I've been unable to call this endpoint outside of there, e.g. Postman. I am still trying to figure out which permissions would be required...
{
  "error": {
    "code": "accessDenied",
    "message": "Request Authorization failed",
    "innerError": {
      "message": "Request Authorization failed",
      "date": "2024-01-12T09:45:39",
      "request-id": "X",
      "client-request-id": "X"
    }
  }
}
- rvdwegen (Copper Contributor)
Everyone reading, open devtools and click require re-register, there's a Graph call there since about a week or two!
- PhilippSinger (Copper Contributor)
Guys, here's my script for how I handle it with the MgGraph PowerShell module.
The three methods that need to be cleared are "Microsoft Authenticator", "Phone" and "SoftwareOATH".
As mentioned by MarkF70, you can only clear the default method if it's the last one. So, the script checks for the error and removes it at the end.

$UserID = "UPN"

# Get Authentication Methods
$MicrosoftAuthenticatorMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserID
$PhoneMethods = Get-MgUserAuthenticationPhoneMethod -UserId $UserID
$SoftwareOathMethods = Get-MgUserAuthenticationSoftwareOathMethod -UserId $UserID

# Remove Software OATH Method
foreach ($SoftwareOathMethod in $SoftwareOathMethods) {
    $SoftwareOathMethodID = $SoftwareOathMethod.id
    try {
        Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $SoftwareOathMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Software OAth Method" $SoftwareOathMethodID
    } catch {
        # Removal is refused while this is still the default method; remember it and remove it last
        $DefaultID = $SoftwareOathMethodID
        $Method = "SoftwareOAth"
    }
}

# Remove Phone Method
foreach ($PhoneMethod in $PhoneMethods) {
    $PhoneMethodID = $PhoneMethod.id
    try {
        Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $PhoneMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Phone Method" $PhoneMethodID
    } catch {
        $DefaultID = $PhoneMethodID
        $Method = "Phone"
    }
}

# Remove Microsoft Authenticator Method
foreach ($MicrosoftAuthenticatorMethod in $MicrosoftAuthenticatorMethods) {
    $MicrosoftAuthenticatorMethodID = $MicrosoftAuthenticatorMethod.id
    try {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $MicrosoftAuthenticatorMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Microsoft Authenticator Method" $MicrosoftAuthenticatorMethodID
    } catch {
        $DefaultID = $MicrosoftAuthenticatorMethodID
        $Method = "MicrosoftAuthenticator"
    }
}

# Remove the default method now that it is the last one left
if ($Method -like "MicrosoftAuthenticator") {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Microsoft Authenticator Method" $DefaultID
} elseif ($Method -like "Phone") {
    Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Phone Method" $DefaultID
} elseif ($Method -like "SoftwareOAth") {
    Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Software OAth Method" $DefaultID
}
Still an upvote from my side as a single command would be much better 🙂
At least, we have a workaround now.
- KevinPinel (Brass Contributor)
Currently using the deprecated MSOL method via a runbook to achieve this and, because there are so many new methods since the days of MSOL, I also use Graph to identify and clear those at the user's request.
Would love to get it all under one module rather than have to rely on deprecated modules to manage half a million accounts with MFA along with all their little issues with replacing devices, etc.
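A generalized form of the clearing approach in the two comments above, added here as an example (not the commenters' script and not Microsoft's code): it discovers whatever methods the user has registered with Get-MgUserAuthenticationMethod, deletes the three types named in the thread through Invoke-MgGraphRequest, and retries whichever deletion Graph refuses (the current default method) in a later pass instead of hard-coding the order. It assumes an existing Connect-MgGraph session with the UserAuthenticationMethod.ReadWrite.All scope, and the UPN in the usage line is a placeholder.

```powershell
# Added example, not from the thread. Assumes:
#   Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
# has already been run in this session.

# Map each method's @odata.type to its Graph v1.0 collection segment.
# Only these three are touched; password, FIDO2 and other types are left alone.
$MethodCollections = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.phoneAuthenticationMethod'                  = 'phoneMethods'
    '#microsoft.graph.softwareOathAuthenticationMethod'           = 'softwareOathMethods'
}

function Reset-UserMfaMethods {
    param(
        [Parameter(Mandatory)] [string] $UserId   # UPN or object id
    )

    # Discover registered methods and keep only the types we know how to delete.
    $Pending = @(Get-MgUserAuthenticationMethod -UserId $UserId |
        Where-Object { $MethodCollections.ContainsKey($_.AdditionalProperties['@odata.type']) })

    $Removed = @()
    # Each pass deletes what it can. A method that fails (the current default) is retried
    # once the others are gone. A pass with no progress means a real error, so stop.
    while ($Pending.Count -gt 0) {
        $StillPending = @()
        foreach ($m in $Pending) {
            $segment = $MethodCollections[$m.AdditionalProperties['@odata.type']]
            $uri = "https://graph.microsoft.com/v1.0/users/$UserId/authentication/$segment/$($m.Id)"
            try {
                Invoke-MgGraphRequest -Method DELETE -Uri $uri -ErrorAction Stop
                $Removed += "$segment/$($m.Id)"
            } catch {
                $StillPending += $m
                $LastError = $_
            }
        }
        if ($StillPending.Count -eq $Pending.Count) {
            throw "No progress removing methods for $UserId; last error: $($LastError.Exception.Message)"
        }
        $Pending = $StillPending
    }
    return $Removed   # references of the removed methods, for the change record
}

# Usage (placeholder UPN):
# Reset-UserMfaMethods -UserId 'user@example.com' | ForEach-Object { Write-Host "Removed $_" }
```

Because the deletions are logged by method reference, the output can be kept alongside the helpdesk ticket that requested the reset.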
- ds-tdx (Copper Contributor)
up-vote
I too would like a REST endpoint at /requireReregister:
POST https://graph.microsoft.com/beta/users/{id | userPrincipalName }/authentication/methods/requireReregister
While we can add PowerShell support to our existing automations, I would prefer not to deploy a deprecating solution.
- yogeshasalkar777 (Copper Contributor)
Adding in my support for this!
- theMichael (Copper Contributor)
I'd also like to add my support for this function in Microsoft Graph!