gabeluci's avatar
gabeluci
Iron Contributor
Jan 14, 2022
Status:
New

Microsoft Graph: Add support for "Require re-register MFA"

Currently, "Require re-register MFA" can only be set https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options, or via Pow...
Microsoft Graph
PhilippSinger's avatar
PhilippSinger
Copper Contributor
Nov 14, 2023

Guys, here's my script how I handle it with MGGraph Powershell Module.

the three methods that need to be cleared are "Microsoft Authenticator", "Phone" and "SoftwareOATH".

As mentioned by MarkF70 you can only clear default method if its the last one. So, the script checks for the error and removes it at the end.

 

$UserID = "UPN"

    # Get Authentication Methods
    $MicrosoftAuthenticatorMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserID $UserID
    $PhoneMethods = Get-MgUserAuthenticationPhoneMethod -UserID $UserID
    $SoftwareOathMethods = Get-MgUserAuthenticationSoftwareOathMethod -UserID $UserID

        # Remove Software OAth Method
        foreach ($SoftwareOathMethod in $SoftwareOathMethods){
        $SoftwareOathMethodID = $SoftwareOathMethod.id
            try {
                Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $SoftwareOathMethodID -UserId $UserID -ErrorAction Stop
                Write-Host "Successfully removed Software OAth Method" $SoftwareOathMethodID
            }
            catch {
                $DefaultID = $SoftwareOathMethodID
                $Method = "SoftwareOAth"
            }
        }

        # Remove Phone Method
        foreach ($PhoneMethod in $PhoneMethods){
        $PhoneMethodID = $PhoneMethod.id
            try {   
                Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $PhoneMethodID -UserID $UserID -ErrorAction Stop
                Write-Host "Successfully removed Phone Method" $PhoneMethodID
            }
            catch {
                $DefaultID = $PhoneMethodID
                $Method = "Phone"
            }          
        }

        #Remove Microsoft Authenticator Method
        foreach ($MicrosoftAuthenticatorMethod in $MicrosoftAuthenticatorMethods){
        $MicrosoftAuthenticatorMethodID = $MicrosoftAuthenticatorMethod.id
            try {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $MicrosoftAuthenticatorMethodID -UserId $UserID -ErrorAction Stop
                Write-Host "Successfully removed Microsoft Authenticator Method" $MicrosoftAuthenticatorMethodID
            }
            catch {
                $DefaultID = $MicrosoftAuthenticatorMethodID
                $Method = "MicrosoftAuthenticator"
            }
        }


        #Remove DefaultID

        if ($Method -like "MicrosoftAuthenticator"){
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $DefaultID -UserId $UserID
            Write-Host "Successfully removed Microsoft Authenticator Method" $DefaultID
        }

        elseif ($Method -like "Phone"){
            Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $DefaultID -UserID $UserID
            Write-Host "Successfully removed Phone Method" $DefaultID
        }

        elseif ($Method -like "SoftwareOAth"){
            Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $DefaultID -UserId $UserID
            Write-Host "Successfully removed Software OAth Method" $DefaultID
        }

 

 

Still an upvote from my side as a single command would be much better 🙂
At least, we have a workaround now.