gabeluci
Jan 14, 2022, Iron Contributor
Status: New
Microsoft Graph: Add support for "Require re-register MFA"
Currently, "Require re-register MFA" can only be set via https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options, or via Pow...
PhilippSinger
Nov 14, 2023, Copper Contributor
Guys, here's my script for how I handle it with the MgGraph PowerShell module.
The three methods that need to be cleared are "Microsoft Authenticator", "Phone" and "SoftwareOATH".
As mentioned by MarkF70, you can only clear the default method if it's the last one. So, the script checks for the error and removes it at the end.
# Sign in with the permission required to read and delete a user's authentication methods
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$UserID = "UPN"      # replace with the user's UPN or object ID
$DefaultID = $null   # ID of the method whose delete failed (assumed to be the default method)
$Method = $null      # type of that method, used for the final retry

# Get Authentication Methods
$MicrosoftAuthenticatorMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserID
$PhoneMethods = Get-MgUserAuthenticationPhoneMethod -UserId $UserID
$SoftwareOathMethods = Get-MgUserAuthenticationSoftwareOathMethod -UserId $UserID

# Remove Software OATH Methods
# Deleting the default method fails while other methods exist, so remember it and retry at the end
foreach ($SoftwareOathMethod in $SoftwareOathMethods) {
    $SoftwareOathMethodID = $SoftwareOathMethod.Id
    try {
        Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $SoftwareOathMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Software OATH Method" $SoftwareOathMethodID
    }
    catch {
        $DefaultID = $SoftwareOathMethodID
        $Method = "SoftwareOath"
    }
}

# Remove Phone Methods
foreach ($PhoneMethod in $PhoneMethods) {
    $PhoneMethodID = $PhoneMethod.Id
    try {
        Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $PhoneMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Phone Method" $PhoneMethodID
    }
    catch {
        $DefaultID = $PhoneMethodID
        $Method = "Phone"
    }
}

# Remove Microsoft Authenticator Methods
foreach ($MicrosoftAuthenticatorMethod in $MicrosoftAuthenticatorMethods) {
    $MicrosoftAuthenticatorMethodID = $MicrosoftAuthenticatorMethod.Id
    try {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $MicrosoftAuthenticatorMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Microsoft Authenticator Method" $MicrosoftAuthenticatorMethodID
    }
    catch {
        $DefaultID = $MicrosoftAuthenticatorMethodID
        $Method = "MicrosoftAuthenticator"
    }
}

# Remove DefaultID (it is now the last remaining method, so the delete is allowed)
# -ErrorAction Stop makes a failure here terminate the script instead of printing a false success message
if ($Method -eq "MicrosoftAuthenticator") {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $DefaultID -UserId $UserID -ErrorAction Stop
    Write-Host "Successfully removed Microsoft Authenticator Method" $DefaultID
}
elseif ($Method -eq "Phone") {
    Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $DefaultID -UserId $UserID -ErrorAction Stop
    Write-Host "Successfully removed Phone Method" $DefaultID
}
elseif ($Method -eq "SoftwareOath") {
    Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $DefaultID -UserId $UserID -ErrorAction Stop
    Write-Host "Successfully removed Software OATH Method" $DefaultID
}
Still an upvote from my side as a single command would be much better 🙂
At least, we have a workaround now.
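An added example, not PhilippSinger's script and not Microsoft's own tooling, that does the same reset in a more general form: it discovers the three method types with a single Get-MgUserAuthenticationMethod call, retries whatever failed (the default method) once the others are gone, and reports anything still left so a failed reset is not mistaken for a completed one. It assumes the Microsoft.Graph.Identity.SignIns module, a Connect-MgGraph session with UserAuthenticationMethod.ReadWrite.All, and a constructed placeholder UPN; the function name and the type-to-cmdlet table are this example's, the cmdlets are the SDK's.

```powershell
$UserId = "user@contoso.example"   # constructed placeholder, replace with the real UPN or object ID

# Map the @odata.type reported by Get-MgUserAuthenticationMethod to the per-type
# delete cmdlet (Graph has no generic DELETE for an authentication method).
$Removers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { param($u, $id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id -ErrorAction Stop }
    '#microsoft.graph.phoneAuthenticationMethod'                  = { param($u, $id) Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id -ErrorAction Stop }
    '#microsoft.graph.softwareOathAuthenticationMethod'           = { param($u, $id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id -ErrorAction Stop }
}

# Hypothetical helper: list only the method types this script knows how to delete
function Get-RemovableMethods([string]$u) {
    Get-MgUserAuthenticationMethod -UserId $u |
        Where-Object { $Removers.ContainsKey($_.AdditionalProperties['@odata.type']) } |
        ForEach-Object { [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type'] } }
}

$pending = @(Get-RemovableMethods $UserId)
Write-Host "Before: $($pending.Count) removable method(s) registered for $UserId"

# Pass 1 deletes everything it can; the default method is expected to fail and
# stays in $pending. Pass 2 runs when only that one remains. Retries are bounded
# so a method that keeps failing for another reason (permissions, throttling)
# is reported instead of being silently skipped.
for ($pass = 1; $pass -le 3 -and $pending.Count -gt 0; $pass++) {
    $failed = @()
    foreach ($m in $pending) {
        try {
            & $Removers[$m.Type] $UserId $m.Id
            Write-Host "Pass ${pass}: removed $($m.Type.Split('.')[-1]) $($m.Id)"
        }
        catch {
            $failed += $m   # most likely the default method; retried next pass
        }
    }
    $pending = $failed
}

if ($pending.Count -gt 0) {
    Write-Warning "Could not remove: $($pending | ForEach-Object { "$($_.Type) $($_.Id)" })"
}
Write-Host "After: $(@(Get-RemovableMethods $UserId).Count) removable method(s) remain for $UserId"
```

Because the Graph SDK cmdlets support -WhatIf, appending it to the three Remove-* calls in the table turns this into a dry run that only lists what would be deleted.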