%3CLINGO-SUB%20id%3D%22lingo-sub-1257359%22%20slang%3D%22en-US%22%3EManage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257359%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99ve%20had%20a%20ton%20of%20requests%20for%20APIs%20to%20manage%20users%E2%80%99%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-authentication-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eauthentication%20methods%3C%2FA%3E.%20That%E2%80%99s%20why%20it%20is%20so%20cool%20that%20today%20I%20get%20to%20announce%20that%20the%20first%20set%20of%20these%20APIs%20has%20reached%20beta%20in%20Microsoft%20Graph!%20Michael%20McLaughlin%2C%20one%20of%20our%20Identity%20team%20program%20managers%2C%20has%20written%20a%20guest%20blog%20post%20with%20information%20about%20the%20new%20APIs%20and%20how%20to%20get%20started.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20we%E2%80%99d%20love%20to%20hear%20any%20feedback%20or%20suggestions%20you%20may%20have.%20Please%20let%20us%20know%20what%20you%20think%20in%20the%20comments%20below%20or%20on%20the%20Azure%20Active%20Directory%20(Azure%20AD)%20feedback%20forum.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20Regards%2C%3C%2FP%3E%0A%3CP%3EAlex%20Simons%3C%2FP%3E%0A%3CP%3ECorporate%20Vice%20President%20Program%20Management%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%0A%3CP%3E---------------------------------------%3C%2FP%3E%0A%3CP%3EHi%20everyone%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99m%20thrilled%20to%20tell%20you%20about%20the%20new%20Azure%20AD%20authentication%20method%20APIs.%20These%20APIs%20are%20a%20key%20tool%20to%20manage%20your%20users%E2%80%99%20authentication%20methods.%20Now%20you%20can%20programmatically%20pre-register%20and%20manage%20the%20authenticators%20used%20for%20MFA%20and%20self-service%20password%20reset%20(SSPR).%20This%20has%20been%20one%20of%20the%20most-requested%20features%20in%20the%20Azure%20MFA%2C%20SSPR%2C%20and%20Microsoft%20Graph%20spaces.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20APIs%20we%E2%80%99ve%20released%20in%20this%20wave%20give%20you%20the%20ability%20to%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERead%2C%20add%2C%20update%2C%20and%20remove%20a%20user%E2%80%99s%20authentication%20phones.%3C%2FLI%3E%0A%3CLI%3EReset%20a%20user%E2%80%99s%20password.%3C%2FLI%3E%0A%3CLI%3ETurn%20on%20and%20off%20SMS%20sign-in.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWe%20will%20be%20adding%20support%20for%20all%20authentication%20methods%20in%20the%20coming%20months.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20come%20at%20a%20crucial%20time.%20The%20shift%20to%20remote%20work%20driven%20by%20the%20COVID-19%20pandemic%20has%20created%20unique%20complications%20for%20getting%20users%20registered%20for%20MFA%20and%20SSPR.%20Admins%20tell%20us%20that%20they%20don%E2%80%99t%20want%20users%20registering%20from%20potentially%20unsafe%20locations%2C%20but%20they%20do%20need%20to%20get%20users%20registered%20as%20soon%20as%20possible%20to%20get%20them%20protected.%20These%20APIs%20give%20you%20the%20ability%20to%20register%20your%20users%20and%20set%20them%20up%20to%20do%20MFA%20via%20SMS%20immediately%20without%20requiring%20them%20to%20register%20themselves%20from%20beyond%20your%20corporate%20network.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20APIs%20can%20be%20called%20by%20Global%20administrators%2C%20%3CSTRONG%3EPrivileged%20authentication%3C%2FSTRONG%3E%20administrators%2C%20%3CSTRONG%3EAuthentication%3C%2FSTRONG%3E%20administrators%20(recommended)%2C%20and%20%3CSTRONG%3EGlobal%20readers%3C%2FSTRONG%3E%20(can%20only%20use%20the%20read%20APIs).%20The%20ability%20to%20manage%20other%20users%E2%80%99%20authentication%20methods%20is%20very%20powerful%2C%20so%20be%20sure%20to%20require%20MFA%20for%20these%20roles!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%E2%80%99s%20an%20example%20of%20adding%20a%20phone%20number%20for%20a%20user%20by%20posting%20to%20a%20user%E2%80%99s%20phone%20methods%20URL%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%2F%253cUPN%253e%2Fauthentication%2FphoneMethods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%2F%3CUPN%3E%2Fauthentication%2FphoneMethods%3C%2FUPN%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20body%2C%20you%20pass%20in%20the%20type%20of%20phone%20(for%20example%2C%20%E2%80%9Cmobile%E2%80%9D)%20and%20the%20number%2C%20and%20in%20the%20response%20you%20get%20back%20the%20full%20phone%20number%20entity%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22API.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195113iF6B9889BBD7DD269%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22API.png%22%20alt%3D%22API.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20out%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2130302%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20tutorial%3C%2FA%3E%20to%20get%20you%20started%2C%20and%20to%20learn%20more%2C%20check%20out%20the%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2128078%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20authentication%20methods%20API%20overview%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20reading.%20We%20hope%20these%20APIs%20help%20you%20in%20the%20work%20you%E2%80%99re%20doing%20today%2C%20and%20we%E2%80%99re%20hard%20at%20work%20expanding%20the%20range%20of%20authentication%20method%20APIs%20available%20to%20make%20them%20even%20more%20useful%20for%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAll%20the%20best%2C%3C%2FP%3E%0A%3CP%3EMichael%20McLaughlin%3C%2FP%3E%0A%3CP%3EProgram%20Manager%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1257359%22%20slang%3D%22en-US%22%3E%3CP%3EManage%20user%20authentication%20methods%20using%20APIs%20in%20Microsoft%20Graph!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1257359%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EProduct%20Announcements%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1424350%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1424350%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20can%20we%20expect%20support%20for%20application%20permissions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1424618%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1424618%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B-%20no%20ETA%20I%20can%20share%20but%20it's%20in%20development.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1424840%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1424840%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3BI%20was%20going%20to%20ask%20the%20exact%20same%20question%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3CP%3EAny%20tips%20to%20automate%20this%20in%20the%20meantime%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1425990%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1425990%22%20slang%3D%22en-US%22%3E%3CP%3EWould%20this%20feature%20eventually%20be%20added%20to%20the%20AzureAD%20module%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20could%20probably%20write%20something%20up%20to%20do%20it%20out%20of%20PoSH%20but%20a%20cmdlet%20would%20be%20easier%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426248%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426248%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BEven%20though%20documentation%20says%20not%20supported%20for%20application%20permission%2C%20I%20do%20see%20it%20as%20an%20available%20permission%2C%20haven't%20tested%20yet%20but%20its%20there%3A%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorJan%20Vidar%20Elven_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22UserAuthMethodAppPermission.png%22%20style%3D%22width%3A%20790px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195316i411913AAEDC42DF3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22UserAuthMethodAppPermission.png%22%20alt%3D%22UserAuthMethodAppPermission.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426255%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426255%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9324%22%20target%3D%22_blank%22%3E%40Jan%20Vidar%20Elven%3C%2FA%3E%26nbsp%3BI've%20tested%20this.%20You'll%20get%3A%3CEM%3E%3CSTRONG%3E%20%22user%20not%20authenticated%3C%2FSTRONG%3E%3C%2FEM%3E%22%26nbsp%3B%20when%20you%20run%20the%20API's.%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsad_40x40_1.gif%22%20alt%3D%22%3Asad%3A%22%20title%3D%22%3Asad%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426314%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426314%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20I've%20tested%20now%20myself%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F470541%22%20target%3D%22_blank%22%3E%40JanBakker330%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3Banother%20issue%20I%20see%2C%20I've%20used%20delegated%20permission%20with%20my%20B2B%20Guest%20account%20to%20a%20tenant%20where%20I%20am%20Global%20Administrator.%20In%20this%20case%20I%20also%20get%20%22user%20not%20authenticated%22.%20Is%20this%20by%20design%20or%20should%20this%20work%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1440873%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1440873%22%20slang%3D%22en-US%22%3E%3CP%3Ewhen%20i%20try%20to%20run%20this%20as%20Global%20Admin%20i%20get%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%22error%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22code%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22directory_read_unauthorized%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22message%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22User%20does%20not%20have%20permissions%20to%20manage%20this%20data.%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22innerError%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22request-id%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22a0ccc2ef-64dc-49b8-9a03-6d0e9a71d2cf%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22date%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%222020-06-04T16%3A24%3A53%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1440922%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1440922%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F689170%22%20target%3D%22_blank%22%3E%40Mark_Steele%3C%2FA%3E%26nbsp%3Byou%20should%20first%20assign%20the%20right%20permissions%20to%20the%20user.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fgraph%2Fpermissions-reference%23user-authentication-method-permissions-preview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUserAuthenticationMethod.ReadWrite.All%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1440940%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1440940%22%20slang%3D%22en-US%22%3E%3CP%3EIm%20trying%20to%20figure%20that%20part%20out%20now.%26nbsp%3B%20Under%20permissions%20i%20don't%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fgraph%2Fpermissions-reference%23user-authentication-method-permissions-preview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUserAuthenticationMethod.ReadWrite.All%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%26nbsp%3Bavailable%20for%20consent.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1443556%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1443556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F689170%22%20target%3D%22_blank%22%3E%40Mark_Steele%3C%2FA%3E%26nbsp%3B-%20are%20you%20using%20Graph%20Explorer%3F%20We've%20become%20aware%20that%20the%20permissions%20aren't%20showing%20up%20there%20and%20we're%20working%20on%20that%20right%20now.%20I'll%20update%20this%20space%20when%20that's%20fixed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9324%22%20target%3D%22_blank%22%3E%40Jan%20Vidar%20Elven%3C%2FA%3E%26nbsp%3B-%20I'm%20reaching%20out%20privately%20re%3A%20your%20error.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F470541%22%20target%3D%22_blank%22%3E%40JanBakker330%3C%2FA%3E%26nbsp%3B-%20best%20plan%20for%20automation%20is%20wait%20for%20app-only!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1446974%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1446974%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3BI%20can%20confirm%20that%20I%20also%20can't%20see%20any%26nbsp%3B%3CEM%3EUserAuthenticationMethod.ReadWrite.All-%3C%2FEM%3Epermissions.%20I'll%20be%20sure%20to%20try%20this%20again%20later%20when%20it's%20working%20again.%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1448995%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1448995%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3Byes%20I'm%20using%20Graph%20Explorer.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20Any%20chance%20we%20will%20be%20able%20to%20update%20their%20contact%20email%20in%20the%20future%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1450008%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1450008%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20this%20a%20sign%20that%20we%20soon%20will%20be%20able%20to%2C%20via%20the%20GUI%2C%20stage%20all%20our%20users%20mobile%20numbers%20in%20to%20MFA%20and%20then%20maybe%20mandate%20sms%20as%20default%2Fstarting%20MFA%20method%20(which%20would%20be%20used%20for%20further%20MFA%20access%20and%20registration%20of%20the%20other%20MFA%20methods)%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1475289%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1475289%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3BIn%20the%20post%20method%2C%20it%20keeps%20run%20query%20and%20it%20failed%20after%20some%20time%20.%20Get%20is%20working%20not%20post%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1475119%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20your%20authentication%20phone%20numbers%20and%20more%20in%20new%20Microsoft%20Graph%20beta%20APIs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1475119%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20is%20not%20working%20for%20the%20POST%20method%2C%20im%20able%20to%20get%20input%20for%20GET%20method%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPost%20method%20is%20just%20loop%20and%20no%20data%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks!

 

We’ve had a ton of requests for APIs to manage users’ authentication methods. That’s why it is so cool that today I get to announce that the first set of these APIs has reached beta in Microsoft Graph! Michael McLaughlin, one of our Identity team program managers, has written a guest blog post with information about the new APIs and how to get started.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure Active Directory (Azure AD) feedback forum.

 

Best Regards,

Alex Simons

Corporate Vice President Program Management

Microsoft Identity Division

---------------------------------------

Hi everyone,

 

I’m thrilled to tell you about the new Azure AD authentication method APIs. These APIs are a key tool to manage your users’ authentication methods. Now you can programmatically pre-register and manage the authenticators used for MFA and self-service password reset (SSPR). This has been one of the most-requested features in the Azure MFA, SSPR, and Microsoft Graph spaces.

 

The new APIs we’ve released in this wave give you the ability to:

 

  • Read, add, update, and remove a user’s authentication phones.
  • Reset a user’s password.
  • Turn on and off SMS sign-in.

We will be adding support for all authentication methods in the coming months.

 

These come at a crucial time. The shift to remote work driven by the COVID-19 pandemic has created unique complications for getting users registered for MFA and SSPR. Admins tell us that they don’t want users registering from potentially unsafe locations, but they do need to get users registered as soon as possible to get them protected. These APIs give you the ability to register your users and set them up to do MFA via SMS immediately without requiring them to register themselves from beyond your corporate network.

 

These APIs can be called by Global administrators, Privileged authentication administrators, Authentication administrators (recommended), and Global readers (can only use the read APIs). The ability to manage other users’ authentication methods is very powerful, so be sure to require MFA for these roles!

 

Here’s an example of adding a phone number for a user by posting to a user’s phone methods URL:

https://graph.microsoft.com/beta/users/<UPN>/authentication/phoneMethods

 

In the body, you pass in the type of phone (for example, “mobile”) and the number, and in the response you get back the full phone number entity:

 

API.png

 

Check out this tutorial to get you started, and to learn more, check out the Azure AD authentication methods API overview.

 

Thanks for reading. We hope these APIs help you in the work you’re doing today, and we’re hard at work expanding the range of authentication method APIs available to make them even more useful for you.

 

All the best,

Michael McLaughlin

Program Manager

Microsoft Identity Division

 

37 Comments

When can we expect support for application permissions?

@Vasil Michev - no ETA I can share but it's in development.

Contributor

@Vasil Michev @Michael McLaughlin I was going to ask the exact same question :smile:

Any tips to automate this in the meantime? 

Contributor

Would this feature eventually be added to the AzureAD module? 

 

I could probably write something up to do it out of PoSH but a cmdlet would be easier :)

@Vasil Michev Even though documentation says not supported for application permission, I do see it as an available permission, haven't tested yet but its there:

 

UserAuthMethodAppPermission.png

Contributor

@Jan Vidar Elven I've tested this. You'll get: "user not authenticated"  when you run the API's. :sad:

Yes, I've tested now myself @JanBakker330.

 

@Michael McLaughlin another issue I see, I've used delegated permission with my B2B Guest account to a tenant where I am Global Administrator. In this case I also get "user not authenticated". Is this by design or should this work?

Frequent Visitor

when i try to run this as Global Admin i get this:

 

"error": {
"code": "directory_read_unauthorized",
"message": "User does not have permissions to manage this data.",
"innerError": {
"request-id": "a0ccc2ef-64dc-49b8-9a03-6d0e9a71d2cf",
"date": "2020-06-04T16:24:53"
}
Contributor

@Mark_Steele you should first assign the right permissions to the user. 

UserAuthenticationMethod.ReadWrite.All 

Frequent Visitor

Im trying to figure that part out now.  Under permissions i don't see UserAuthenticationMethod.ReadWrite.All  available for consent.

 

@Mark_Steele - are you using Graph Explorer? We've become aware that the permissions aren't showing up there and we're working on that right now. I'll update this space when that's fixed.

 

@Jan Vidar Elven - I'm reaching out privately re: your error.

 

@JanBakker330 - best plan for automation is wait for app-only! 

Senior Member

Thanks @Michael McLaughlin I can confirm that I also can't see any UserAuthenticationMethod.ReadWrite.All-permissions. I'll be sure to try this again later when it's working again. :smile:

Frequent Visitor

@Michael McLaughlin yes I'm using Graph Explorer. 

 

Also, Any chance we will be able to update their contact email in the future?

 

Thanks.

New Contributor

Is this a sign that we soon will be able to, via the GUI, stage all our users mobile numbers in to MFA and then maybe mandate sms as default/starting MFA method (which would be used for further MFA access and registration of the other MFA methods)?

Thanks

Frequent Contributor

It is not working for the POST method, im able to get input for GET method

 

Post method is just loop and no data

Frequent Contributor

@Michael McLaughlin In the post method, it keeps run query and it failed after some time . Get is working not post

@Simon Håkansson @Mark_Steele - Graph Explorer should have all of the required permissions available now!

 

@Mark_Steele - we're working on making all authentication methods available via this API set. That includes the authentication email, which is used solely for self-service password reset.

 

@Aengus Moran - you'll definitely be able to do those things via the API! We're still working out specific plans for what will and won't be built into the UX.

 

@Sankarasubramanian Parameswaran - that's a really odd issue, we haven't heard any similar reports. Could you reach out to me directly in a private message with more details?

Frequent Contributor

@Michael McLaughlin  Thank you. It worked after some time. Do you have option for the bulk register. we have more than 5000 users not registered for MFA

@Sankarasubramanian Parameswaran great to hear, thanks for the update. With this API, if you have the usernames and phone numbers, you can script that registration. It's also available in the Microsoft Graph Powershell module if you're more comfortable working in Powershell. 

Frequent Visitor

@Michael McLaughlin  I can confirm this works now as well.  Awesome

 

Now as @Sankarasubramanian Parameswaran asked what would be the best way to bulk update about 7,000 users.

 

Thanks,

Markus

 

Frequent Contributor

@Michael McLaughlin I will check the option in Graph api. As we said, we have more than 5000 users and we need to automate this

Frequent Visitor

Does this work for application permission? we have an automated process between HR and AzureAD which updates users mobile number, we would like to automate this part using application permissions,  is it solved?

Frequent Visitor

I'm able to connect to graph now an update authentication methods for phone number via Graph PowerShell.  I just can't find any information on what -"PhoneAuthenticationMethodId <String>" .  When i look up  detail for the command im provided a link that is dead: https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.authenticationmethods/up....

When i run the command i do see a phone ID and it appears to be same for all:

 

Get-MgUserAuthenticationPhoneMethod -UserId 259089c6-10b8-4164-b537-XXXXXXXX

Id PhoneNumber PhoneType SmsSignInState
-- ----------- --------- --------------
3179e48a-750b-4051-897c-87b9720928f7 +1 5xx9xxxx55 mobile notAllowedByPolicy

Frequent Visitor

When i try to get using  application permissions i get following error:

 

httpGet:

https://graph.microsoft.com/beta/users/objectId/authentication/phoneMethods

 

{
  "error": {
    "code""unauthenticated",
    "message""The user is unauthenticated.",
    "innerError": {
      "message""The user is unauthenticated.",
      "date""2020-06-22T15:38:47",
      "request-id""8e93deea-7e34-4f56-8c3c-3be41e086751"
    }
  }
}
Frequent Visitor

Mark_Steele_0-1592841818376.png

@Maqsood Ali Bhatti   Make sure to consent permissions.

@Maqsood Ali Bhatti and @belaie - app-only permissions aren't ready yet, but we're working on them.

 

@Mark_Steele - each auth method has an ID that's unique in the context of the user. Some are reused for each user/method, and some are globally unique.

Frequent Visitor

@Michael McLaughlin  Thanks for updates; we will do with app permissons so what is ETA?

@Maqsood Ali Bhatti No ETA I can share today, but I'll update here when it's ready!

Frequent Visitor

@Michael McLaughlin  Fantastic ! Looking forward

Frequent Visitor

@Michael McLaughlin is there a list of global authentication methods?

 

Also, are there examples of using Graph Powershell with Update-MgUserAuthenticationPhoneMethod?

Hi All, 

 

Is it normal for the phone number be obfuscated? I mean I added a phone number to an user and now when I request the List endpoint I get the phone number like this "phoneNumber":"+XX XXXXXXXX01","phoneType":"mobile","smsSignInState":"notSupported".

I can only see the last two digits of the number, and I also get notSupported for smsSignInState. So, I'm unsure if the number was added correctly or I did something wrong.

Yes, the number is obfuscated for authentication admins. It should be visible for global admins, privileged authentication admins, and global readers.

@Michael McLaughlin Thank you for the update. I do have only authentication admin role, this explains the obfuscation.

Another question I have is in regards the SSPR. For the user I've mentioned before, I can see in Azure that the column SSPR Registered displays "Not Registered", however, the column SSPR Enabled display "Enabled".

Is there a way to pre-register the user for SSPR using the API?

It is worth mentioning that the columns MFA Registered displays "Registered" and the Methods Registered displays "Mobile phone".


 

@JeffersonGomes When you use the API to register a number for the user, it should be available for use in SSPR if the SSPR policy has "Mobile phone" and/or "Office phone" checked on as appropriate. For your user, I suspect one of two things. Either 1) your SSPR policy is set to two methods required to reset, or 2) your user is an admin, in which case the built-in admin policy applies. In either case, the user needs two methods to reset a password, and registering just one thing won't get them to a "registered" state. If neither apply here, let me know.

Frequent Visitor

@Michael McLaughlin  I'm trying to figure out how to right this Graph PowerShell Command to update Contact Method command but have been unable to fine any examples on how to do it.  I believe I want to use this command to add or replace users phone number.

 

Update-MgUserAuthenticationPhoneMethod -UserId 259089c6-10b8-4164-b537-0058b24459b7 -Id 3179e48a-750b-4051-897c-87b9720928f7 -phonenumber "+1 5409446666"

 

Supply values for the following parameters:
PhoneAuthenticationMethodId:  

 

I'm not sure what the difference is from "-ID" vs "-PhoneAuthenticationMethodId"

 

 

New Contributor

@Michael McLaughlin Looking forward to read /write Authentication phone on all users through Powershell Graph API in the near future :)  When the Graph permissions have been fixed. 
( i tried to assign & admin concent to all userauthmethods in both Delegation & Application scope. but nothing wordked :(

Frequent Visitor

I have had no luck trying to get this to work, not sure if anyone else has?

 

Update-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId "3179e48a-750b-4051-897c-87b9720928f7" -UserId "259089c6-10b8-4164-b537-0058b24459b7" -PhoneNumber "+1 5404444444" -PhoneType "mobile"

Update-MgUserAuthenticationPhoneMethod : {"Message":"No HTTP resource was found that matches the request URI 'https://mface.windowsazure.com/odata/users('259089c6-10b8-4164-b537-0058b24459b7%407fef86bb-a3b9-46e... type was found that matches the controller named 'users'."}
At line:1 char:1
+ Update-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ UserId = 2590...icationMethod }:<>f__AnonymousType12`3) [Update-MgU
serAu..._UpdateExpanded], Exception
+ FullyQualifiedErrorId : UnknownError,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUserAuthenticationPhoneMethod_Up

dateExpanded