Microsoft Graph: Add support for "Require re-register MFA"

83 Upvotes

Jan 14 2022
33 Comments

Currently, "Require re-register MFA" can only be set in the Azure Portal, or via PowerShell using:

Set-MsolUser -UserPrincipalName username -StrongAuthenticationMethods @()

Please add support for this in the Microsoft Graph API.

Comments
Copper Contributor

Need graph API to achieve non interactive logins to prevent possible brute force attack and basic authentication


Copper Contributor

Need this feature in Graph API as well in order to make administration module services without user interaction in the Azure Portal or Powershell.

Copper Contributor

This is an absolute must!  Since this is currently only possible in the v1 MSOnline module and since that module does not support authentication using an app registration, once basic auth goes away, this will no longer be possible to automate.

Copper Contributor

Our organization, like many, has experienced considerable flux in our IT infrastructure these last couple of years.  While it is possible that some change in vendors or licensing of products may remediate some of the utility that a change like this requested feature would provide; it is still absolutely a missing feature hindering efforts to stabilize our user management processes in the shifting landscape we find ourselves in.  I have no practice with or even well defined lines of communication into developer communities, but I wanted to at least add my thought here, somewhere, anywhere, with my little squeak of consternation into the void.


Thank you for your consideration,

Robert

Brass Contributor

Come on Microsoft, you want to get rid of basic auth, so the way with MSOnline is not an option anymore. Get a Graph API going for this. 

We want to be able to do this with PowerShell, GUI isn't an option.

Copper Contributor

This should be the highest priority for Microsoft regardless of how many votes it gets here, as MSOnline will stop working in October when basic authentication stops working, leaving us with no alternative. Between now and October Microsoft should have an alternative (such as Graph or the V2 AzureAD module). We already updated all our scripts to Graph and V2 AzureAD commands using an app registration. We're about 3 months away from the deadline and I'm not going to go back and use basic authentication in order to automate "require re-registration for MFA". I'd rather not automate it temporarily and wait for Microsoft to provide a better alternative. Why this isn't a priority for Microsoft when they know the deadline is October is a mystery to me.

Copper Contributor

Adding my support for this!

Copper Contributor

Adding in my support for this!

Copper Contributor

Adding in my support for this!

Copper Contributor

Also looking for this

Brass Contributor

I think it's about time this one gets done, right?

Basic auth is deprecated. We should have an alternative.

Copper Contributor

Any news from someone on this? Definitely looking into a solution for this.

Copper Contributor

Any news on this?

Copper Contributor

I could really do with this. It's preventing some automation cases I am working on. Is there an ETA for this being added?

Steel Contributor

You can remove authentication methods, including MFA methods, using Graph:

Azure AD authentication methods API overview - Microsoft Graph v1.0 | Microsoft Learn

Brass Contributor

@bart vermeersch Those are still REST API calls; we want MgGraph cmdlets to set/edit this information.

Copper Contributor

Hi @Ron Ron,

Read auth methods:

Get-MgUserAuthenticationMethod

Remove auth methods (you have to use the correct cmdlet for each auth type), e.g.:

Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod

If you remove all MFA-capable auth factors, then the user is prompted for new MFA at next login.

The default method can only be removed if it is the last MFA auth method. Get-MgUserAuthenticationMethod doesn't identify the default method*, so either check for that error being returned or run the delete operation twice.

*Get-MgReportAuthenticationMethodUserRegistrationDetail can tell you the default method, but it isn't updated immediately when an auth factor is added or removed.


Brass Contributor

You would think that they would come up with an easy way to do this...

I mean, in the Azure Portal you have a simple button for "Require re-register multifactor authentication".

Why not make this exact same behavior available with a Graph cmdlet?

Brass Contributor

@MarkF70 Thank you, but that is only to read or clear all information. We want to set a private authentication email for provisioning, when entering our school as a student or employee, so the user is able to reset their own password.
It is working at the moment with API calls but we want it to be completely native graph commands.

Brass Contributor

Over a year on, and still waiting for this relatively basic feature.

Currently we're using MSOL, which is being deprecated as of June this year. C'mon Microsoft!

Copper Contributor

RESPECTED MICROSOFT COMMUNITY TEAM, I DO MY BEST EFFORT TO RESOLVE MY COMPANY ISSUE BUT RIGHT NOW I AM UPSET BECAUSE I DON'T UNDERSTAND CODING AND HOW DEVELOPERS WORK. I NEED SUPPORT IF ANYONE CAN HELP ME.

THANKS

SYED BILAL SHAH

THE ROYAL EXPRESS TRAVELS

+923228471198

Brass Contributor

Still waiting for the feature for editing/setting as in the GUI

Copper Contributor

We definitively need this feature in MS Graph API.

Copper Contributor

I'd also like to add my support for this function in Microsoft Graph!

Copper Contributor

Adding in my support for this!

Copper Contributor

Upvote.

I too would like a REST endpoint at /requireReregister:

POST https://graph.microsoft.com/beta/users/{id | userPrincipalName }/authentication/methods/requireReregister

While we can add PowerShell support to our existing automations, I would prefer not to deploy a deprecating solution.


Copper Contributor

Currently using the deprecated MSOL method via a runbook to achieve this and, because there are so many new methods since the days of MSOL, I also use Graph to identify and clear those at the user's request.

Would love to get it all under one module rather than have to rely on deprecated modules to manage half a million accounts with MFA along with all their little issues with replacing devices, etc.

Copper Contributor

Guys, here's my script for how I handle it with the MgGraph PowerShell module.

The three methods that need to be cleared are "Microsoft Authenticator", "Phone" and "SoftwareOATH".

As mentioned by @MarkF70, you can only clear the default method if it's the last one. So the script checks for the error and removes it at the end.

# Prerequisite: a Graph session that holds the UserAuthenticationMethod.ReadWrite.All scope, e.g.
# Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
$UserID = "UPN"

# Remember the method Graph refuses to delete (the user's default method) so it can be
# removed last, once every other MFA method is gone.
$DefaultID = $null
$Method    = $null

# Get Authentication Methods
$MicrosoftAuthenticatorMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserID
$PhoneMethods                  = Get-MgUserAuthenticationPhoneMethod -UserId $UserID
$SoftwareOathMethods           = Get-MgUserAuthenticationSoftwareOathMethod -UserId $UserID

# Remove Software OATH methods
foreach ($SoftwareOathMethod in $SoftwareOathMethods) {
    $SoftwareOathMethodID = $SoftwareOathMethod.Id
    try {
        Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $SoftwareOathMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Software OATH Method" $SoftwareOathMethodID
    }
    catch {
        # Graph refuses this while it is still the default method; retry it at the end.
        $DefaultID = $SoftwareOathMethodID
        $Method    = "SoftwareOath"
    }
}

# Remove Phone methods
foreach ($PhoneMethod in $PhoneMethods) {
    $PhoneMethodID = $PhoneMethod.Id
    try {
        Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $PhoneMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Phone Method" $PhoneMethodID
    }
    catch {
        $DefaultID = $PhoneMethodID
        $Method    = "Phone"
    }
}

# Remove Microsoft Authenticator methods
foreach ($MicrosoftAuthenticatorMethod in $MicrosoftAuthenticatorMethods) {
    $MicrosoftAuthenticatorMethodID = $MicrosoftAuthenticatorMethod.Id
    try {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $MicrosoftAuthenticatorMethodID -UserId $UserID -ErrorAction Stop
        Write-Host "Successfully removed Microsoft Authenticator Method" $MicrosoftAuthenticatorMethodID
    }
    catch {
        $DefaultID = $MicrosoftAuthenticatorMethodID
        $Method    = "MicrosoftAuthenticator"
    }
}

# Remove the default method now that it is the last MFA method left
if ($Method -eq "MicrosoftAuthenticator") {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -MicrosoftAuthenticatorAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Microsoft Authenticator Method" $DefaultID
}
elseif ($Method -eq "Phone") {
    Remove-MgUserAuthenticationPhoneMethod -PhoneAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Phone Method" $DefaultID
}
elseif ($Method -eq "SoftwareOath") {
    Remove-MgUserAuthenticationSoftwareOathMethod -SoftwareOathAuthenticationMethodId $DefaultID -UserId $UserID
    Write-Host "Successfully removed Software OATH Method" $DefaultID
}

Still an upvote from my side, as a single command would be much better :)
At least we have a workaround now.
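The same two-pass approach that MarkF70 describes and the script above implements, written as one table-driven function instead of one loop per method type. This is an added example, not code from the thread or from Microsoft: it enumerates every registered method with Get-MgUserAuthenticationMethod (named in the thread), dispatches removal on the method's @odata.type, defers whatever Graph refuses on the first pass (the default method) to a second pass, and then verifies that only the password method remains. The function name Reset-UserMfaRegistration is hypothetical. The table covers the three method types from the thread plus FIDO2 and email; the FIDO2 and email cmdlet and parameter names follow the same naming pattern as the three cmdlets on the page and are an assumption to check against the installed Microsoft.Graph.Identity.SignIns module.

```powershell
# Added example (not the thread's own script). Requires the Microsoft.Graph.Identity.SignIns
# module and a session holding the UserAuthenticationMethod.ReadWrite.All scope, e.g.
# Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Map each Graph @odata.type to the cmdlet and id parameter that delete that method.
# The first three entries come from the thread; the FIDO2 and email entries are assumed
# from the same naming pattern. Extend the table for further method types as needed.
$RemoveCommands = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = @{ Cmdlet = 'Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod'; IdParam = 'MicrosoftAuthenticatorAuthenticationMethodId' }
    '#microsoft.graph.phoneAuthenticationMethod'                  = @{ Cmdlet = 'Remove-MgUserAuthenticationPhoneMethod';                  IdParam = 'PhoneAuthenticationMethodId' }
    '#microsoft.graph.softwareOathAuthenticationMethod'           = @{ Cmdlet = 'Remove-MgUserAuthenticationSoftwareOathMethod';           IdParam = 'SoftwareOathAuthenticationMethodId' }
    '#microsoft.graph.fido2AuthenticationMethod'                  = @{ Cmdlet = 'Remove-MgUserAuthenticationFido2Method';                  IdParam = 'Fido2AuthenticationMethodId' }
    '#microsoft.graph.emailAuthenticationMethod'                  = @{ Cmdlet = 'Remove-MgUserAuthenticationEmailMethod';                  IdParam = 'EmailAuthenticationMethodId' }
}
$PasswordType = '#microsoft.graph.passwordAuthenticationMethod'

function Reset-UserMfaRegistration {
    # Hypothetical function name. Clears every MFA-capable method so the user must
    # re-register at next sign-in; supports -WhatIf so the plan can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserId
    )

    # Collect the registered methods we know how to delete; the password method stays.
    $pending = @()
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($RemoveCommands.ContainsKey($type)) {
            $pending += [pscustomobject]@{ Id = $m.Id; Type = $type }
        }
        elseif ($type -ne $PasswordType) {
            Write-Warning "No removal mapping for $type ($($m.Id)) on ${UserId}; leaving it in place"
        }
    }

    # Pass 1 removes everything Graph allows; the default method is refused and deferred.
    # Pass 2 runs after the rest are gone, so the deferred default is now the last one.
    foreach ($pass in 1, 2) {
        $deferred = @()
        foreach ($entry in $pending) {
            if (-not $PSCmdlet.ShouldProcess($UserId, "Remove $($entry.Type) $($entry.Id)")) { continue }
            $cmd = $RemoveCommands[$entry.Type]
            $params = @{ UserId = $UserId; ErrorAction = 'Stop' }
            $params[$cmd.IdParam] = $entry.Id
            try {
                & $cmd.Cmdlet @params
                Write-Verbose "Pass ${pass}: removed $($entry.Type) $($entry.Id)"
            }
            catch {
                if ($pass -eq 1) { $deferred += $entry }   # assume default-method refusal; retry later
                else { throw }                             # still failing with nothing else left: surface it
            }
        }
        $pending = $deferred
        if ($pending.Count -eq 0) { break }
    }
    if ($WhatIfPreference) { return }

    # Verify the outcome: only the password method should remain.
    $remaining = Get-MgUserAuthenticationMethod -UserId $UserId |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Where-Object { $_ -ne $PasswordType }
    if ($remaining) {
        Write-Warning "Methods still registered for ${UserId}: $($remaining -join ', ')"
    }
    else {
        Write-Host "MFA registration cleared for ${UserId}; re-registration is required at next sign-in"
    }
}

# Usage (constructed UPN): review the plan first, then run it for real.
# Reset-UserMfaRegistration -UserId 'user@contoso.example' -WhatIf
# Reset-UserMfaRegistration -UserId 'user@contoso.example' -Verbose
```

The catch on the first pass deliberately treats any failure as the default-method refusal, exactly as the thread's workaround does, because Get-MgUserAuthenticationMethod does not report which method is the default; the second pass rethrows so that a genuine error (missing permission, throttling) is not silently swallowed, and the final read-back confirms the user really is left with password only.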

Copper Contributor

Everyone reading, open devtools and click require re-register, there's a Graph call there since about a week or two!