Microsoft Tech Community

Force a user to re-register with Azure AD Self Service Password Reset


Is there a way to force a user to re-register with the Azure AD Self Service Password Reset as if he/she has never registered before?

Is there a way to remove the registration of a specific user or re-initialise a specific user?

 

 

13 Replies

If they have not registered, re-registration does not seem applicable to me so I'm a little bit confused by your question, but you may find this helpful https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data

 

You can clear the SSPR data via PowerShell, the relevant attributes are listed here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data

 

 

Hi Han,

 

Did you try clearing the user data as Vasil suggested?

 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data

 

Maybe you could try and test with a new user.

 

Clearing the attributes like Vasil suggested does not force a user to re-register.

Hi!

 

Review your eligible accounts.
Get-MsolUser -UserPrincipalName admin@soft.onmicrosoft.com | select PasswordNeverExpires

 

More about passwords and password expiration policies
https://support.office.com/en-us/article/Change-how-often-passwords-expire-in-Office-365-for-Small-B...

 

My question has nothing to do with password expiring.

Hi Han,

 

Within the MFA configuration, there is an option to require selected users to provide contact methods again. As far as I can see, the user doesn't have to be MFA enabled.

 

Within https://aad.portal.azure.com go to Users. On the top of the page, you can go to Multi-Factor Authentication. A new page/tab will be opened. On that page you can select the user => Manage User Settings => place a check mark at Require selected users to provide contact methods again and click save.

 

Hope this helps.

 

Best regards,

Ruud Gijsbers

Yes, I understand.
Do you agree with Ruud Gijsbers?

@Han Valk

 

I was trying to do the same task, force a user to re-register for SSPR in a lab tenant.  I was able to do so by removing values from the AAD user.

 

Get-MsolUser -UserPrincipalName user@domain.com | select AlternateEmailAddresses

Get-MsolUser -UserPrincipalName user@domain.com | select MobilePhone

Get-MsolUser -UserPrincipalName user@domain.com | select PhoneNumber

 

After I removed data from all 3 properties, the user could no longer do SSPR.  When the user goes to https://aka.ms/ssprsetup, they are prompted to register (after a successful sign-in).

I found a solution to this :)

 

# /MWU
# First connect to your tenant (as you usually do)
# Output from my connect-tenant function
# cat function:Connect-O365-PROD

# Actual Connect-O365-PROD function
Get-PSSession | Remove-PSSession
$PROD365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $PRODAdminCred -Authentication Basic -AllowRedirection
# Use this if you import script functions from a remote server; I only load the remote script in my $profile
Import-Module (Import-PSSession $PROD365Session -AllowClobber) -Global
Connect-MsolService -Credential $PRODAdminCred
################## Forget the above if you are a pro :) ##################################


# Selected user in the cloud
$UserPrincipalName = "abc@org.com"

# Get settings for a user with existing auth data
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
# Viewing the currently registered methods and which one is the default
$User.StrongAuthenticationMethods


# Creating custom objects for the methods (set IsDefault to $true instead of $false on the method you prefer)
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $false
$m1.MethodType = "OneWaySMS"

$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "TwoWayVoiceMobile"


$m3 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m3.IsDefault = $false
$m3.MethodType = "PhoneAppOTP"


$m4 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m4.IsDefault = $true
$m4.MethodType = "PhoneAppNotification"

# To set the user's default method for the second factor
#$m = @($m1, $m2, $m3, $m4)

# To force the user ONLY to re-register, without clearing their phone number or app shared secret
$m = @()

# Set command to define the new settings
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationMethods $m

# Settings should now be empty, and the user is required to register a new phone number or whatever they like, in case they lost their phone
$User = Get-MsolUser -UserPrincipalName $UserPrincipalName
$User.StrongAuthenticationMethods
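An added PowerShell example (not code from this thread) that wraps the approach in the reply above and the earlier lab-tenant reply into one reusable function: it snapshots the user's current registration to a file for audit and rollback, then clears the MSOnline StrongAuthenticationMethods (and optionally the SSPR contact attributes) so the user is prompted to register again. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name and backup folder are hypothetical, and clearing the contact attributes with empty values is an assumption to verify in a test tenant.

```powershell
function Reset-UserAuthRegistration {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Hypothetical folder for the pre-change snapshot; adjust for your environment
        [string] $BackupFolder = "$env:TEMP\mfa-reset-backups",
        # Also clear the SSPR contact attributes that the lab-tenant reply removed
        [switch] $IncludeSsprContacts
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Keep an audit record of what was registered before anything is cleared
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $backup = Join-Path $BackupFolder ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $user.ObjectId, (Get-Date))
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        TakenAt           = (Get-Date).ToString('o')
        StrongAuthMethods = @($user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault)
        AlternateEmails   = @($user.AlternateEmailAddresses)
        MobilePhone       = $user.MobilePhone
        PhoneNumber       = $user.PhoneNumber
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $backup

    if (@($user.StrongAuthenticationMethods).Count -eq 0) {
        Write-Warning "$UserPrincipalName has no registered MFA methods; nothing to clear."
    }

    # An empty array clears the registered methods (the same call the reply above uses);
    # the user is prompted to register again at next sign-in
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear registered MFA methods')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
    }

    if ($IncludeSsprContacts -and
        $PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear SSPR contact attributes')) {
        # Assumption: empty values clear these attributes; verify in a test tenant first
        Set-MsolUser -UserPrincipalName $UserPrincipalName -AlternateEmailAddresses @() `
            -MobilePhone $null -PhoneNumber $null
    }

    # Re-read the object so the operator sees the actual post-change state
    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        RemainingMethods  = @($after.StrongAuthenticationMethods).Count
        SnapshotFile      = $backup
    }
}

# Usage (after Connect-MsolService); drop -WhatIf to apply the change:
Reset-UserAuthRegistration -UserPrincipalName 'user@example.com' -WhatIf
```

Because ConfirmImpact is High, the function prompts before each change unless -Confirm:$false is passed, and the JSON snapshot records the methods that were in place if the change has to be explained or reverted later.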

Things have changed a lot since this question was asked but I'm also attempting to solve it.
Microsoft has combined enrollment for SSPR with MFA. Now a user will enroll for both at the same time.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/combined-registration-for-azu...

This has caused confusion about where the methods are configured for the users.

I've found ways to force a user to re-register their MFA methods.
In my case, users have successfully enrolled for MFA and have the state of Enforced.

They are not set up for SSPR yet, however. I want to trigger only that enrollment process, but it doesn't seem possible now that the MFA and SSPR enrollments are combined.
Hi all, same problem here...
Same problem! Any update?