Manage authentication methods for Microsoft Entra multifactor authentication - Microsoft Entra ID (2024)

You can add authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph.

To add authentication methods for a user in the Microsoft Entra admin center:

1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
2. Browse to Identity > Users > All users.
3. Choose the user for whom you wish to add an authentication method and select Authentication methods.
4. At the top of the window, select + Add authentication method.
   • Select a method (phone number or email). Email may be used for self-password reset but not authentication. When adding a phone number, select a phone type and enter phone number with valid format (e.g. +1 4255551234).
   • Select Add.

Manage methods using PowerShell

Install the Microsoft.Graph.Identity.Signins PowerShell module using the following commands.

Install-module Microsoft.Graph.Identity.SigninsConnect-MgGraph -Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All"Select-MgProfile -Name beta

List phone based authentication methods for a specific user.

Get-MgUserAuthenticationPhoneMethod -UserId balas@contoso.com

Create a mobile phone authentication method for a specific user.

New-MgUserAuthenticationPhoneMethod -UserId balas@contoso.com -phoneType "mobile" -phoneNumber "+1 7748933135"

Remove a specific phone method for a user

Remove-MgUserAuthenticationPhoneMethod -UserId balas@contoso.com -PhoneAuthenticationMethodId 3179e48a-750b-4051-897c-87b9720928f7

Authentication methods can also be managed using Microsoft Graph APIs. For more information, see Authentication and authorization basics.

If you're assigned the Authentication Administrator role, you can require users to reset their password, re-register for MFA, or revoke existing MFA sessions from their user object. To manage user settings, complete the following steps:

1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.

2. Browse to Identity > Users > All users.

3. Choose the user you wish to perform an action on and select Authentication methods. At the top of the window, then choose one of the following options for the user:

   • Reset password resets the user's password and assigns a temporary password that must be changed on the next sign-in.
   • Require re-register MFA deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.
   • Revoke MFA sessions clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.

   

For users that have defined app passwords, administrators can also choose to delete these passwords, causing legacy authentication to fail in those applications. These actions may be necessary if you need to provide assistance to a user, or need to reset their authentication methods. Non-browser apps that were associated with these app passwords will stop working until a new app password is created.

To delete a user's app passwords, complete the following steps:

1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.

2. Browse to Identity > Users > All users.

3. Select Multifactor authentication. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:

4. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.

5. Select Manage user settings, then check the box for Delete all existing app passwords generated by the selected users, as shown in the following example:

6. Select save, then close.