How to Reset MFA Contact Details of Azure AD User

Reset MFA Contact Details of Azure AD User? In this post, we will look at the different types of users in Azure Active Directory (Azure AD or AAD). Along with this, we will see how we can delete the existing MFA contact details of a user in Azure AD and require the user to provide new contact details.

More details on changing the Azure MFA authentication phone from the MyApps portal – https://www.anoopcnair.com/change-azure-mfa-authentication-phone-myapps/

End users who want to change their own MFA mobile number can use – https://aka.ms/MFASetup

We can easily reset the contact details used for MFA (Multi-Factor Authentication) from the Azure AD portal. This is very useful when a user gets an internal transfer within the organization to another country and wants to change the registered number.

There are also options to “Delete all existing app passwords generated by the selected users” and “Restore multi-factor authentication on all remembered devices”.

MFA Mobile Contact Number reset from Azure Portal with Admin Access?

More details in the video here.

As you can see in the above picture, there are two types of symbols next to the user accounts. Users with an external email ID, such as a Gmail address, are guest users in Azure AD.

You can give external contractors temporary access to your organization’s apps using the Guest user option. The other type, users with your organization’s email IDs, are internal users.

To get access to the organization’s resources, guest users go through a secure onboarding process with MFA (Multi-Factor Authentication). Guest users receive an invitation mail at the external email ID with the subject “You’re invited to the {Anoop’s} organization”.

The user has to click the “Get Started” link in the mail and is then guided through the onboarding process, including MFA registration. As the welcome screen (below picture) shows, the guest user then gets access to the MyApps.microsoft.com portal, where they can open the internal applications allocated to them.

So, coming back to the main topic, “How to Reset the MFA Contact Details of an Azure AD User”. The option is in the Azure portal under “Microsoft Azure Active Directory --> Users and groups --> All users”; click “Multi-Factor Authentication”. A new tab opens with the option to reset the contact details of the AAD user.

This blade gives options to delete all app passwords generated by the selected users and to require those users to perform MFA again on all their remembered devices. Select the user ID and click “Manage user settings” to reset the MFA contacts of the AAD user.

When you click on any user account from this page (as you can see in the above picture), it takes you to the Office 365 licensing portal, so there is no need to log in to the Office portal separately to assign licenses to users. This is very useful.

Once you click “Manage User Settings”, you will see the following options:

1. Require selected users to provide contact methods again.
2. Delete all existing app passwords generated by the selected users.
3. Restore multi-factor authentication on all remembered devices.

To reset the MFA contact details of an Azure AD user, select option one, “Require selected users to provide contact methods again”, and click Save. The next time the user signs in, AAD will prompt them to provide their contact details again.
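The same reset done from PowerShell, as an added example that is not part of the original post: it uses the MSOnline module (the module this page later connects to with Connect-MsolService) to snapshot what the user has registered, clear it, and verify the result. The MSOnline module and an admin account that can manage users are assumed; the UPN is a constructed placeholder.

```powershell
# Added example, not from the original post: admin-side reset of a user's MFA
# contact details with the MSOnline module instead of the portal blade.
# Assumes the MSOnline module is installed and the signed-in admin can manage
# users; the UPN is a constructed placeholder.
$Upn = 'user@contoso.example'

Connect-MsolService

# Snapshot of what the user has registered: the second-factor methods
# (phone, app, ...) and the contact details behind them. Worth recording
# in the change ticket before a reset.
function Get-MfaRegistration {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $methods = foreach ($m in $u.StrongAuthenticationMethods) {
        if ($m.IsDefault) { "$($m.MethodType) (default)" } else { $m.MethodType }
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Methods           = $methods -join ', '
        Phone             = $u.StrongAuthenticationUserDetails.PhoneNumber
        AlternativePhone  = $u.StrongAuthenticationUserDetails.AlternativePhoneNumber
        Email             = $u.StrongAuthenticationUserDetails.Email
    }
}

# Equivalent of option 1, "Require selected users to provide contact methods
# again": clears the registered methods so the next sign-in re-prompts for
# them. Returns the before/after snapshots so the change can be verified.
function Reset-MfaContactDetails {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $before = Get-MfaRegistration -UserPrincipalName $UserPrincipalName
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName
    $after = Get-MfaRegistration -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        Before  = $before
        After   = $after
        # After a successful reset no methods remain registered
        Cleared = [string]::IsNullOrEmpty($after.Methods)
    }
}

Reset-MfaContactDetails -UserPrincipalName $Upn | Format-List
```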

Reference links:

  • Manage your settings for two-step verification – here
  • Azure Multi-Factor Authentication FAQ – here

Quick Overview Comparison between Intune Azure and Silverlight Portal

Quick Overview Comparison between Intune Azure and Silverlight Portal? I’m really excited to share this comparison video and post on the Intune Silverlight portal and the new Intune in the MEM portal.

There are loads of new features and loads of very useful changes. All new Azure tenants with a new Microsoft EMS subscription will be able to access a preview version of Intune in the MEM portal.

The performance, look and feel of the new Intune console are far better than the Intune Silverlight console. Intune in the MEM portal eliminates much of the duplicate work we had to do creating groups in both Azure AD and Intune.

In the new portal, we can deploy applications, policies, profiles, etc. directly to Azure Active Directory dynamic device groups and user groups. Enrollment restriction rules and RBA for Intune admins are the other features I find most exciting in the new portal.

The Manage Apps node is where you create apps from the Android store, Apple App Store and Windows store. The most exciting feature in Manage Apps is that you can search the Apple App Store directly (for the preview, I think only the US store can be selected) and fetch the application from there.

Hence you don’t need to specify the properties of that app. Deployments in the new MEM portal are called ASSIGNMENTS, and you can deploy applications directly to AAD groups. One thing missing in the preview version of Intune is an option to upload MSI applications.

The Configure Device node is the place in the new Azure console where you create configuration policies for iOS, Android for Work, Android and Windows devices. In the Intune Silverlight portal, configuration policies had built-in generic policies for Windows, iOS, Android, etc.; similarly, the new Intune portal in Azure has built-in profiles.

There are different profile types: Device Restriction policies, Wi-Fi profiles, VPN profiles, SCEP deployment profiles, email profiles, etc. Device restriction policies are nothing but the built-in configuration policies for a specific device platform.

Set Device Compliance is the node where you create the new, improved compliance policies for all supported devices such as iOS, Android and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policy.

Also, depending on the device platform, separate compliance policies get applied to different devices (even if a user is targeted by iOS, Android and Windows compliance policies at the same time). Deployment of compliance policies is done via assignments in the Intune portal.

The Conditional Access node in the new Intune portal has far fewer options than the Intune Silverlight conditional access options. All the device-based conditional access rules have moved out of Intune and are now part of Azure Active Directory. Device-based conditional access policy in Azure AD has loads of granular options: more conditions, more control options, etc.

The Enroll Devices node is where you define enrollment restriction rules. Enrollment restriction rules restrict which devices can enroll into Intune, and they are evaluated before conditional access verification. Within enrollment restriction rules, we can have different types of restrictions, such as Device Type restrictions and Device Limit restrictions.

Device type restriction is where we select device platforms and platform configurations. The Enroll Devices node is also where you define/configure Windows Hello for Business, check the MDM management authority, Terms and conditions, Corporate device identities and the Apple MDM push certificate.

Access control is where we define custom security permissions for administrator users. Role-based administration (RBA) is enabled in the new Intune portal, where you can create your own customized Intune admin roles.

Once you have created a security role, you can create a new assignment for it and add Member groups and Scope groups. The following permission options are available in the Intune preview portal: Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote tasks, Roles, Telecom Expenses and Terms and conditions.

Reference doc – https://docs.microsoft.com/en-us/intune-azure/introduction/what-is-microsoft-intune

Conditional Access in Azure Portal – https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Learn How to Delete Devices from Azure Active Directory | Azure Portal? As part of effective device management, we need delete and disable options in Azure AD and Intune.

A device can be retired and deleted from the Intune console (Silverlight), and I’m sure the new MEM portal will have these options too.

If you are an SCCM admin, you will recall that the SCCM console also has options to delete and disable a device. However, I have seen that when you retire and delete a device from the Intune console, the device is removed from the Intune console but still stays in Azure AD.

How to Delete Devices from Azure Active Directory

So it’s very critical and important to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial on this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment“.

Back to the delete and disable device options in the new Azure AD portal. We will cover the disable/enable device option first and then discuss the delete option. Think about a hypothetical scenario: there is an emergency situation and you want to disable the device in AAD to prevent further damage to your organization.

To disable a device, go to the All users and groups blade in the MEM portal here. Select All Users and then select the Devices option from that blade. This gives a list of devices; from that list, select a device and click the disable/enable option as required.

You can review the video attached to this post to get a real-time experience of this. There is no disable option in the Intune console, so the only way to disable a device is from the Azure AD portal.

Delete Devices from Azure Active Directory

Now, we can see the delete device option in the Azure portal. This is a very critical option and very helpful for keeping your Azure AD environment clean. It helps device management admins get better results from configuration/compliance policies and application deployments. To delete a device, go to the All users and groups blade in the Azure portal here.

Select All Users and then select the Devices option from that blade. This gives a list of devices; from that list, select a device and click Delete.

Reference

New Azure Portal where you can find All Users blade – https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/All%20users/menuId/

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager? A clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. You should also run regular sanity checks on your environment to make sure that you don’t have duplicate copies of policies and applications.

Moreover, you should take care to avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and lead to unexpected results.

Introduction

We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether removing a device from SCCM automatically removes that device record from on-prem Active Directory.

The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility; it has to be handled separately in on-prem Active Directory.

So how are these operations handled in the modern device management world, in terms of Intune SA (or SCCM Hybrid) and Azure Active Directory? In most cases, I have not seen the device record get purged automatically from Azure Active Directory (AAD) when you retire and delete a device from Intune.

To get better results from your compliance/configuration policies and application deployments in the modern device management world, we should ensure that we have a clean environment with a clean Azure AD. You can get a better understanding of this issue from the above video tutorial.

How to Delete Clean Tidy Intune Azure Active Directory?

In the above example, the Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check the devices assigned to my account, you can see there are a total of 3 devices, and all 3 devices are shown as managed by Intune.

This is not accurate data being reflected in Azure Active Directory. I’m not saying this scenario will happen every time; I’ve seen some devices automatically get removed from both Intune and AAD.

I suppose we should have better accuracy/sync between the Intune and Azure AD databases. I don’t see a scheduled task in Azure AD to purge records deleted from Microsoft Intune, and I’m not sure whether this is coming in the near future or not.

To ensure better results for Intune device management policies, when you delete a device from Intune you should make sure that the device record is removed from Azure AD as well. I’m planning to post a video tutorial showing how to delete a device from Azure AD to keep a clean and tidy environment.
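Both the emergency disable described in the previous post and the Intune-versus-Azure-AD device count comparison above can be scripted with the AzureAD PowerShell module; the block below is an added example, not code from the original posts. It assumes the AzureAD module is installed and the signed-in account can manage devices; the device name, UPN and the 90-day threshold are constructed placeholders.

```powershell
# Added example, not from the original posts: disable, review and clean up
# device records in Azure AD with the AzureAD PowerShell module.
# Assumes the AzureAD module is installed and the signed-in account can manage
# devices. Device name, UPN and the 90-day threshold are placeholders.
Connect-AzureAD

# Emergency disable: the record stays (history preserved for investigation)
# but the device can no longer sign in. Matches the portal disable option.
function Disable-AadDeviceByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    foreach ($d in Get-AzureADDevice -Filter "displayName eq '$DisplayName'") {
        Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
        Write-Output "Disabled $($d.DisplayName) ($($d.DeviceId))"
    }
}

# The devices Azure AD still holds for a user, so the count can be compared
# with what the Intune console shows for the same account (1 vs 3 above).
function Get-AadDevicesForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    Get-AzureADUserOwnedDevice -ObjectId $user.ObjectId |
        Select-Object DisplayName, DeviceId, AccountEnabled, IsManaged,
                      IsCompliant, ApproximateLastLogonTimeStamp
}

# Stale-record cleanup: devices with no sign-in for $Days days. Reports only
# unless -Delete is given, so the list can be reviewed before anything goes.
function Remove-StaleAadDevices {
    param([int]$Days = 90, [switch]$Delete)
    $cutoff = (Get-Date).AddDays(-$Days)
    $stale = Get-AzureADDevice -All $true | Where-Object {
        $_.ApproximateLastLogonTimeStamp -and $_.ApproximateLastLogonTimeStamp -lt $cutoff
    }
    foreach ($d in $stale) {
        $seen = $d.ApproximateLastLogonTimeStamp
        if ($Delete) {
            Remove-AzureADDevice -ObjectId $d.ObjectId
            Write-Output "Deleted $($d.DisplayName) (last seen $seen)"
        } else {
            Write-Output "Would delete $($d.DisplayName) (last seen $seen)"
        }
    }
}

Disable-AadDeviceByName -DisplayName 'LAPTOP-PLACEHOLDER'
Get-AadDevicesForUser -UserPrincipalName 'user@contoso.example' | Format-Table
Remove-StaleAadDevices -Days 90            # review the report first
# Remove-StaleAadDevices -Days 90 -Delete  # then delete for real
```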

How to Sync On-Prem AD Users with Azure AD Intune ConfigMgr

Using Azure AD Connect, you can sync on-prem user identities/attributes and passwords to Azure AD. Azure AD Connect installation and configuration is very straightforward if we use the express settings 🙂.

I have a video tutorial here that helps you understand the AAD Connect configuration, how to enable MFA for Azure AD join of a Windows 10 device, and Twitter app integration with Azure AD.

In this post, I’m going to cover two other topics related to Azure AD (AAD) Sync.

  1. Where does the scheduled task for Azure AD sync get created?
  2. How to create a service connection point in on-premises Active Directory?
  3. Video Tutorial – How to Sync On Prem AD User accounts With Azure AD

Windows 10 MDM devices can write back to on-prem AD; more details are available here. AAD Connect is mandatory for the write-back feature of Windows 10 devices.

Earlier versions of Azure AD Connect used the Windows Task Scheduler to schedule the Azure AD sync of on-prem objects and attributes. The latest version of Azure AD Connect has a built-in sync engine, so we won’t find a scheduled task for AAD Connect.

The new default synchronization frequency is 30 minutes. We can view and change the AD sync schedule using the PowerShell command “Get-ADSyncScheduler” and the other parameters documented here.

PS C:\Users\anoop\Desktop> Get-ADSyncScheduler

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 26-05-2016 02:06:23
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False

I was having trouble creating a service connection point in on-premises Active Directory. This service connection point is used to “Connect domain-joined devices to Azure AD for Windows 10 experiences”. I followed the documentation here to configure the service connection point in on-prem AD but got stuck with the PowerShell commands: I ran them as per the documentation, with no luck.

After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell and then ran the following PowerShell commands, which worked like a champ!

PS C:\Users\anoop\Desktop> Connect-MsolService

PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync

cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: nair\Anoop
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete

Video Tutorial – How to Sync On Prem AD User accounts With Azure AD: https://www.youtube.com/watch?v=14kIKSp35Rw

Learn How to Setup Dynamic Device Groups in Intune

Learn How to Setup Dynamic Device Groups in Intune? Do you want to add mobile devices automatically to Microsoft Intune device groups? Intune dynamic groups have been a customer request for a long time.

This feature is similar to dynamic collections in SCCM/ConfigMgr. There are two ways to do it. One is using the Azure AD Premium feature called AAD Dynamic Groups, and the other is a fairly new Intune feature called Device Group Mapping.

How to add devices/users automatically to Intune groups using Azure AD Dynamic Groups?

  1. Log in to the Azure AD portal (an AAD Premium subscription is required).
  2. Navigate via Directory –> Groups –> open the group (MDM Group) –> Configure. Enable Dynamic Group membership (only available for AAD Premium subscriptions) –> Add Users where <Department> is equal to “IT”. In this scenario, all users from the IT department get added to the AAD dynamic security group called MDM Group. Don’t panic if the group does not reflect the users immediately; give it some time and it will get updated.
  3. Once the AAD Dynamic Group is created and updated, log in to the Intune portal (manage.microsoft.com) and create a new User Group to fetch all the devices of the IT department users.
  4. Whenever a new user joins the IT department, that user automatically gets added to the Intune MDM group as well. Provisioning and de-provisioning of groups is made easy with this.
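The same “Department equals IT” dynamic group created from PowerShell, as an added example that is not part of the original post: it builds the membership rule the portal steps above configure and then checks whether membership has caught up with the rule, which is the delay step 2 warns about. The AzureAD module and an Azure AD Premium tenant are assumed; the group name is a constructed placeholder.

```powershell
# Added example, not from the original post: create the dynamic group from
# the steps above with the AzureAD PowerShell module and check its population.
# Assumes the AzureAD module and an Azure AD Premium tenant; group name is a
# constructed placeholder.
Connect-AzureAD

function New-DepartmentDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Department
    )
    # Same rule the portal builds for "Add Users where department equals IT"
    $rule = "(user.department -eq `"$Department`")"
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description "Dynamic: users in the $Department department" `
        -MailEnabled $false -MailNickname ($DisplayName -replace '\s', '') `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'   # 'Paused' stops evaluation
}

# Membership is evaluated asynchronously, so compare the group against the
# users the rule should match. A gap right after creation is expected and
# closes once Azure AD has processed the rule.
function Test-DynamicGroupPopulated {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$Department
    )
    $expected = @(Get-AzureADUser -All $true -Filter "department eq '$Department'").Count
    $actual   = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true).Count
    [pscustomobject]@{
        Expected = $expected
        InGroup  = $actual
        Complete = ($actual -eq $expected)
    }
}

$g = New-DepartmentDynamicGroup -DisplayName 'MDM Group' -Department 'IT'
Test-DynamicGroupPopulated -GroupId $g.Id -Department 'IT'
```

Re-run Test-DynamicGroupPopulated after a few minutes; Complete turns true once the rule has been processed.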

How to add devices automatically to Intune device groups using Device Group Mapping?

  1. Click on the Admin tab in the Intune console. Navigate via Device Group Mapping –> enable Device Group Mapping –> Create a Device Group, and add a CATEGORY to manage the device group mapping rules. Once you click Create Device Group, it guides you through creating one device group.
  2. When a user enrolls in Intune (during the enrollment process) using the Microsoft Intune Company Portal application, the user gets an extra screen, “Choose the best category for this device“. Right now, I have created only one category, “ADMIN”, for users to select. You are free to create an Intune device category for each department!
