In this post, we will look at the different types of users in Azure Active Directory (Azure AD or AAD). We will also see how to delete a user's existing contact details in Azure AD and require the user to provide new contact details.
More details on changing the Azure MFA authentication phone from the MyApps portal – https://www.anoopcnair.com/change-azure-mfa-authentication-phone-myapps/
If you are an end user trying to change your MFA mobile number – https://aka.ms/MFASetup
We can easily reset the contact details used for MFA (Multi Factor Authentication) from the Azure AD portal. This is very useful when a user has had an internal transfer within the organization to another country and wants to change the number. There are also options to “Delete all existing app passwords generated by the selected users” and “Restore multi-factor authentication on all remembered devices”.
MFA Mobile Contact Number reset from Azure Portal with Admin Access?
More details in the video here.
As you can see in the above picture, there are two types of symbols near user accounts. The accounts with an external email ID, such as Gmail, are guest users in Azure AD. You can use the guest user option to give external contractors temporary access to your organization's apps. The other type, users with your organization's email IDs, are internal users.
To get access to the organization's resources, guest users must go through a secure onboarding process with MFA (Multi Factor Authentication). Guest users will receive an invitation mail on the external email ID, and the email subject would be “You’re invited to the {Anoop’s} organization”. The user has to click on the “Get Started” link in the mail and will then be guided through the onboarding process with MFA. As you can see in the welcome screen (below picture), the guest user gets access to the MyApps.microsoft.com portal, where they can access the internal applications allocated to them.
So, coming back to the main topic, “How to Reset the MFA Contact Details of an Azure AD User”. This option is in the Azure portal under “Microsoft Azure Active Directory –> Users and groups – All users”; click on “Multi Factor Authentication”. In the new tab, you will get the option to reset the contact details of the AAD user. This blade also gives an option to delete all app passwords generated by the selected users, and you can require users to perform MFA again on all their existing devices. Select the user ID and click on “Manage user settings” to reset the MFA contacts of the AAD user.
When you click on any of the user accounts from the above place (as you can see in the above pic), it will take you to the Office 365 licensing portal. So there is no need to log in to the Office portal separately to assign licenses to users. This is very useful.
Once you click on “Manage User Settings”, you will be able to see the following options:
1. Require selected users to provide contact methods again.
2. Delete all existing app passwords generated by the selected users.
3. Restore multi-factor authentication on all remembered devices.
To reset the MFA contact details of an Azure AD user, select option one, “Require selected users to provide contact methods again”, and click Save. The next time the user logs in on a device, AAD will prompt the user to provide contact details again.
Hi
Is there a way to do this with PowerShell?
Is there a way to delegate the ability to reset someone’s MFA settings (require user to provide contact methods again setting)? We do not have to assign the global admin role to help desk folks.
Any answer if we can do this via PowerShell?
I never tried PowerShell and I’m not aware of any PowerShell options for Azure AD and MFA reset. But there could be some programming options available via Microsoft Graph?
You can clear the methods that are currently set, giving your user a chance to change the options the next time they log in, using Reset-MsolStrongAuthenticationMethodByUpn.
You can take some PowerShell examples from http://www.powershellbros.com/reset-azure-ad-mfa-settings/
Hi Anoop
I am running the below command to reset MFA of an Azure AD user.
Set-MsolUser -UserPrincipalName $UPNToReset -StrongAuthenticationRequirements
However, MFA got reset but the data in contact details is not cleared.
Is this because of the permissions of the account which I am using to reset? I am not using a Global Admin account.
Please suggest
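The reset cmdlet named in the comments, Reset-MsolStrongAuthenticationMethodByUpn, wrapped with a before/after check so the result can be verified and recorded. This is an added example, not code from the original post or its commenters. It assumes the legacy MSOnline PowerShell module and an admin sign-in; the function names and the UPN are hypothetical.

```powershell
#Requires -Modules MSOnline
# Added example. Get-MfaRegistration and Reset-MfaRegistration are hypothetical helper names.

function Get-MfaRegistration {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        # Per-user MFA state held in StrongAuthenticationRequirements (empty = not set)
        RequirementState  = ($user.StrongAuthenticationRequirements | ForEach-Object State) -join ','
        # Registered verification methods held in StrongAuthenticationMethods,
        # a separate property from the requirement state above
        Methods           = @($user.StrongAuthenticationMethods | ForEach-Object MethodType)
        DefaultMethod     = $user.StrongAuthenticationMethods |
                                Where-Object IsDefault | ForEach-Object MethodType
    }
}

function Reset-MfaRegistration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$UserPrincipalName)
    process {
        $before = Get-MfaRegistration -UserPrincipalName $UserPrincipalName
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear registered MFA methods')) {
            Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName -ErrorAction Stop
        }
        $after = Get-MfaRegistration -UserPrincipalName $UserPrincipalName
        # One record per user: keep it with the help desk ticket as evidence of the change
        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            MethodsBefore     = $before.Methods -join ','
            MethodsAfter      = $after.Methods -join ','
            StateBefore       = $before.RequirementState
            StateAfter        = $after.RequirementState
            Cleared           = ($after.Methods.Count -eq 0)
        }
    }
}

Connect-MsolService   # interactive sign-in with an account permitted to manage MFA methods

# Constructed sample UPN. -WhatIf reports what would change without changing it.
'transferred.user@contoso.example' | Reset-MfaRegistration -WhatIf
```

Drop -WhatIf to perform the reset; the function then prompts for confirmation per user because ConfirmImpact is High.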