How to Reset the MFA Contact Details of an Azure AD User

Users can log in to MyApps.microsoft.com and reset their phone number and other contact details themselves. But what if an admin wants to initiate this reset?

In this post, we will look at the different types of users in Azure Active Directory (Azure AD or AAD). We will also see how to delete the existing contact details of a user in Azure AD and require the user to provide new contact details. The contact details used for MFA (Multi-Factor Authentication) can be reset from the Azure AD portal. This is useful when a user has an internal transfer within the organization to another country and wants to change the number. There are also options to “Delete all existing app passwords generated by the selected users” and “Restore multi-factor authentication on all remembered devices”. More details are in the video.

As you can see in the above picture, there are two types of symbols next to user accounts. Accounts with an external email ID, such as Gmail, are guest users in Azure AD. You can use the guest user option to give external contractors temporary access to your organization's apps. Accounts with your organization’s email IDs are internal users.

To get access to the organization's resources, guest users must go through a secure onboarding process with MFA (Multi-Factor Authentication). Guest users receive an invitation mail at the external email ID with the subject “You’re invited to the {Anoop’s} organization”. The user has to click the “Get Started” link in the mail and is then guided through the onboarding process with MFA. As you can see in the welcome screen (below picture), the guest user gets access to the MyApps.microsoft.com portal, where they can open the internal applications allocated to them.

Coming back to the main topic, “How to Reset the MFA Contact Details of an Azure AD User”: the option is in the Azure portal under “Microsoft Azure Active Directory –> Users and groups –> All users”. Click on “Multi Factor Authentication”. In the new tab, you get the option to reset the contact details of the AAD user. This blade also lets you reset all app passwords generated by the selected users and require users to perform MFA again on all existing devices. Select the user ID and click on “Manage user settings” to reset the MFA contacts of the AAD user.

When you click on any user account from the above place (as you can see in the above picture), it takes you to the Office 365 licensing portal, so there is no need to log in to the Office portal separately to assign licenses to users. This is very useful.

Once you click on “Manage user settings”, you will be able to see the following options:

  1. Require selected users to provide contact methods again.
  2. Delete all existing app passwords generated by the selected users.
  3. Restore multi-factor authentication on all remembered devices.

To reset the MFA contact details of an Azure AD user, select option one, “Require selected users to provide contact methods again”, and click Save. The next time the user logs in on a device, AAD will prompt the user to provide contact details again.
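For admins who need to do this for several users or want a dry run first, the following is an added example and not part of the original post: a scripted approximation of option one using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that the signed-in admin can consent to the `UserAuthenticationMethod.ReadWrite.All` scope. It removes each user's registered phone, Microsoft Authenticator and software OATH methods, and retries once because Graph can refuse to delete a user's default method while other methods are still registered.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns) is installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    # e.g. 'user@contoso.example' (constructed placeholder)
    [Parameter(Mandatory)][string[]]$UserPrincipalName
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Only MFA contact methods are handled; passwords, FIDO2 keys, etc. are left alone.
$removers = @{
    '#microsoft.graph.phoneAuthenticationMethod' = {
        param($u, $id)
        Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id -ErrorAction Stop
    }
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = {
        param($u, $id)
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id -ErrorAction Stop
    }
    '#microsoft.graph.softwareOathAuthenticationMethod' = {
        param($u, $id)
        Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id -ErrorAction Stop
    }
}

foreach ($upn in $UserPrincipalName) {
    $pending = @(Get-MgUserAuthenticationMethod -UserId $upn | Where-Object {
        $t = $_.AdditionalProperties['@odata.type']
        $t -and $removers.ContainsKey($t)
    })

    # Two passes: a method that cannot be deleted while others remain (the default
    # method) is retried after the rest have been removed.
    foreach ($pass in 1..2) {
        $failed = @()
        foreach ($m in $pending) {
            $type = $m.AdditionalProperties['@odata.type']
            if (-not $PSCmdlet.ShouldProcess($upn, "Remove $type ($($m.Id))")) { continue }
            try   { & $removers[$type] $upn $m.Id; Write-Output "$upn : removed $type" }
            catch { $failed += $m }
        }
        $pending = $failed
    }
    foreach ($m in $pending) { Write-Warning "$upn : could not remove method $($m.Id)" }
}
```

Run the script with `-WhatIf` first to list the methods that would be removed without changing anything.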

1 COMMENT

  1. Is there a way to delegate the ability to reset someone’s MFA settings (require user to provide contact methods again setting)? We do not have to assign the global admin role to help desk folks.
