-
Notifications
You must be signed in to change notification settings - Fork 908
Expand file tree
/
Copy pathhowto-mfa-userdevicesettings.yml
More file actions
132 lines (107 loc) · 8.8 KB
/
howto-mfa-userdevicesettings.yml
File metadata and controls
132 lines (107 loc) · 8.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
### YamlMime:HowTo
---
metadata:
title: Manage authentication methods for Microsoft Entra multifactor authentication
description: Learn how you can configure Microsoft Entra user settings for Microsoft Entra multifactor authentication
ms.reviewer: jupetter
ms.date: 02/27/2025
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
- sfi-image-nochange
title: |
Manage user authentication methods for Microsoft Entra multifactor authentication
introduction: |
Users in Microsoft Entra ID have two distinct sets of contact information:
- Public profile contact information, which is managed in the user profile and visible to members of your organization. For users synced from on-premises Active Directory, this information is managed in on-premises Windows Server Active Directory Domain Services.
- Authentication methods, which are always kept private and only used for authentication, including multifactor authentication. Administrators can manage these methods in a user's authentication method blade and users can manage their methods in Security Info page of MyAccount.
When managing Microsoft Entra multifactor authentication methods for your users, Authentication administrators can:
- Add authentication methods for a specific user, including phone numbers used for MFA.
- Reset a user's password.
- Require a user to re-register for MFA.
- Revoke sessions.
- Delete a user's existing app passwords
> [!NOTE]
> The screenshots in this topic show how to manage user authentication methods by using an updated experience in the Microsoft Entra admin center. There's also a legacy experience, and admins can toggle between the two using a banner in the admin center. The modern experience has full parity with the legacy experience, and it manages modern methods like Temporary Access Pass, passkeys, and other settings.
> The legacy experience in the Microsoft Entra admin center retired on Sept. 30, 2025. There's no action required by organizations before the retirement.
prerequisites:
summary: |
Microsoft Entra multifactor authentication, which is enabled by default.
procedureSection:
- title: |
Add or change authentication methods for a user
summary: |
You can add or change authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph PowerShell.
In the Microsoft Entra admin center, the legacy method for managing user authentication methods retires after Sept. 30, 2025.
> [!NOTE]
> For security reasons, public user contact information fields shouldn't be used to perform MFA. Instead, users should populate their authentication method numbers to be used for MFA.
:::image type="content" source="media/howto-mfa-userdevicesettings/add-authentication-method-detail.png" alt-text="Screenshot of how to add authentication methods from the Microsoft Entra admin center.":::
To add or change authentication methods for a user in the Microsoft Entra admin center:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator).
1. Browse to **Entra ID** > **Users**.
1. Choose the user for whom you wish to add or change an authentication method and select **Authentication methods**.
1. At the top of the window, select **+ Add authentication method**.
- Select a method (phone number or email). Email may be used for self-password reset but not authentication. When adding a phone number, select a phone type and enter phone number with valid format (such as `+1 4255551234`).
- Select **Add**.
Users can add or edit their own authentication methods in [My Sign Ins | Security info](https://mysignins.microsoft.com/security-info).
For example, to change the phone number, select **Phone number** and tap **Change**.
### Manage methods using PowerShell
Install the Microsoft.Graph.Identity.Signins PowerShell module using the following commands.
code: |
```powershell
Install-module Microsoft.Graph.Identity.Signins
Connect-MgGraph -Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All"
Select-MgProfile -Name beta
```
List phone based authentication methods for a specific user.
```powershell
Get-MgUserAuthenticationPhoneMethod -UserId [email protected]
```
Create a mobile phone authentication method for a specific user.
```powershell
New-MgUserAuthenticationPhoneMethod -UserId [email protected] -phoneType "mobile" -phoneNumber "+1 7748933135"
```
Remove a specific phone method for a user
```powershell
Remove-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneAuthenticationMethodId 00aa00aa-bb11-cc22-dd33-44ee44ee44ee
```
Authentication methods can also be managed using Microsoft Graph APIs. For more information, see [Authentication and authorization basics](/graph/auth/auth-concepts).
- title: |
Manage user authentication options
summary: |
[Authentication Administrators](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator) can require other users to reset their password, re-register for MFA, or revoke the user's sessions. Users can't update their own user object. To change or reset their own security methods, users can go to [Security info](https://aka.ms/security-info), or go to [self-service password reset](https://aka.ms/sspr) to reset their password. To manage other user's settings, complete the following steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator).
- |
Browse to **Entra ID** > **Users**.
- |
Choose the user you wish to perform an action on and select **Authentication methods**. At the top of the window, then choose one of the following options for the user:
- **Reset password** resets the user's password and assigns a temporary password that must be changed on the next sign-in.
- **Require re-register MFA** deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.
- **Revoke sessions** invalidates a user's refresh tokens, forcing reauthentication across active sessions and applications.
- title: |
Delete users' existing app passwords
summary: |
For users that have defined app passwords, administrators can also choose to delete these passwords, causing legacy authentication to fail in those applications. These actions may be necessary if you need to provide assistance to a user, or need to reset their authentication methods. Non-browser apps that were associated with these app passwords stop working until a new app password is created.
To delete a user's app passwords, complete the following steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator).
- |
Browse to **Entra ID** > **Users**.
- |
Select **Multifactor authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:
[](media/howto-mfa-userstates/selectmfa.png#lightbox)
- |
Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.
- |
Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example:
- |
Select **save**, then **close**.
relatedContent:
- text: Configure Microsoft Entra multifactor authentication settings
url: howto-mfa-mfasettings.md
- text: User guide for Microsoft Entra multifactor authentication
url: https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc