Change the Default MFA Method of a User via Graph PowerShell


This article outlines the steps to change the default MFA sign-in method of a single user, or of many users in bulk, with the Microsoft Graph PowerShell module.

What is a default sign-in method? The method set as default is the one Entra ID automatically presents to the user whenever a second factor is required; the other registered methods remain available behind the "sign in another way" option.

Microsoft recently added an option in Entra ID that lets admins view and set a user's default MFA sign-in method from the Entra admin center / Azure portal. The functionality is still in preview, but it works.

Default sign-in method (Preview) option in Entra admin center
Make sure the option to view the new user authentication methods experience is enabled, otherwise the Default sign-in method control is not shown.

Being able to change a user's default MFA method in the portal is a nice addition for administrators, but if you need to change it for many users at once, clicking through each user is slow and error-prone. The Entra portal has no bulk option for this, so we have to script it with PowerShell.

Before we proceed further:

Make sure the 'System-preferred multifactor authentication' option is set to 'Disabled' in Entra ID.

System-preferred multifactor authentication disabled in Entra ID.

When enabled, system-preferred MFA lets Entra ID pick the most secure of the user's registered methods and present that one at sign-in. This overrides any default method the admin or the user sets manually, so with it enabled the changes made below would have no visible effect.

Update the default MFA sign-in method of a single user via PowerShell

Install the Graph PowerShell module. We also need the beta module, because the sign-in preference cmdlets used below exist only in the beta SDK. If you run into any issues during installation, refer to the Microsoft article on installing the module.

Install-Module Microsoft.Graph -Repository PSGallery -Force
Install-Module Microsoft.Graph.Beta -Repository PSGallery -Force

Connect to Graph and consent to the permissions. This article uses a global admin account, but that is more privilege than the task needs: the scopes below are what Graph checks, and a role that can manage users' authentication methods, such as Authentication Administrator (or Privileged Authentication Administrator when the target users hold admin roles themselves), is sufficient.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

View the user’s current default MFA method. (optional)

Get-MgBetaUserAuthenticationSignInPreference -UserId '<objectID of the user>'

one user's current default MFA method via PowerShell output

Update the user's default MFA method with the command below. -UserId accepts either the object ID or the user principal name; the method value must be one of the Graph values listed in the table in the bulk section further down, and the user must already have registered that method.

Update-MgBetaUserAuthenticationSignInPreference -UserId '<objectID of the user>' -UserPreferredMethodForSecondaryAuthentication '<Value used in Graph from the table below>'

Sample screenshot: a user's default MFA method being set to SMS.

Run the Get-MgBetaUserAuthenticationSignInPreference cmdlet again to confirm the new default is in place; the update cmdlet returns nothing on success, so reading the value back is the only check.

user's default MFA method showing as SMS now
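The following is an added example and not code from the original article. It wraps the single-user procedure above in a function that refuses to proceed when system-preferred MFA is enabled for the user (the caveat from earlier in the article), checks that the user has actually registered the requested method before asking Graph to make it the default, and reads the preference back afterwards instead of trusting a silent return. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and Connect-MgGraph has already been run with the User.Read.All and UserAuthenticationMethod.ReadWrite.All scopes; the mapping from default-method values to registered-method types ($MethodRequirements) and the function name Set-DefaultMfaMethod are this example's own, and it covers the push, oath, sms, voiceMobile and voiceOffice values only.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph has been run with
# User.Read.All and UserAuthenticationMethod.ReadWrite.All.

# Which registered authentication method each default-method value depends on.
# PhoneType applies only to phoneAuthenticationMethod entries. (Mapping is this example's own.)
$MethodRequirements = @{
    push        = @{ Type = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' }
    oath        = @{ Type = '#microsoft.graph.softwareOathAuthenticationMethod' }
    sms         = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'mobile' }
    voiceMobile = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'mobile' }
    voiceOffice = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'office' }
}

function Set-DefaultMfaMethod {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object ID or user principal name; Graph accepts either in the users/{id} segment
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [ValidateSet('push', 'oath', 'sms', 'voiceMobile', 'voiceOffice')]
        [string] $Method
    )

    $prefs = Get-MgBetaUserAuthenticationSignInPreference -UserId $UserId -ErrorAction Stop

    # System-preferred MFA overrides whatever default we set; fail loudly rather than no-op.
    if ($prefs.IsSystemPreferredAuthenticationMethodEnabled) {
        throw "System-preferred MFA is enabled for $UserId; a manual default would be ignored (system choice: $($prefs.SystemPreferredAuthenticationMethod))."
    }

    if ($prefs.UserPreferredMethodForSecondaryAuthentication -eq $Method) {
        Write-Verbose "$UserId already defaults to $Method"
        return $prefs
    }

    # Confirm the method is registered before asking Graph to make it the default.
    $need = $MethodRequirements[$Method]
    $registered = Get-MgUserAuthenticationMethod -UserId $UserId -ErrorAction Stop |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq $need.Type } |
        Where-Object { -not $need.PhoneType -or $_.AdditionalProperties['phoneType'] -eq $need.PhoneType }

    if (-not $registered) {
        $desc = if ($need.PhoneType) { "$($need.Type) ($($need.PhoneType))" } else { $need.Type }
        throw "$UserId has not registered $desc; cannot set $Method as the default."
    }

    if ($PSCmdlet.ShouldProcess($UserId, "Set default MFA method to $Method")) {
        Update-MgBetaUserAuthenticationSignInPreference -UserId $UserId `
            -UserPreferredMethodForSecondaryAuthentication $Method -ErrorAction Stop

        # The update cmdlet returns nothing on success, so read the value back to verify it stuck.
        $after = Get-MgBetaUserAuthenticationSignInPreference -UserId $UserId -ErrorAction Stop
        if ($after.UserPreferredMethodForSecondaryAuthentication -ne $Method) {
            throw "Update returned without error but $UserId still reports '$($after.UserPreferredMethodForSecondaryAuthentication)'."
        }
        return $after
    }
}

# Usage: dry run first, then the real change with verbose output.
# Set-DefaultMfaMethod -UserId 'alice@contoso.com' -Method push -WhatIf
# Set-DefaultMfaMethod -UserId 'alice@contoso.com' -Method push -Verbose
```

The registration check relies on the fact that the methods returned by Get-MgUserAuthenticationMethod carry their concrete type in AdditionalProperties['@odata.type'], with phone entries further distinguished by phoneType; SupportsShouldProcess gives you -WhatIf for free, which is worth having before running the same function in a loop.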

Bulk update the default MFA sign-in method of multiple users via PowerShell script

Set $NewDefaultMFAmethod near the top of the script to the method you want as the default; the table below lists the accepted values. The value must be one of the Graph enum names, and the cmdlet rejects anything else, so if in doubt run Get-MgBetaUserAuthenticationSignInPreference against a user whose default is already the method you want and copy the value it returns.

MFA method                                                       Value used in Graph
Microsoft Authenticator (push notification)                      push
6-digit TOTP (third-party software OATH app)                     oath
SMS                                                              sms
Voice call on primary mobile number                              voiceMobile
Voice call on office phone number                                voiceOffice
Alternate or backup mobile phone, usable only for voice calls    alternateMobile

# Connect to Entra ID with an account that can manage users' authentication methods and consent
# to the permissions. Make sure both the Microsoft Graph PowerShell and Microsoft Graph PowerShell
# beta modules are installed.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

# Preferred default sign-in method. Refer to the table in the article
# https://entralab.io/change-the-default-mfa-method-of-a-user-via-powershell for accepted values.
$NewDefaultMFAmethod = "push"

# Get all users in the tenant. This includes guests and service accounts; add
# -Filter "userType eq 'Member'" if you only want member users.
$Users = Get-MgUser -All

# Go through each user stored in $Users
foreach ($User in $Users) {

    # Get the user's current default sign-in method (empty if none has been set yet)
    $currentMFAmethod = Get-MgBetaUserAuthenticationSignInPreference -UserId $User.Id

    # Skip users who already have the preferred method as their default
    if ($currentMFAmethod.UserPreferredMethodForSecondaryAuthentication -eq $NewDefaultMFAmethod) {
        Write-Host "Default MFA method $NewDefaultMFAmethod already set for $($User.UserPrincipalName)" -ForegroundColor Cyan
        continue
    }

    # Set the user's default MFA method to the value in $NewDefaultMFAmethod.
    # -ErrorAction Stop makes the Graph error terminating so the catch block actually runs.
    try {
        Update-MgBetaUserAuthenticationSignInPreference -UserId $User.Id `
            -UserPreferredMethodForSecondaryAuthentication $NewDefaultMFAmethod -ErrorAction Stop
        Write-Host "Default MFA method updated to $NewDefaultMFAmethod for $($User.UserPrincipalName) successfully." -ForegroundColor Green
    }
    # The usual cause is that the user has not registered the preferred method, but throttling
    # or an insufficient role fail the same way, so print the actual Graph error as well.
    catch {
        Write-Host "Could not set $NewDefaultMFAmethod for $($User.UserPrincipalName) (usually not registered): $($_.Exception.Message)" -ForegroundColor Yellow
    }
}
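The script above targets every user in the tenant and gives everyone the same method. The following is an added example, not code from the original article, for the more common case where a specific list of users each need a specific default: it reads a CSV of UserPrincipalName,Method, supports -WhatIf for a dry run, records the before and after value per user together with the real Graph error text, and can export that as a report. It assumes Connect-MgGraph has already been run with the same scopes as the script above; the function name Set-DefaultMfaMethodFromCsv, the report columns and the CSV content at the bottom are this example's own constructed sample data.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph has been run with
# User.Read.All and UserAuthenticationMethod.ReadWrite.All.

function Set-DefaultMfaMethodFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,    # CSV with columns UserPrincipalName,Method
        [string] $ReportPath                      # optional CSV to write per-user results to
    )

    $rows = Import-Csv -Path $Path
    $results = foreach ($row in $rows) {
        $upn    = $row.UserPrincipalName.Trim()
        $method = $row.Method.Trim()
        $result = [pscustomobject]@{
            UserPrincipalName = $upn; Requested = $method
            Before = $null; After = $null; Status = $null; Error = $null
        }

        try {
            # -UserId accepts a UPN directly, so no Get-MgUser lookup is needed
            $before = Get-MgBetaUserAuthenticationSignInPreference -UserId $upn -ErrorAction Stop
            $result.Before = $before.UserPreferredMethodForSecondaryAuthentication

            if ($result.Before -eq $method) {
                $result.After  = $result.Before
                $result.Status = 'AlreadySet'
            }
            elseif ($PSCmdlet.ShouldProcess($upn, "Set default MFA method to $method")) {
                Update-MgBetaUserAuthenticationSignInPreference -UserId $upn `
                    -UserPreferredMethodForSecondaryAuthentication $method -ErrorAction Stop
                # Read back: the update cmdlet is silent on success
                $after = Get-MgBetaUserAuthenticationSignInPreference -UserId $upn -ErrorAction Stop
                $result.After  = $after.UserPreferredMethodForSecondaryAuthentication
                $result.Status = if ($result.After -eq $method) { 'Updated' } else { 'NotApplied' }
            }
            else {
                $result.Status = 'SkippedWhatIf'
            }
        }
        catch {
            # Keep the real Graph message; "method not registered" is only one possible cause
            $result.Status = 'Failed'
            $result.Error  = $_.Exception.Message
        }
        $result
    }

    if ($ReportPath) { $results | Export-Csv -Path $ReportPath -NoTypeInformation }
    $results
}

# Constructed sample input (replace with your own file)
@'
UserPrincipalName,Method
alice@contoso.com,push
bob@contoso.com,oath
carol@contoso.com,sms
'@ | Set-Content -Path .\mfa-defaults.csv

# Dry run first, then the real run with a report
Set-DefaultMfaMethodFromCsv -Path .\mfa-defaults.csv -WhatIf
Set-DefaultMfaMethodFromCsv -Path .\mfa-defaults.csv -ReportPath .\mfa-defaults-report.csv | Format-Table
```

Run it with -WhatIf once to see which users would be touched before making any change, and keep the report: the Before column is what you need to roll a user back if the help desk starts getting calls.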
