I'm trying to figure out if there's a way in M365 Admin or Entra to make every user in the tenant re-register their authenticator app or phone number for multifactor authentication (MFA). The previous IT team had MFA enabled but then disabled it for some reason. Now that we've re-enabled it, most users are receiving login requests to outdated phone numbers or apps, which is creating a real mess since there are hundreds of users affected. I really need a bulk option for resetting MFA for all users, but every time I look for solutions online, I'm just getting directed to conditional access settings, which isn't applicable to my situation.
5 Answers
Try getting all users in Entra, excluding your admin account and any management accounts, and then clear all MFA settings. Just be prepared for some users to reach out for help since not everyone understands MFA well.
If you're not familiar with PowerShell, it's definitely worth learning. You can use the following commands to reset MFA for users:
- Remove-MgUserAuthenticationPhoneMethod
- Remove-MgUserAuthenticationSoftwareOathMethod
- Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod
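The cmdlets listed in the answer above, combined into a tenant-wide reset with a dry run first. This is an added example, not part of the original thread. The function name `Reset-TenantMfaMethod`, the excluded UPN and the retry loop are assumptions; it needs the Microsoft Graph PowerShell SDK and an account permitted to manage authentication methods.

```powershell
# Added example, not from the original thread.
# Assumption: -ExcludeUpn lists break-glass/admin accounts that must keep their methods.
function Reset-TenantMfaMethod {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ExcludeUpn = @())

    $removed = 0
    foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
        if ($ExcludeUpn -contains $user.UserPrincipalName) { continue }
        $uid = $user.Id

        # Collect every phone, Authenticator app and software OATH registration.
        $pending = @(
            Get-MgUserAuthenticationPhoneMethod -UserId $uid | ForEach-Object { @{ Kind = 'Phone'; Id = $_.Id } }
            Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $uid | ForEach-Object { @{ Kind = 'App'; Id = $_.Id } }
            Get-MgUserAuthenticationSoftwareOathMethod -UserId $uid | ForEach-Object { @{ Kind = 'Oath'; Id = $_.Id } }
        )

        # Graph can refuse to delete the default method while others remain,
        # so retry the failures until a pass removes nothing more.
        do {
            $failed = @()
            foreach ($m in $pending) {
                if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove $($m.Kind) method $($m.Id)")) { continue }
                try {
                    switch ($m.Kind) {
                        'Phone' { Remove-MgUserAuthenticationPhoneMethod -UserId $uid -PhoneAuthenticationMethodId $m.Id -ErrorAction Stop }
                        'App'   { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $uid -MicrosoftAuthenticatorAuthenticationMethodId $m.Id -ErrorAction Stop }
                        'Oath'  { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $uid -SoftwareOathAuthenticationMethodId $m.Id -ErrorAction Stop }
                    }
                    $removed++
                } catch { $failed += $m }
            }
            $progress = $failed.Count -lt $pending.Count
            $pending = $failed
        } while ($pending.Count -gt 0 -and $progress)

        foreach ($m in $pending) {
            Write-Warning "$($user.UserPrincipalName): could not remove $($m.Kind) method $($m.Id)"
        }
    }
    $removed   # number of registrations actually deleted
}

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.ReadWrite.All'
# Dry run: lists what would be removed and deletes nothing. The UPN is a constructed placeholder.
Reset-TenantMfaMethod -ExcludeUpn 'breakglass@contoso.example' -WhatIf
```

Drop `-WhatIf` only after the dry-run output matches the accounts you expect; users whose methods are removed are prompted to register again at their next MFA-protected sign-in.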
You should check in Entra under Multifactor authentication. Just select all users with the top checkbox, then go to User MFA settings and choose 'Require selected users to provide contact methods again.' That should help.
I saw that option too, but I'm still getting reports from users about issues. I thought that was the fix based on what it says, though.
You could also think about a script that fetches all users and resets them, but make sure you’re using the right commands related to Entra, not AD. It's a bit tricky. Just make sure to adapt this to the context of your environment!
Those commands look like they might be for AD, while you probably want Entra commands. Make sure you’re checking the right documentation or resources!

Love it. PowerShell is where it's at, thank you!