
How to change Microsoft 365 users default MFA method

A Microsoft 365 user should use the Microsoft Authenticator app for Two-factor authentication (2FA) because it protects against password-based attacks. In Microsoft Entra ID, you can update the default Multi-Factor Authentication (MFA) method for a single user. But what if you want to set the default MFA for all the users at once? In this article, you will learn how to change the default MFA method for all users with PowerShell.

Microsoft 365 multifactor authentication

A user can sign in to their Microsoft account with only a username and password. A password on its own is a weak control, so it should be backed by a stronger authentication factor. Microsoft multifactor authentication adds this extra layer of security on top of the password when a user signs in.

Once you enable different authentication methods for your organization, each user can choose their own preferred MFA method. The user must provide extra verification, like approving a push notification, entering a code from a software or hardware token, or responding to a text message or phone call.

If the organization decides to use a default authentication method for all the users, you can change it in two ways:

  • Microsoft Entra ID (single user)
  • Microsoft Graph PowerShell (single and all users)

Change default authentication method in Microsoft Entra

To change the default sign-in method for a single user in Microsoft Entra ID, follow these steps:

  1. Sign in to the Microsoft Entra admin center
  2. Expand Identity > Users > All users
  3. Click on a user
     [Screenshot: Change default MFA method for single user in Microsoft Entra ID.]
  4. Click Authentication methods
     [Screenshot: Change default authentication methods for single user in Microsoft Entra ID.]
  5. Click on the arrow in the alert sign > Click here to use it now
     [Screenshot: Switch to the new user authentication experience.]
  6. Check that the pencil icon for the Default sign-in method is not greyed out

Note: If the Default sign-in method (Preview) is greyed out, the user has no default MFA or only one sign-in method. Therefore, the user needs to add another authentication method first.

     [Screenshot: Change default MFA method for all users greyed out in Microsoft Entra ID.]
  7. Click on the pencil icon next to Default sign-in method (Preview)
     [Screenshot: Change default sign-in method for single user in Microsoft Entra ID.]
  8. Select a default sign-in method (Microsoft Authenticator notification)
  9. Click Save

Note: Changing the default MFA method for a user will not delete the other authentication methods. If a user has multiple authentication methods, the other methods become secondary to the default method.

     [Screenshot: Select default sign-in method for a single user in Microsoft Entra ID.]

You successfully changed the default MFA for a single Microsoft 365 user in Microsoft Entra ID.

If you get an error notification after clicking the Save button, check the Authentication methods policy in Microsoft Entra ID and verify that the method is enabled there. See the first section in the article Migrate legacy MFA and SSPR to Authentication methods policy.

Unable to save default sign-in method: Unable to save Voice call (primary mobile) as the default sign-in method. – Authentication method policy is not enabled for this user. UserPreferredMethodForSecondaryAuthentication cannot be updated.

[Screenshot: Unable to change default MFA method for all users.]

If you need to change the authentication method for multiple Microsoft 365 users, use PowerShell as described in the next section to speed up the process.

Change default MFA method with PowerShell

Let’s say that an organization decides to use a different default sign-in method for all Microsoft 365 users. Doing this one user at a time in the admin center does not scale, so a PowerShell script is much easier and faster.

Multi-Factor Authentication (MFA) methods

The table below shows which authentication methods you can set for the users. You must specify the default method and use the correct MFA abbreviation (the value of userPreferredMethodForSecondaryAuthentication) in the PowerShell scripts in the next steps.

  Authentication method                                              Default MFA abbreviation
  Microsoft Authenticator notification on app                        push
  OATH TOTP (6-digit) one-time code on a third-party software app    oath
  SMS (6-digit) code as a text message on primary mobile             sms
  Voice call on the alternate mobile phone                           VoiceAlternateMobile
  Voice call on primary mobile                                       VoiceMobile
  Voice call on the office phone                                     VoiceOffice

Connect to Microsoft Graph PowerShell

Before you start, you must install the Microsoft Graph PowerShell module, including the Microsoft Graph Beta module.

Run the below commands to install the Microsoft Graph modules.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

You also need to connect to MS Graph with the below scopes.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

Change default MFA method for single user

To change the default MFA method for a single Microsoft 365 user, use the below PowerShell script:

  1. Type the UserPrincipalName of the user in line 5
  2. Specify the preferred MFA method in line 8
  3. Run the below PowerShell script
# Connect to Microsoft Graph using the specified authentication scopes
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

# Specify the user for whom you want to update the preferred method
$UserUPN = "Amanda.Hansen@m365info.com"

# Set the desired value for the preferred method (see the abbreviations table)
$PreferredMethod = "push"

# Get the user from Microsoft Graph
$User = Get-MgUser -UserId $UserUPN

# Create the request body; Invoke-MgGraphRequest serializes the hashtable to JSON
$body = @{
    userPreferredMethodForSecondaryAuthentication = $PreferredMethod
}

# Construct the API endpoint URL for the user's authentication sign-in preferences
$uri = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication/signInPreferences"

# Send a GET request to the API endpoint to check the user's current preferred method
$Check = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject

# Check if the user already has the preferred method set
if ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod) {
    Write-Host "Default MFA method $PreferredMethod already set for $($User.UserPrincipalName)" -ForegroundColor Cyan
}
else {
    try {
        # Send a PATCH request to update the user's preferred method
        Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ErrorAction Stop
        Write-Host "Default MFA method $PreferredMethod updated successfully for $($User.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        # The PATCH failed; the usual cause is that the user has not registered this method
        Write-Host "Default MFA method $PreferredMethod is not registered by $($User.UserPrincipalName)" -ForegroundColor Yellow
    }
}

The PowerShell output result shows one of these three different outcomes:

Default MFA method push already set for Amanda.Hansen@m365info.com
Default MFA method push updated successfully for Amanda.Hansen@m365info.com
Default MFA method push is not registered by Amanda.Hansen@m365info.com

If the MFA method is not registered, it means that the user needs to add the authentication method first.

Change default MFA method for all users

To update the authentication method for all the users in an organization, we need to use a PowerShell script.

In our example, we want to set Microsoft Authenticator as the default method for all users because it’s more secure than receiving an SMS or a phone call.

Run the PowerShell script below to change the default MFA method for all users:

  1. Specify the preferred MFA method in line 5
  2. Specify the path for the CSV file on line 6
# Connect to Microsoft Graph using the specified authentication scopes
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

# Set the desired value for the preferred method and the CSV file path
$PreferredMethod = "push"
$CsvPath = "C:\temp\MFAMethodReport.csv"

# Get all users from Microsoft Graph
$AllUsers = Get-MgUser -All

# Create the request body; Invoke-MgGraphRequest serializes the hashtable to JSON
$body = @{
    userPreferredMethodForSecondaryAuthentication = $PreferredMethod
}

# Create an empty array to store the results
$results = @()

# Loop through each user
foreach ($User in $AllUsers) {
    # Construct the API endpoint URL for the user's authentication sign-in preferences
    $uri = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication/signInPreferences"

    # Send a GET request to the API endpoint to check the user's current preferred method
    $Check = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject

    # Check if the user already has the preferred method set
    if ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod) {
        # Skip the user and add the result to the array
        Write-Host "Default MFA method $PreferredMethod already set for $($User.UserPrincipalName)" -ForegroundColor Cyan
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Already set"
        }
        $results += $result
        continue
    }

    try {
        # Send a PATCH request to update the user's preferred method
        Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ErrorAction Stop
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Updated"
        }
        $results += $result
        Write-Host "Default MFA method $PreferredMethod updated successfully for $($User.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        # The PATCH failed; the usual cause is that the user has not registered this method
        Write-Host "Default MFA method $PreferredMethod is not registered by $($User.UserPrincipalName)" -ForegroundColor Yellow
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Method not registered"
        }
        $results += $result
    }
}

# Export the results to a CSV file
$results | Export-Csv -Path $CsvPath -Encoding utf8 -NoTypeInformation
Write-Host "Results saved to $($CsvPath)" -ForegroundColor Cyan

At the end, you will get a CSV file report that shows the status for all users where the default method is:

  • Already set
  • Updated
  • Not registered

The CSV file shows for which users the MFA method update failed. If the status is Method not registered, the user has not yet added the method (Microsoft Authenticator) you specified as the default. The next step is to email these users so they can register the authentication method. After a couple of days, you can run the script again.
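The bulk script only discovers missing registrations when the PATCH fails, so users learn about the change after the fact. The following read-only pre-flight report, an added example that is not part of the original article, predicts the same three outcomes (Already set, Updated, Method not registered) before anything is changed, so you can contact users who still need to register the method first. It assumes Connect-MgGraph has already been run with the scopes shown earlier; the function name Test-MfaMethodRegistered, the $RequiredMethod mapping and the CSV path are chosen for this example.

```powershell
# Which registered authentication method each default value depends on. The @odata.type and
# phoneType values are the Graph authenticationMethod types returned by Get-MgUserAuthenticationMethod.
$RequiredMethod = @{
    push                 = @{ Type = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' }
    oath                 = @{ Type = '#microsoft.graph.softwareOathAuthenticationMethod' }
    sms                  = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'mobile' }
    voiceMobile          = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'mobile' }
    voiceAlternateMobile = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'alternateMobile' }
    voiceOffice          = @{ Type = '#microsoft.graph.phoneAuthenticationMethod'; PhoneType = 'office' }
}

# Example helper (not from the article): does the user have the method the default depends on?
function Test-MfaMethodRegistered {
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][string]$PreferredMethod)
    $need = $RequiredMethod[$PreferredMethod]   # hashtable keys are matched case-insensitively
    if (-not $need) { throw "Unknown preferred method '$PreferredMethod'" }
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        # The concrete method type and its properties are exposed through AdditionalProperties
        if ($m.AdditionalProperties['@odata.type'] -ne $need.Type) { continue }
        if (-not $need.PhoneType -or $m.AdditionalProperties['phoneType'] -eq $need.PhoneType) { return $true }
    }
    return $false
}

$PreferredMethod = 'push'
$PreflightCsv    = 'C:\temp\MFAMethodPreflight.csv'   # constructed path for this example

$preflight = foreach ($User in Get-MgUser -All -Property Id, DisplayName, UserPrincipalName) {
    # Current default, read from the same beta endpoint the bulk script patches
    $uri = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication/signInPreferences"
    $current = (Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject).userPreferredMethodForSecondaryAuthentication
    $registered = Test-MfaMethodRegistered -UserId $User.Id -PreferredMethod $PreferredMethod

    # Same three outcomes the bulk script reports, predicted without changing anything
    if ($current -eq $PreferredMethod) { $expected = 'Already set' }
    elseif ($registered)               { $expected = 'Updated' }
    else                               { $expected = 'Method not registered' }

    [PSCustomObject]@{
        DisplayName       = $User.DisplayName
        UserPrincipalName = $User.UserPrincipalName
        CurrentDefault    = $current
        Registered        = $registered
        Expected          = $expected
    }
}

$preflight | Export-Csv -Path $PreflightCsv -Encoding utf8 -NoTypeInformation
# Users to contact before the bulk run: those who still need to register the method
$preflight | Where-Object Expected -eq 'Method not registered' | Select-Object UserPrincipalName
```

Because the report makes no changes, it can be run with User.Read.All and UserAuthenticationMethod.Read.All only; the ReadWrite scope is needed just for the bulk PATCH.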

Go to C:\temp and open the MFAMethodReport.csv file with Microsoft Excel.

[Screenshot: Change default MFA method for all users CSV file report.]

That’s it.

Read more: How to improve Microsoft Entra MFA security »

Conclusion

You learned how to change the default MFA method for all users. In the Microsoft Entra admin center, you can only update the default sign-in method for a single user. It’s much faster to use PowerShell and change the default authentication method for all users at once. When you update the MFA method for all users, the script exports the status to a CSV file report that shows for which users the method was already set, was updated, or is not registered.

Did you enjoy this article? You may also Configure Conditional Access policy in Microsoft Entra. Don’t forget to follow us and share this article.

o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
