How to change Microsoft 365 users default MFA method
A Microsoft 365 user should use the Microsoft Authenticator app for Two-factor authentication (2FA) because it protects against password-based attacks. In Microsoft Entra ID, you can update the default Multi-Factor Authentication (MFA) method for a single user. But what if you want to set the default MFA for all the users at once? In this article, you will learn how to change the default MFA method for all users with PowerShell.
Microsoft 365 multifactor authentication
A user can sign into their Microsoft account using their username and password. However, passwords should have an extra layer of protection with more secure authentication methods. The Microsoft multifactor authentication adds extra security over only using a password when a user signs in.
Once you enable different authentication methods for your organization, each user can choose their own preferred MFA method. The user must provide extra verification, like approving a push notification, entering a code from a software or hardware token, or responding to a text message or phone call.
If the organization decides to use a default authentication method for all the users, you can change it in two ways:
- Microsoft Entra ID (single user)
- Microsoft Graph PowerShell (single and all users)
Change default authentication method in Microsoft Entra
To change the default sign-in method for a single user in Microsoft Entra ID, follow these steps:
- Sign into Microsoft Entra admin center
- Expand Identity > Users > All users
- Click on a user
- Click Authentication methods
- Click on the arrow in the alert sign > Click here to use it now
- Check if the pencil icon for the Default sign-in method is not greyed out
Note: If the Default sign-in method (Preview) is greyed out, the user has no default MFA or only one sign-in method. Therefore, the user needs to add another Authentication method.
- Click on the pencil icon next to your Default sign-in method (Preview)
- Select a default sign-in method (Microsoft Authenticator notification)
- Click Save
Note: Changing the default MFA method for a user does not delete the other authentication methods. If a user has multiple authentication methods, the other methods become secondary to the default method.
You successfully changed the default MFA for a single Microsoft 365 user in Microsoft Entra ID.
If you get an error notification after clicking the Save button, check the authentication methods policies and see if it’s enabled in Microsoft Entra ID. See the first section in the article Migrate legacy MFA and SSPR to Authentication methods policy.
Unable to save default sign-in method: Unable to save Voice call (primary mobile) as the default sign-in method. – Authentication method policy is not enabled for this user. UserPreferredMethodForSecondaryAuthentication cannot be updated.
If you need to change the Authentication methods for multiple Microsoft 365 users to speed up the process, use PowerShell in the next step.
Change default MFA method with PowerShell
Let’s say that an organization decides to use a different default sign-in method for all Microsoft 365 users. Therefore, it’s much easier and faster to use a PowerShell script.
Multi-Factor Authentication (MFA) methods
The table below shows which authentication methods you can set for the users. You must specify the default method and use the correct MFA abbreviation in the PowerShell scripts in the next steps.
Authentication methods | Default MFA abbreviations
---|---
Microsoft Authenticator notification on app | push
OATH TOTP (6-digit) one-time code on a third-party software app | oath
SMS (6-digit) code as a text message on primary mobile | sms
Voice call on alternate mobile | VoiceAlternateMobile
Voice call on primary mobile | VoiceMobile
Voice call on the office phone | VoiceOffice
Connect to Microsoft Graph PowerShell
Before you start, you must install the Microsoft Graph PowerShell module, including the Microsoft Graph Beta module.
Run the below commands to install the Microsoft Graph modules.
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
You also need to connect to MS Graph with the below scopes.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"
Change default MFA method for single user
To change the default MFA method for a single Microsoft 365 user, use the below PowerShell script:
- Type the UserPrincipalName of the user in line 5
- Specify the preferred MFA method in line 8
- Run the below PowerShell script
# Connect to Microsoft Graph using the specified authentication scopes
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

# Specify the user for whom you want to update the preferred method
$UserUPN = "Amanda.Hansen@m365info.com"

# Set the desired value for the preferred method
$PreferredMethod = "push"

# Get the user from Microsoft Graph
$User = Get-MgUser -UserId $UserUPN

# Create the request body (Invoke-MgGraphRequest serializes the hashtable to JSON)
$body = @{
    userPreferredMethodForSecondaryAuthentication = $PreferredMethod
}

# Construct the API endpoint URL for the user's authentication sign-in preferences
$uri = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication/signInPreferences"

# Send a GET request to the API endpoint to check the user's preferred method
$Check = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject

# Check if the user already has the preferred method set
if ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod) {
    Write-Host "Default MFA method $PreferredMethod already set for $($User.UserPrincipalName)" -ForegroundColor Cyan
}
else {
    try {
        # Send a PATCH request to update the user's preferred method
        Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ErrorAction Stop
        Write-Host "Default MFA method $PreferredMethod updated successfully for $($User.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        # The PATCH is rejected when the method is not registered for the user
        Write-Host "Default MFA method $PreferredMethod is not registered by $($User.UserPrincipalName)" -ForegroundColor Yellow
    }
}
The PowerShell output result shows one of these three different outcomes:
Default MFA method push already set for Amanda.Hansen@m365info.com
Default MFA method push updated successfully for Amanda.Hansen@m365info.com
Default MFA method push is not registered by Amanda.Hansen@m365info.com
If the MFA method is not registered, the user needs to add that authentication method first.
Change default MFA method for all users
To update the authentication method for all the users in an organization, we need to use a PowerShell script.
In our example, we want to set Microsoft Authenticator as the default method for all users because it’s more secure than sending an SMS or getting a Phone call.
Run the PowerShell script below to change the default MFA method for all users:
- Specify the preferred MFA method in line 5
- Specify the path for the CSV file on line 6
# Connect to Microsoft Graph using the specified authentication scopes
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

# Set the desired value for the preferred method and the CSV file path
$PreferredMethod = "push"
$CsvPath = "C:\temp\MFAMethodReport.csv"

# Get all users from Microsoft Graph
$AllUsers = Get-MgUser -All

# Create the request body (Invoke-MgGraphRequest serializes the hashtable to JSON)
$body = @{
    userPreferredMethodForSecondaryAuthentication = $PreferredMethod
}

# Create an empty array to store the results
$results = @()

# Loop through each user
foreach ($User in $AllUsers) {
    # Construct the API endpoint URL for the user's authentication sign-in preferences
    $uri = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication/signInPreferences"

    # Send a GET request to the API endpoint to check the user's preferred method
    $Check = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject

    # Check if the user already has the preferred method set
    if ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod) {
        # Skip the user and add the result to the array
        Write-Host "Default MFA method $PreferredMethod already set for $($User.UserPrincipalName)" -ForegroundColor Cyan
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Already set"
        }
        $results += $result
        continue
    }

    try {
        # Send a PATCH request to update the user's preferred method
        Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ErrorAction Stop
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Updated"
        }
        $results += $result
        Write-Host "Default MFA method $PreferredMethod updated successfully for $($User.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        # The PATCH is rejected when the method is not registered for the user
        Write-Host "Default MFA method $PreferredMethod is not registered by $($User.UserPrincipalName)" -ForegroundColor Yellow
        $result = [PSCustomObject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            Status            = "Method not registered"
        }
        $results += $result
    }
}

# Export the results to a CSV file
$results | Export-Csv -Path $CsvPath -Encoding utf8 -NoTypeInformation
Write-Host "Results saved to $($CsvPath)" -ForegroundColor Cyan
At the end, you will get a CSV file report that shows the status for all users where the default method is:
- Already set
- Updated
- Not registered
The CSV file shows for which users the MFA method update failed. If a result shows not registered, the user has not yet added the method (Microsoft Authenticator) you specified. The next step is to email these users so they can add the authentication method. After a couple of days, you can run the script again.
Go to C:\temp and open the MFAMethodReport.csv file with Microsoft Excel.
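Before patching every account, it helps to know in advance how many users will land in the "not registered" bucket. The following added example (not part of the original article) reuses the same beta endpoints in report-only mode: it validates the abbreviation against the table above, reads each user's current default, and checks whether the target method is actually registered by querying the user's authentication methods, without sending any PATCH. It assumes Connect-MgGraph was already run with the scopes from the previous section; the mapping from abbreviation to Graph method type is my own assumption.

```powershell
# Added example (not from the article): report-only pre-check, no PATCH is sent.
# Assumes Connect-MgGraph already ran with User.Read.All and UserAuthenticationMethod.ReadWrite.All.
$PreferredMethod = "push"
$CsvPath = "C:\temp\MFAMethodPreCheck.csv"

# Abbreviations from the table above, mapped to the registered method type Graph
# reports and, for phone methods, the phoneType. This mapping is an assumption.
$MethodMap = @{
    push                 = @{ Type = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" }
    oath                 = @{ Type = "#microsoft.graph.softwareOathAuthenticationMethod" }
    sms                  = @{ Type = "#microsoft.graph.phoneAuthenticationMethod"; Phone = "mobile" }
    voiceMobile          = @{ Type = "#microsoft.graph.phoneAuthenticationMethod"; Phone = "mobile" }
    voiceAlternateMobile = @{ Type = "#microsoft.graph.phoneAuthenticationMethod"; Phone = "alternateMobile" }
    voiceOffice          = @{ Type = "#microsoft.graph.phoneAuthenticationMethod"; Phone = "office" }
}
# Hashtable keys are case-insensitive, so "VoiceMobile" from the table also matches
if (-not $MethodMap.ContainsKey($PreferredMethod)) {
    throw "Unknown method '$PreferredMethod'. Use one of: $($MethodMap.Keys -join ', ')"
}
$Wanted = $MethodMap[$PreferredMethod]

$results = foreach ($User in Get-MgUser -All -Property Id, DisplayName, UserPrincipalName) {
    $base = "https://graph.microsoft.com/beta/users/$($User.Id)/authentication"
    # Current default (same endpoint the update scripts PATCH)
    $current = (Invoke-MgGraphRequest -Uri "$base/signInPreferences" -Method GET -OutputType PSObject).userPreferredMethodForSecondaryAuthentication
    # Everything the user has registered; each entry carries an @odata.type
    $registered = (Invoke-MgGraphRequest -Uri "$base/methods" -Method GET -OutputType PSObject).value
    $hasMethod = $registered | Where-Object {
        $_.'@odata.type' -eq $Wanted.Type -and
        (-not $Wanted.Phone -or $_.phoneType -eq $Wanted.Phone)
    }
    # -eq is case-insensitive, so Graph's "voiceMobile" matches the table's "VoiceMobile"
    if ($current -eq $PreferredMethod) { $status = "Already set" }
    elseif ($hasMethod) { $status = "Would update" }
    else { $status = "Method not registered" }

    [PSCustomObject]@{
        DisplayName       = $User.DisplayName
        UserPrincipalName = $User.UserPrincipalName
        CurrentDefault    = $current
        Registered        = ($registered.'@odata.type' -replace '^#microsoft\.graph\.', '') -join ';'
        Status            = $status
    }
}

$results | Export-Csv -Path $CsvPath -Encoding utf8 -NoTypeInformation
# Quick summary: how many users fall into each bucket before anything is changed
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

The "Would update" rows are the ones the all-users script would actually change; the "Method not registered" rows are the users to contact before running it.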
That’s it.
Read more: How to improve Microsoft Entra MFA security »
Conclusion
You learned how to change the default MFA method for all users. In the Microsoft Entra admin center, you can only update the default sign-in method for a single user. It's much faster to use PowerShell and change the default authentication method for all users at once. When you update the MFA method for all users, the script exports the default authentication method status to a CSV file report, which shows for which users the MFA method was already set, updated, or not registered.
Did you enjoy this article? You may also Configure Conditional Access policy in Microsoft Entra. Don’t forget to follow us and share this article.