Today I want to show you how to easily reset Azure AD MFA settings.
In a big organization it is a very frequent situation that users want to change their authentication method or phone number.
To make life easier I have prepared a script which resets the Multi-Factor Authentication settings for a specific UserPrincipalName.
The function takes two input parameters:
– Credentials – a PSCredential object (e.g. obtained from the Get-Credential cmdlet)
– UserPrincipalName – the UPN of the AAD user whose MFA settings should be reset
Example of usage:
$cred = Get-Credential
Reset-MFASettings -Credentials $cred -UserPrincipalName name.surname@domain
Ensure that you have the PowerShell modules below installed:
– MSOnline
– AzureAD
The account in $Credentials needs a role that is allowed to reset authentication methods (for example Authentication Administrator or Global Administrator). The same credential is also used to authenticate to smtp.office365.com when the notification mail is sent, so SMTP AUTH must be enabled for that mailbox; a dedicated service-desk mailbox is a better choice than a personal admin account.
First the function connects to Azure AD and checks whether the provided UserPrincipalName exists.
If the UPN is found, it checks which directory roles are assigned to the user. This check is necessary because the script must not reset MFA for an account that holds a role: resetting an administrator's MFA is a sensitive operation (whoever can trigger it is only a password away from that account), so such requests should go through a separate, more strictly controlled process. Remember also that an MFA reset is a favourite target of help-desk social engineering, so verify the identity of the person asking for it through an independent channel before running the function.
If there is no role, the script clears StrongAuthenticationMethods, which removes every registered MFA method. The per-user MFA requirement itself is left in place, so the user is asked to register a method again at the next sign-in.
After that the function sends an email to the user and their manager informing them that Multi-Factor Authentication has been reset. This notification is worth keeping: it gives the user and the manager a chance to notice a reset that nobody asked for.
Once the reset of the Azure AD MFA settings is complete, at the next logon the user will see a screen like the one in the picture below, asking them to register their authentication method again.
Script:
function Reset-MFASettings {
    Param(
        [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
        [Parameter(Mandatory = $true)] [PSCredential] $Credentials
    )

    # Connect with the MSOnline module and look the user up; a missing user yields $null.
    Connect-MsolService -Credential $Credentials
    $MSOLUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue

    if ($MSOLUser -ne $null) {
        $FirstName = $MSOLUser.FirstName

        # Refuse to reset MFA for any account that holds a directory role.
        $RoleAssigned = Get-MsolUserRole -UserPrincipalName $UserPrincipalName
        if ($RoleAssigned -eq $null) {
            Try {
                # The AzureAD module is only needed to find the user's manager for the Cc.
                $AzureConnect = Connect-AzureAD -Credential $Credentials
                $UserManagerMail = (Get-AzureADUserManager -ObjectId $UserPrincipalName).Mail
            }
            Catch {
                $ExcMessage = $_.Exception.Message
                throw "Error: Can not connect to Azure AD! Exception: $ExcMessage"
            }
            Try {
                # Clearing StrongAuthenticationMethods removes every registered method;
                # the user is prompted to register again at the next sign-in.
                Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
                Write-Output "MFA settings have been removed for account $UserPrincipalName"
            }
            Catch {
                $ExcMessage = $_.Exception.Message
                throw "Error: Can not remove MFA settings! Exception: $ExcMessage"
            }
            Try {
                $Body = "Dear $FirstName,<br><br>Please be informed that the MFA settings for your account $UserPrincipalName have been removed."
                $Subject = "MFA settings reset for $UserPrincipalName"
                $MailParams = @{
                    To         = $UserPrincipalName
                    Subject    = $Subject
                    Body       = $Body
                    BodyAsHtml = $true
                    UseSsl     = $true
                    Port       = 587
                    SmtpServer = 'smtp.office365.com'
                    From       = $Credentials.UserName
                    Credential = $Credentials
                }
                # Add the Cc only when the user actually has a manager with a mail address.
                if ($UserManagerMail) { $MailParams.Cc = $UserManagerMail }
                Send-MailMessage @MailParams
                Write-Output "Mail has been sent!"
            }
            Catch {
                $ExcMessage = $_.Exception.Message
                throw "Error: Can not send email! Exception: $ExcMessage"
            }
        }
        else {
            Write-Output "Account $UserPrincipalName has a special role assigned and MFA settings can not be removed."
        }
    }
    else {
        Write-Output "User with UPN $UserPrincipalName does not exist!"
    }
}
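The same flow, written against the Microsoft Graph PowerShell SDK, which replaces the MSOnline and AzureAD modules used above (both are deprecated). This is an added example and not code from the original post: the function name, parameter names and notification wording are my own, and the cmdlet and permission names are those of the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules as I know them. Graph has no single "clear all methods" call, so each registered method is removed with its own Remove-* cmdlet, and the role guard uses transitive membership so that roles granted through role-assignable groups are caught as well.

```powershell
# Added example (not from the original post). Connect first, either interactively:
#   Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All','Directory.Read.All','Mail.Send'
# or as a service principal, with the same permissions granted as application permissions:
#   Connect-MgGraph -ClientId <appId> -TenantId <tenantId> -CertificateThumbprint <thumbprint>

function Reset-MgMfaMethods {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
        # Mailbox the notification is sent from (hypothetical name; any mailbox the caller may send as).
        [Parameter(Mandatory = $true)] [string] $NotificationSender
    )

    # Resolve the user first so a typo in the UPN fails here, not half-way through.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,GivenName,UserPrincipalName -ErrorAction Stop

    # Same guard as the MSOnline script: never reset MFA for an account holding a directory role.
    $roles = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    if ($roles) {
        $names = ($roles | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
        throw "Refusing to reset MFA for $UserPrincipalName, account holds directory role(s): $names"
    }

    # One Remove-* cmdlet per method type. The password method cannot be removed and is skipped.
    $remover = @{
        '#microsoft.graph.phoneAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id }
        '#microsoft.graph.softwareOathAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id }
        '#microsoft.graph.fido2AuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id }
        '#microsoft.graph.emailAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id }
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $u -WindowsHelloForBusinessAuthenticationMethodId $id }
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod' = { param($u, $id)
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $u -TemporaryAccessPassAuthenticationMethodId $id }
    }

    $removed = @()
    foreach ($method in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        $type = $method.AdditionalProperties['@odata.type']
        if (-not $remover.ContainsKey($type)) { continue }
        # -WhatIf lists what would be removed without touching the account.
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "remove $type ($($method.Id))")) {
            & $remover[$type] $user.Id $method.Id
            $removed += $type
        }
    }
    if ($removed.Count -eq 0) {
        Write-Output "No removable MFA methods were registered for $UserPrincipalName"
        return
    }

    # Notify the user and, when one exists, the manager so an unrequested reset gets noticed.
    $manager = Get-MgUserManager -UserId $user.Id -ErrorAction SilentlyContinue
    $cc = @()
    if ($manager -and $manager.AdditionalProperties['mail']) {
        $cc = @(@{ emailAddress = @{ address = $manager.AdditionalProperties['mail'] } })
    }
    $message = @{
        subject      = "MFA settings reset for $($user.UserPrincipalName)"
        body         = @{
            contentType = 'HTML'
            content     = "Dear $($user.GivenName),<br><br>The MFA settings for your account $($user.UserPrincipalName) have been reset. If you did not request this, contact the service desk immediately."
        }
        toRecipients = @(@{ emailAddress = @{ address = $user.UserPrincipalName } })
        ccRecipients = $cc
    }
    Send-MgUserMail -UserId $NotificationSender -BodyParameter @{ message = $message }
    Write-Output "Removed $($removed.Count) MFA method(s) for $($user.UserPrincipalName): $($removed -join ', ')"
}

# Usage (example values): dry run first, then the real reset.
# Reset-MgMfaMethods -UserPrincipalName 'name.surname@domain' -NotificationSender 'servicedesk@domain' -WhatIf
# Reset-MgMfaMethods -UserPrincipalName 'name.surname@domain' -NotificationSender 'servicedesk@domain'
```

Because Graph supports application permissions, this version can run unattended under a service principal; the MSOnline cmdlets used in the original script only work with a signed-in user. Whichever version you use, the Graph audit log (and the notification mail) is the record that lets an unrequested reset be spotted.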
I hope it will be useful for some of you 🙂
Enjoy!
Thank you! Thank you! Thank you!
I have been looking everywhere for how to do this and I finally found this!!
Is there any option to reset MFA using a service principal in PowerShell?