microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Graph API equivalent of "Require re-register multifactor authentication" and "Revoke multifactor authentication sessions" #2451

Open luckman212 opened 7 months ago

luckman212 commented 7 months ago

I'm looking for a programmatic way (using Graph API SDK) to trigger the same function as Require re-register multifactor authentication and Revoke multifactor authentication sessions from the Entra ID portal.

In the event of a breach, it is important to be able to respond rapidly to lock the affected user account, so we wish to be able to automate this.

Is there an API equivalent that achieves the same result as manually clicking these 2 buttons?


SeniorConsulting commented 7 months ago

Hi luckman212,

For the first part of your question (require re-register MFA), the Graph API doesn't support it because things are done a little differently in Graph https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-1.0#what-authentication-methods-can-be-managed-in-microsoft-graph

The following authentication methods are not yet supported in Microsoft Graph v1.0:

Require re-register MFA: Represents a configuration that requires that when a user signs in next time, they're requested to set up a new MFA authentication method. NOTE: This feature is replaced by the individual authentication method APIs listed above. These can be used to delete a user's existing registered authentication methods; once the user has no more methods, they'll be prompted to register the next time they sign in where strong authentication is required (the user can also register at any time using MySecurityInfo). This can be done using the Microsoft Entra admin center, Microsoft Graph APIs, and the Microsoft Graph PowerShell SDK. The legacy version of this feature is currently supported only through the MSOL Set-MsolUser cmdlet, using the StrongAuthenticationMethods property.

Regarding the second part (Revoke multifactor authentication sessions), I haven't seen anything specifically after perusing the Graph API documentation, so I suspect it's not supported there either. I must admit, I haven't scoured this extensively though.

luckman212 commented 7 months ago

Hmm. So is there a cmdlet that would achieve the same net effect as resetting the MFA methods? Open to any suggestions. If not, MS please consider this as a feature request!

SeniorConsulting commented 7 months ago

I'll see if I can get back to you on this one. If I run out of time, hopefully someone else can do so :)

I would imagine the result would be something like a:

# Assumes $userId is already set and Connect-MgGraph ran with a scope that allows
# deleting methods (e.g. UserAuthenticationMethod.ReadWrite.All)
$AuthMethods = Get-MgUserAuthenticationMethod -UserId $userId
ForEach ($AuthMethod in $AuthMethods){
    # Every Remove-MgUserAuthentication*Method cmdlet needs the owning user as well as the method id
    switch ($AuthMethod.AdditionalProperties."@odata.type") {
        "#microsoft.graph.emailAuthenticationMethod" {
            Remove-MgUserAuthenticationEmailMethod -UserId $userId -EmailAuthenticationMethodId $AuthMethod.Id
        }
        "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $AuthMethod.Id
        }
        "#microsoft.graph.fido2AuthenticationMethod" {
            Remove-MgUserAuthenticationFido2Method -UserId $userId -Fido2AuthenticationMethodId $AuthMethod.Id
        }
        "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
            Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $userId -WindowsHelloForBusinessAuthenticationMethodId $AuthMethod.Id
        }
        "#microsoft.graph.phoneAuthenticationMethod" {
            Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $AuthMethod.Id
        }
        "#microsoft.graph.softwareOathAuthenticationMethod" {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $userId -SoftwareOathAuthenticationMethodId $AuthMethod.Id
        }
        # passwordAuthenticationMethod has no Remove cmdlet and is left untouched
    }
}

Please note that this is just something I've quickly whipped together. I have not tested this script for functionality, or safety. Please review and conduct your own testing.

It's probably a good thing to note that this project/forum handles the Graph SDK specifically, and not really the Graph API itself, so if you would like to submit a feature request, I'd recommend you head on over to: https://developer.microsoft.com/graph/support
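As an added example (not code from the SDK project or from anyone in this thread), here is the same per-method deletion wrapped in a function suited to the incident-response use the issue describes: it supports -WhatIf, records the outcome for every method instead of stopping at the first Graph error, and reports which methods are still registered afterwards. It assumes Connect-MgGraph has already been run with UserAuthenticationMethod.ReadWrite.All and that the Microsoft.Graph.Users module is loaded; the function name Reset-UserMfaMethods is my own.

```powershell
# Added example, not from the SDK project: strip every deletable MFA method from one user so they
# must re-register at next sign-in, then report what is left. Assumes an existing Connect-MgGraph
# session with UserAuthenticationMethod.ReadWrite.All and the Microsoft.Graph.Users module.
function Reset-UserMfaMethods {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$UserId)

    # Map each method's @odata.type to the cmdlet that deletes it and that cmdlet's id parameter.
    # passwordAuthenticationMethod has no Remove cmdlet and is intentionally absent.
    $removers = @{
        '#microsoft.graph.emailAuthenticationMethod'                   = @('Remove-MgUserAuthenticationEmailMethod', 'EmailAuthenticationMethodId')
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = @('Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod', 'MicrosoftAuthenticatorAuthenticationMethodId')
        '#microsoft.graph.fido2AuthenticationMethod'                   = @('Remove-MgUserAuthenticationFido2Method', 'Fido2AuthenticationMethodId')
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = @('Remove-MgUserAuthenticationWindowsHelloForBusinessMethod', 'WindowsHelloForBusinessAuthenticationMethodId')
        '#microsoft.graph.phoneAuthenticationMethod'                   = @('Remove-MgUserAuthenticationPhoneMethod', 'PhoneAuthenticationMethodId')
        '#microsoft.graph.softwareOathAuthenticationMethod'            = @('Remove-MgUserAuthenticationSoftwareOathMethod', 'SoftwareOathAuthenticationMethodId')
    }

    $results = foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        $type = $m.AdditionalProperties.'@odata.type'
        if (-not $removers.ContainsKey($type)) {
            [pscustomobject]@{ Id = $m.Id; Type = $type; Status = 'Skipped (no Remove cmdlet)' }
            continue
        }
        $cmdlet, $idParam = $removers[$type]
        if (-not $PSCmdlet.ShouldProcess("$type $($m.Id)", "Remove from user $UserId")) { continue }
        try {
            # Splat the id under the parameter name this cmdlet expects; -ErrorAction Stop turns
            # Graph errors into catchable exceptions instead of non-terminating warnings.
            $idArg = @{ $idParam = $m.Id }
            & $cmdlet -UserId $UserId @idArg -ErrorAction Stop
            [pscustomobject]@{ Id = $m.Id; Type = $type; Status = 'Removed' }
        } catch {
            # Graph refuses some deletions, for example a phone number that is the user's default
            # MFA method; record it so the operator can handle it rather than silently skipping it.
            [pscustomobject]@{ Id = $m.Id; Type = $type; Status = "Failed: $($_.Exception.Message)" }
        }
    }

    # Anything still listed here other than the password method needs manual attention before the
    # user is actually forced to re-register.
    $remaining = Get-MgUserAuthenticationMethod -UserId $UserId |
        Where-Object { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' }
    [pscustomobject]@{ Results = $results; Remaining = $remaining }
}
```

Run it once with -WhatIf to see which methods would be deleted before running it for real; the Remaining property tells you whether the user will in fact be prompted to register at next sign-in.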

gaikovoi commented 4 months ago

The portal POSTs to a URL like this one when an admin clicks "Request re-register MFA":

https://graph.microsoft.com/beta/users/{user-object-id}/authentication/methods/resetTraditionalAuthenticationMethods

This Graph API method is 'undocumented' and has an extra layer of authorization based on the claims in the token that the Azure/Entra UI acquires. I'm unable to execute this method with 'standard' scopes like User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, Directory.ReadWrite.All, Directory.Write.Restricted, etc. None of these work in PS or Graph Explorer. The only way it works is if I extract the token from the browser and use Connect-MgGraph -AccessToken

E.g.

# Access token copied out of the portal's browser session (value elided in the original)
$token = "..."
Connect-MgGraph -AccessToken (ConvertTo-SecureString -String $token -AsPlainText -Force)
# $user is assumed to already hold the target user object (e.g. from Get-MgUser)
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/methods/resetTraditionalAuthenticationMethods"

LeonarddeR commented 3 months ago

@gaikovoi Have you tried to decrypt the contents of the JWT token to find out what additional scopes might be in there?

gaikovoi commented 3 months ago

@gaikovoi Have you tried to decrypt the contents of the JWT token to find out what additional scopes might be in there?

As I recall, there were no additional scopes in the token. I suspect the API verifies the caller app id claim and accepts only tokens issued to the Azure portal.

rstolpe commented 1 month ago

I asked Copilot about this and this is what I got in return; I don't know if it works or not as I can't try it right now

# Import the required module
Import-Module Microsoft.Graph.Authentication

# Connect to Graph using Global Admin credentials
Connect-MgGraph

# Get the user
$user = Get-MgUser -UserId user@domain.com

# Disable MFA
Set-MgUser -UserId $user.Id -StrongAuthenticationMethods @()

# Enable MFA
$method = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuthenticationMethod
$method.MethodType = "phoneAppOTP"
Set-MgUser -UserId $user.Id -StrongAuthenticationMethods $method

What Copilot AI says it does

This script first connects to Microsoft Graph using Global Admin credentials. Then it gets the user using their UserPrincipalName. After that, it disables MFA for the user and then enables it again. This will force the user to re-register for MFA the next time they sign in.