Microsoft has released new features in the Authentication Methods API: it is now possible to grant application permissions to the API, which lets us administer the authentication methods registered on our users from an application rather than from a signed-in administrator.
With this you can add, change or remove the phone number in a user's authentication methods pane in Azure AD. You can also change the default method for Multi-Factor Authentication sign-in, as well as remove the Authenticator app configuration for one user or for all users by script.
Here's how you can accomplish this:
- Log into the Azure portal as a Global Administrator.
- Navigate to the Azure AD extension and click on “App registrations” in the Manage section.
- Click the “New registration” button at the top of the page.
- Provide a name for the application, for example “Authentication Methods App Permissions”, and do not set a Redirect URI.
- Click “Register”.
- When the application is registered, copy the Application (client) ID value and save it for later.
- Click “API permissions”, then click “Add a permission”.
- Select “Microsoft Graph”, click “Application permissions” and add the following permission: UserAuthenticationMethod.ReadWrite.All
- On the API permissions page, click “Grant admin consent for…” and follow the prompts.
In this blog post a colleague of mine describes how to create the certificate and connect with it: Connect Azure Automation Runbook script with service principal for AzureAD – Microsoft 365 Tech blog (cloudtech.nu)
PowerShell support will be released in the module https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.signins
Below is an example of how you can connect and then view, edit and remove settings via PowerShell:

```powershell
Connect-AzureADUserAuthenticationMethod -TenantId customer.onmicrosoft.com -ClientID '<CLIENT ID FOR THE APP WHICH YOU WANT TO CONNECT TO>' -Thumbprint '<Thumbprint of your certificate>'
```

List the settings for a specific user:

```powershell
Get-AzureADUserAuthenticationMethod -ObjectId <ObjectId of the user>
```

Add a new phone number and configure SMS on the user:

```powershell
New-AzureADUserAuthenticationMethod -ObjectId <ObjectId of the user> -PhoneNumber +4670XXXXXXX -PhoneType mobile
```

Remove the mobile phone number configuration for a user:

```powershell
Remove-AzureADUserAuthenticationMethod -ObjectId <ObjectId of the user> -Phone -PhoneType mobile
```

Remove the Microsoft Authenticator configuration for a user:

```powershell
Remove-AzureADUserAuthenticationMethod -ObjectId <ObjectId of the user> -MicrosoftAuthenticator -MethodId 6b5db7e3-ccec-45a9-bf6c-0183f69c9253
```
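The same view/add/remove operations written against the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns), as an added example that is not part of the original post or of the module shown above. It assumes the app registration from the steps above, a certificate installed in the local certificate store, and placeholder values for tenant, client ID, thumbprint, user and phone number.

```powershell
# Added example: app-only administration of authentication methods with the Graph SDK.
# All <...> values are placeholders; the phone number is a constructed sample.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# The certificate is the only credential here, so it must live in a protected store
# (e.g. an Automation account or a restricted machine store), never in the script.
Connect-MgGraph -TenantId '<tenant>.onmicrosoft.com' `
                -ClientId '<APPLICATION (CLIENT) ID>' `
                -CertificateThumbprint '<CERTIFICATE THUMBPRINT>'

# Sanity check: confirm we are app-only and that admin consent actually granted the permission.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly' -or $ctx.Scopes -notcontains 'UserAuthenticationMethod.ReadWrite.All') {
    throw "Connected as $($ctx.AuthType) with scopes [$($ctx.Scopes -join ', ')]; consent is missing."
}

$userId = '<ObjectId or UPN of the user>'

# List every registered method; the OData type shows which kind (phone, authenticator, FIDO2, ...).
function Get-UserMethodSummary {
    param([string]$UserId)
    Get-MgUserAuthenticationMethod -UserId $UserId | ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        }
    }
}
Get-UserMethodSummary -UserId $userId | Format-Table -AutoSize

# Add a mobile number usable for SMS/voice. Graph expects "+<country code> <number>".
New-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneType 'mobile' -PhoneNumber '+46 70XXXXXXX'

# Remove the mobile phone method: look the method id up instead of hard-coding it.
$mobile = Get-MgUserAuthenticationPhoneMethod -UserId $userId | Where-Object PhoneType -eq 'mobile'
if ($mobile) {
    Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $mobile.Id -Confirm
}

# Remove every Microsoft Authenticator registration, e.g. after a lost or replaced device.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId | ForEach-Object {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId `
        -MicrosoftAuthenticatorAuthenticationMethodId $_.Id -Confirm
}

Disconnect-MgGraph
```

Because UserAuthenticationMethod.ReadWrite.All lets the app reset MFA for any user, keep the list of app registrations holding it short and review it alongside the certificate's expiry and storage.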
All of the above can also be accomplished with the new MGraph PowerShell module, as described here: