How to Change the Default MFA Method for Microsoft 365 Users

Working as a consultant who regularly helps out our remote support and onboarding teams, I was approached to help with an issue where the default MFA method for a user account needed to be changed to our password management tool, with the OTP phone application method.

By default, while setting up a new user, they were asked to configure the Microsoft Authenticator app as part of the organisation's MFA and SSPR (self-service password reset) requirements, so I could see why this would have been an issue in this case.

From within Microsoft Entra ID, administrators can now modify any user’s default MFA method directly in the admin portal, without needing to log in as that user. This hugely improves a support engineer's experience when assisting with everyday authentication issues, as well as a consultant's experience when assisting with migrations to stronger authentication methods.

In this post, I am going to address how you can use the Microsoft Entra admin portal to modify an existing user's default MFA method.

Change default MFA methods from Microsoft Entra ID

  1. In Microsoft Entra, navigate to Users > All users.
  2. Select the user you wish to change the default MFA method for.
  3. From the left menu, select Authentication methods.
  4. Click Edit, next to Default sign-in method.
  5. Choose the new default MFA method and click save.

Once you have completed the above steps, the next time that user signs out of their Microsoft 365 apps and signs back in, they will initially be challenged with the new MFA method that you set.

If you need to update the default MFA method for multiple users in your organisation, that cannot be done through the Microsoft Entra admin portal. Instead, use Microsoft Graph PowerShell to perform bulk updates: Update Default MFA Methods with Microsoft Graph PowerShell (ourcloudnetwork.com)
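As an added example (not the script from the linked article and not the author's own code), the following sketch shows one way such a bulk change could look with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph.Authentication` module, the beta `signInPreferences` endpoint, and the `UserAuthenticationMethod.ReadWrite.All` permission; the user names are constructed placeholders. It skips any user who has not registered a software OATH (OTP app) method, so nobody is pointed at a default they cannot satisfy.

```powershell
# Added example: bulk-set the default MFA method to a software OTP app.
# Assumptions: Microsoft.Graph.Authentication is installed; UPNs are constructed samples.
$Upns         = @('user1@contoso.example', 'user2@contoso.example')
$Preferred    = 'oath'   # OTP app; 'push' would be Microsoft Authenticator notifications
$RequiredType = '#microsoft.graph.softwareOathAuthenticationMethod'

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$results = foreach ($upn in $Upns) {
    $base = "https://graph.microsoft.com/beta/users/$upn/authentication"
    try {
        # List the methods the user has actually registered.
        $methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/methods").value
        $types   = $methods | ForEach-Object { $_['@odata.type'] }
        if ($types -notcontains $RequiredType) {
            [pscustomobject]@{ User = $upn; Previous = ''; Result = 'Skipped: no OTP app registered' }
            continue
        }

        # Record the current preference so the change can be audited or reverted.
        $before = Invoke-MgGraphRequest -Method GET -Uri "$base/signInPreferences"
        $body   = @{ userPreferredMethodForSecondaryAuthentication = $Preferred } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/signInPreferences" `
            -Body $body -ContentType 'application/json' | Out-Null

        # If system-preferred MFA is on, Entra may still prompt with a different
        # registered method than the user default, so flag it for follow-up.
        $note = if ($before.isSystemPreferredAuthenticationMethodEnabled) {
            'Updated (system-preferred MFA is enabled; check the tenant policy)'
        } else { 'Updated' }
        [pscustomobject]@{
            User     = $upn
            Previous = $before.userPreferredMethodForSecondaryAuthentication
            Result   = $note
        }
    }
    catch {
        [pscustomobject]@{ User = $upn; Previous = ''; Result = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

The output table doubles as a change record: keep it alongside the ticket so the previous default for each user is known if the change has to be rolled back.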

What if the default sign-in method option is missing?

If the option to modify the default is missing when you go to modify a user’s authentication methods, it is likely that you are either using the legacy Authentication methods experience or do not have the correct role assigned.

  1. Ensure you are at least a User Administrator in Microsoft Entra.
  2. Ensure you click the “Switch to the new user authentication methods experience!” link from within the portal.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
