How to disable per-user MFA using Microsoft Graph PowerShell

In my last post here, I demonstrated how to report the per-user MFA status of all users in your tenant using Microsoft Graph PowerShell. 

In this article, I will show you how to use Microsoft Graph PowerShell to disable per-user MFA in Microsoft Entra for a single user or for all users with per-user MFA enabled.

Requirements

As of June 2024, the per-user MFA settings are only available through the beta Microsoft Graph endpoint. To read or change these settings from PowerShell, the following modules are required:

  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Users

You will also require access to a Global Administrator account to consent to the User.Read.All and Policy.ReadWrite.AuthenticationMethod permissions in Microsoft Graph.

Disable per-user MFA with Microsoft Graph PowerShell

To disable per-user MFA for a single user using Microsoft Graph PowerShell, use the example below, substituting the object ID (or UserPrincipalName) of the target user.

# Connect to Microsoft Graph with the scope needed to change authentication requirements
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

# Request body: the only property being changed is perUserMfaState
$body = @{"perUserMfaState" = "disabled"}

# PATCH the user's authentication requirements on the beta endpoint
Invoke-MgGraphRequest -Method PATCH `
-Uri "/beta/users/<#USERIDHERE#>/authentication/requirements" `
-Body $body

If you need to disable per-user MFA for multiple users at once, incorporate this request into a PowerShell loop. Use the example below to disable per-user MFA for every user in your tenant that currently has it enabled.

#Connect to Microsoft Graph
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

#Get all users and select only required properties
$allUsers = Get-MgUser -All -PageSize 999 -Select Id, UserPrincipalName

#Initialise list to hold the results
$allUsersPerUserMFAState = [System.Collections.Generic.List[Object]]::new()

#Loop through each user, read the per-user MFA state and add the result to the list
Foreach ($user in $allUsers){
    $pumfa = Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$($user.Id)/authentication/requirements" -OutputType PSObject
    $obj = [PSCustomObject][ordered]@{
        "User" = $user.UserPrincipalName
        "Per-user MFA State" = $pumfa.perUserMfaState
    }
    $allUsersPerUserMFAState.Add($obj)
}

#Keep only the users that currently have per-user MFA enabled
$peruserUsers = $allUsersPerUserMFAState | Where-Object {$_."Per-user MFA State" -eq "enabled"}

#Define request body
$body = @{"perUserMfaState" = "disabled"}

#Disable per-user MFA (the /users/{id} segment accepts either the object ID or the UserPrincipalName)
Foreach ($PerUser in $peruserUsers){
    Invoke-MgGraphRequest -Method PATCH -Uri "/beta/users/$($PerUser.User)/authentication/requirements" -Body $body
}
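Because this change weakens authentication for every account it touches, you will usually want a dry run and a record of what actually changed. The following function is an added example (not code from the original post) that wraps the same PATCH request for a chosen list of users, supports -WhatIf and -Confirm, skips users that are already disabled, and re-reads the state afterwards to confirm the change took effect; the user names in the usage lines are constructed samples.

```powershell
# Added example: disable per-user MFA for the listed users only, with -WhatIf
# support and a before/after record. Assumes the modules and scopes listed above.
function Disable-PerUserMfa {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Object IDs or UserPrincipalNames; /beta/users/{id|upn} accepts either
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserId
    )
    begin {
        $uriTemplate = "/beta/users/{0}/authentication/requirements"
        $body = @{ perUserMfaState = "disabled" }
    }
    process {
        foreach ($id in $UserId) {
            $uri = $uriTemplate -f $id
            $before = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).perUserMfaState

            # Skip users already disabled so the output only lists real changes
            if ($before -eq "disabled") {
                Write-Verbose "$id already has per-user MFA disabled, skipping"
                continue
            }
            if ($PSCmdlet.ShouldProcess($id, "Set perUserMfaState to disabled")) {
                Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body | Out-Null
                # Re-read to verify the tenant now reports the new state
                $after = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).perUserMfaState
            }
            else {
                $after = $before   # -WhatIf or declined confirmation: nothing changed
            }
            [PSCustomObject]@{
                User      = $id
                Before    = $before
                After     = $after
                Timestamp = (Get-Date).ToString("o")
            }
        }
    }
}

# Usage with constructed sample users: dry run first, then apply and keep an audit CSV
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod
"user1@contoso.com", "user2@contoso.com" | Disable-PerUserMfa -WhatIf
"user1@contoso.com", "user2@contoso.com" | Disable-PerUserMfa -Confirm:$false |
    Export-Csv -Path .\PerUserMfaChanges.csv -NoTypeInformation
```

Any row whose After value is not "disabled" indicates the PATCH did not take effect and should be investigated before assuming the change is complete.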

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
