Your default MFA method defines the initial challenge that is sent to you when you perform an interactive login to your Microsoft 365 account and have MFA (multi-factor authentication) enforced.
While having MFA deployed and enforced across your organisation is a great step towards better security, maintenance is often overlooked once it is deployed. For example, do you know which other authentication methods your users registered before they registered a more secure method, such as the Microsoft Authenticator app? And if you don't, you probably don't know which method they are challenged with first during an interactive login.
A good first step towards a consistent MFA state is to ensure that users who have registered stronger methods have them set as their primary authentication method during login. Other options exist, such as the system-preferred MFA method setting; however, this guide is tailored towards organisations that may not be ready for that move yet, or that want to roll this out in phases.
In this tutorial, I am going to show you how to update the default authentication method for users with Microsoft Graph PowerShell.
Pre-requisites
To run the commands in this tutorial you must ensure that your script can use the following permissions:
- UserAuthenticationMethod.ReadWrite.All
- User.Read.All
You can either use a Global Administrator account to consent to these permissions during your first run of the script, or you can assign these permissions to your Microsoft Graph Command Line Tools application first, then connect with an account that holds the Authentication Policy Administrator role in Azure AD.
You must also ensure you have the Microsoft Graph PowerShell SDK installed and if you do, ensure it is on the latest available version. Follow my guide here: How To Install the Microsoft Graph PowerShell Module
All MFA methods
For this tutorial, in the scripts below, I have chosen to deploy the push method as the default MFA method for each user. Other options are available, and even though some are strongly discouraged, you can see them all below:
- push – Microsoft Authenticator push notifications with number matching.
- oath – 6-digit one-time password (OTP) from an authentication app.
- voiceMobile – Voice call answered with a 6-digit code.
- voiceAlternateMobile – Voice call answered with a 6-digit code on the alternative mobile.
- voiceOffice – Voice call answered on the office phone with a 6-digit code.
- sms – Text message with a 6-digit code.
- unknownFutureValue – Unsupported value.
Update the default MFA method for a single user
To update the default MFA method for a single user in your organisation, start by connecting to Microsoft Graph with the UserAuthenticationMethod.ReadWrite.All permission scope.
Connect-MgGraph -scopes UserAuthenticationMethod.ReadWrite.All
Then define the body of your request, which determines the preferred MFA method you will set for the user.
$body = @'
{
"userPreferredMethodForSecondaryAuthentication": "push"
}
'@
We also need to define the URI of the request; this URI specifies the resource that we are going to update. I recommend that you first use the Get-MgUser command to store the user's information, then pass it into the URI.
$user = Get-MgUser -filter "UserPrincipalName eq '[email protected]'"
$uri = "https://graph.microsoft.com/beta/users/$($user.id)/authentication/signInPreferences"
To make the change, use the Invoke-MgGraphRequest cmdlet with the PATCH method, as there is currently no cmdlet that supports this change.
Invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH
Update the default MFA method for all users
You may want to update the default MFA method for multiple users in your organisation. If you want to apply the change to all users, you may be better off using the system-preferred MFA setting. However, this method is still useful, especially if you want to ensure that multiple users in a specific department have the correct default method set.
For more detail on how to customise the Get-MgUser command to get a specific set of users, see my guide: How To Use Get-MgUser with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All, User.Read.All
$allusers = Get-MgUser -All
$body = @'
{
"userPreferredMethodForSecondaryAuthentication": "placeholder"
}
'@
# Each registered method reports its type in @odata.type, for example
# "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" for the Authenticator app,
# so the check below matches with wildcards rather than requiring the full type name
$RegisteredMethod = "microsoftAuthenticator" # Check method type
$PreferredMethod = "push" # Define the preferred MFA method here
$body = $body -replace 'placeholder', $PreferredMethod
Foreach ($user in $allusers) {
    $uri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/signInPreferences"
    # Read the current preference so users that are already correct are skipped
    $Check = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
    If ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod) {
        Write-Host "`n $($user.DisplayName) already has preferred method set to $PreferredMethod, Skipping..." -ForegroundColor Cyan
        Continue
    }
    # Only attempt the PATCH when the required method has been registered
    If ((Get-MgUserAuthenticationMethod -UserId $user.Id).AdditionalProperties.values -like "*$RegisteredMethod*") {
        try {
            Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ErrorAction Stop
        }
        Catch {
            Write-Host "`n Unable to update user authentication method for $($user.DisplayName): $($_.Exception.Message)" -ForegroundColor Red
            Continue
        }
        Write-Host "Default MFA method has been successfully updated for $($user.DisplayName)" -ForegroundColor Green
    } Else {
        Write-Host "`n $RegisteredMethod has not been registered by $($user.UserPrincipalName)" -ForegroundColor Yellow
    }
}
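Before running the bulk update above, it helps to know where each user currently stands. The following read-only audit is an added example, not part of the original tutorial: it lists every user's current default method alongside the method types they have registered, and flags users who still default to SMS or voice even though Microsoft Authenticator is registered. It assumes that the UserAuthenticationMethod.Read.All scope is sufficient for the GET requests, and the CSV path and the list of weak defaults are choices made for this example.

```powershell
# Added example (not part of the original tutorial): read-only audit of default MFA
# methods. Nothing is written to the tenant; review the CSV before running the bulk PATCH script.
Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All, User.Read.All   # assumed sufficient for GET

# Values treated as weak defaults, taken from the method list in this tutorial.
$WeakDefaults = @('sms', 'voiceMobile', 'voiceAlternateMobile', 'voiceOffice')
# @odata.type reported for a registered Microsoft Authenticator app.
$AuthenticatorType = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

$report = foreach ($user in (Get-MgUser -All -Property Id, UserPrincipalName, DisplayName)) {
    $uri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/signInPreferences"
    try {
        $prefs   = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject -ErrorAction Stop
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read $($user.UserPrincipalName): $($_.Exception.Message)"
        continue
    }
    # Each registered method carries its type in @odata.type, e.g.
    # "#microsoft.graph.phoneAuthenticationMethod"; collect all of them for this user.
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    # Shorten "#microsoft.graph.xxxAuthenticationMethod" to "xxx" for the report.
    $short = $types | ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '' } |
             Sort-Object -Unique
    $default = $prefs.userPreferredMethodForSecondaryAuthentication
    $hasAuthenticator = $types -contains $AuthenticatorType

    [pscustomobject]@{
        UserPrincipalName       = $user.UserPrincipalName
        DisplayName             = $user.DisplayName
        DefaultMethod           = $default
        RegisteredMethods       = ($short -join ';')
        AuthenticatorRegistered = $hasAuthenticator
        # True when a stronger method is registered but a weak one is still the default:
        # these are the users the bulk script above would move to "push".
        WeakDefaultDespiteAuthenticator = ($hasAuthenticator -and ($default -in $WeakDefaults))
    }
}

# Constructed output path; change to suit your environment.
$report | Export-Csv -Path .\mfa-default-audit.csv -NoTypeInformation
$report | Where-Object WeakDefaultDespiteAuthenticator |
    Format-Table UserPrincipalName, DefaultMethod, RegisteredMethods -AutoSize
```

Users with a null DefaultMethod have never had a preference set; they appear in the CSV but are not flagged, since the flag only targets a weak default sitting next to a registered Authenticator.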
Fix error: UserPreferredMethodForSecondaryAuthentication cannot be updated
If you are attempting to update a user and receive the following error:
UserPreferredMethodForSecondaryAuthentication cannot be updated
It is likely that the user you are trying to update does not already have the necessary MFA method registered. There are a couple of ways to verify which methods they have set up. The first is through PowerShell: run the following code to see which methods have been configured for a user.
(Get-MgUserAuthenticationMethod -UserId %upn%).AdditionalProperties.values
Alternatively, the same information can be located through the Azure Active Directory portal. Firstly, go to Azure Active Directory > Protect & Secure > Authentication methods > User registration details.
Then find your target user in the list and view the Methods registered column.
Thanks!
I had to change the script to change all users slightly, setting $RegisteredMethod = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", otherwise it didn't change the default for anyone. After that, it worked great!
When I try to update the default MFA method for a single user I get this error:
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| PATCH https://graph.microsoft.com/beta/users/f93e2bfc-6918-4442-a024-56fec1655438/authentication/signInPreferences
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 8262ebc6-fc6f-48f6-92c8-1ac181923408
client-request-id: 13080740-92b5-4e69-a276-0e0eaae3b571
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"ZR2PEPF000000C9"}}
Link: ;rel="deprecation";type="text/html"
Deprecation: Thu, 11 May 2023 23:59:59 GMT
Sunset: Sun, 11 May 2025 23:59:59 GMT
Date: Tue, 09 Jan 2024 17:45:05 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"badRequest","message":"Invalid user default authentication method request.","innerError":{"message":"Invalid user default authentication method request.","date":"2024-01-09T17:45:06","request-id":"8262ebc6-fc6f-48f6-92c8-1ac181923408","client-request-id":"13080740-92b5-4e69-a276-0e0eaae3b571"}}}
Any idea?
Hey Martin,
I have retested the code on my tenant and it works fine. Does the user you are changing the method for have the new method registered already? You can run this to check:
(Get-MgUserAuthenticationMethod -UserId $user.id).AdditionalProperties.values
Also you can use the following to check the current config for the user:
$uri = "https://graph.microsoft.com/beta/users/$($user.id)/authentication/signInPreferences"
Invoke-MgGraphRequest -uri $uri -method GET -OutputType PSObject | fl
Let me know.
By the way, how can I enable and enforce MFA using PowerShell? I have enabled Security defaults. Does it remove the need to enable and enforce MFA? When I logged in to Microsoft 365 using a newly created user I'm asked only to download the MS Authenticator app. There is no option for SMS or call. I'm using a trial account. Could this be the reason?
Hey Martin,
If you are using Security defaults, that will be your only option. You absolutely do NOT want to be using SMS or Call as your MFA method, it's very insecure.
Nevertheless, if you need more control, buy a Microsoft Entra P1 license; then you can disable security defaults in favour of Conditional Access.