Update Default MFA Methods with Microsoft Graph PowerShell

Your default MFA method defines the initial challenge that is sent to you when you perform an interactive login to your Microsoft 365 account and you have MFA (multi-factor authentication) enforced. 

While having MFA deployed and enforced across your organisation is a great step towards better security, once deployed, maintenance can often be overlooked. For example, do you know what other methods of authentication your users have deployed, prior to them registering a more secure method, such as the Microsoft Authentication App? And if you don’t, you probably don’t know what their preferred method is during an interactive login challenge.

A good first step into moving to a consistent MFA state is to ensure that the users who have registered stronger methods, have them set as their primary authentication method during login. Other options such as system-preferred MFA method, however, this guide is tailored towards organisations that may not be ready for that move yet, or want to roll this out in phases.

In this tutorial, I am going to show you how you can use Microsoft Graph PowerShell to update the default authentication method for users with Microsoft Graph PowerShell.


To run the commands in this tutorial you must ensure that you can use the following permissions in your script:

  • UserAuthenticationMethod.ReadWrite.All
  • User.Read.All

You can either use a Global Administrator account to consent to these permissions during your first run of the script, or you can assign these permissions to your Microsoft Graph Command Line Tools application first, then connect with an account that holds the Authentication Policy Administrator role in Azure AD.

You must also ensure you have the Microsoft Graph PowerShell SDK installed and if you do, ensure it is on the latest available version. Follow my guide here: How To Install the Microsoft Graph PowerShell Module

All MFA methods

For this tutorial, in the scripts below, I have decided to deploy the push method as the default MFA method for each user. However, other options are available and even though some are highly not recommended, you can see them below:

  • push – Microsoft Authenticator push notifications with number matching.
  • oath – 6 digit (OTP) password with authentication app.
  • voiceMobile – Voice call answering with 6 digit code.
  • voiceAlternateMobile – Voice call answering with 6 digit code on alternative mobile.
  • voiceOffice – Voice call answering on office phone with 6 digit code.
  • sms – Text message with 6 digit code.
  • unknownFutureValue – Unsupported value.

Update the default MFA method for a single user

To update the default MFA method for a single user in your organisation, start by connecting to Microsoft Graph with the UserAuthenticationMethod.ReadWrite.All permission scope.

Connect-MgGraph -scopes UserAuthenticationMethod.ReadWrite.All

Then define the body of your request which will determine which is the preferred MFA method you will set for the user.

$body = @'
  "userPreferredMethodForSecondaryAuthentication": "push"

We also need to define the URI of the request, this URI specified the resource that we are going to update. First I recommend you use the Get-MgUser command to store information on the user, then pass this information into the URI.

$user = Get-MgUser -filter "UserPrincipalName eq '[email protected]'"

$uri = "https://graph.microsoft.com/beta/users/$($user.id)/authentication/signInPreferences"

To make the change, you will need to use the Invoke-MgGraphRequest cmdlet with the PATCH method, as currently there are no cmdlets which support this change.

Invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH

Update the default MFA method for all users

You may want to update the default MFA method for multiple users in your organisation. Of course, if you want to apply to all users, you may be better off applying the system-preferred MFA context settings. However, this method is still useful especially if you want to ensure multiple users in a specific department have the correct default method set. 

For more detail on how to customise the Get-MgUser command to get a specific set of users, see my guide: How To Use Get-MgUser with Microsoft Graph PowerShell.

Connect-MgGraph -scopes UserAuthenticationMethod.ReadWrite.All, User.Read.All
$allusers = Get-MgUser -all

$body = @'
  "userPreferredMethodForSecondaryAuthentication": "placeholder"

$RegisteredMethod = "microsoftAuthenticator"   # Check method type
$PreferredMethod = "push"   # Define the preferred MFA method here
$body = $body -replace 'placeholder', $preferredmethod

Foreach ($user in $allusers) {
    $uri = "https://graph.microsoft.com/beta/users/$($user.id)/authentication/signInPreferences"
    $Check = Invoke-MgGraphRequest -uri $uri -Method GET -OutputType PSObject
    If ($Check.userPreferredMethodForSecondaryAuthentication -eq $PreferredMethod){
        Write-host "`n $($user.DisplayName) already has preferred method set to $PreferredMethod, Skipping..." -ForegroundColor Cyan
    If ((Get-MgUserAuthenticationMethod -UserId $user.id).AdditionalProperties.values -like $RegisteredMethod){
        try {
            Invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH -ErrorAction Stop
        Catch {
            Write-Host "`n Unable to update user authentication method for $($user.DisplayName)"
        Write-host "Default MFA method has been successfully updated for $($user.DisplayName)" -ForegroundColor Green
    } Else {
        Write-Host "`n $RegisteredMethod has not been registered by $($user.UserPrincipalName)"-ForegroundColor Yellow

Fix error: UserPreferredMethodForSecondaryAuthentication cannot be updated

If you are attempting to update a user and receive the following error:

UserPreferredMethodForSecondaryAuthentication cannot be updated

It is likely that the user you are trying to update does not have the necessary MFA method registered already. There are a couple of ways you can verify which methods they have setup, the first is through PowerShell, run the following code to see which methods have been configured for a user

(Get-MgUserAuthenticationMethod -UserId %upn%).AdditionalProperties.values

Alternatively, the same information can be located through the Azure Active Directory portal. Firstly, go to Azure Active Directory > Protect & Secure > Authentication methods > User registration details

Then find your target user in the list and view the Methods registered column.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 5 Comments

  1. Brian


    I had to change the script to change all users slightly setting $RegisteredMethod = “#microsoft.graph.microsoftAuthenticatorAuthenticationMethod” otherwise it didn’t change the default for anyone. After that, it worked great!

  2. Martin

    when I try to update the default MFA method for a single user I get this error

    | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | PATCH https://graph.microsoft.com/beta/users/f93e2bfc-6918-4442-a024-56fec1655438/authentication/signInPreferences
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: 8262ebc6-fc6f-48f6-92c8-1ac181923408
    client-request-id: 13080740-92b5-4e69-a276-0e0eaae3b571
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”Switzerland North”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”ZR2PEPF000000C9″}}
    Link: ;rel=”deprecation”;type=”text/html”
    Deprecation: Thu, 11 May 2023 23:59:59 GMT
    Sunset: Sun, 11 May 2025 23:59:59 GMT
    Date: Tue, 09 Jan 2024 17:45:05 GMT
    Content-Type: application/json
    Content-Encoding: gzip

    {“error”:{“code”:”badRequest”,”message”:”Invalid user default authentication method request.”,”innerError”:{“message”:”Invalid user default authentication method request.”,”date”:”2024-01-09T17:45:06″,”request-id”:”8262ebc6-fc6f-48f6-92c8-1ac181923408″,”client-request-id”:”13080740-92b5-4e69-a276-0e0eaae3b571″}}}

    Any idea?

    1. Daniel Bradley

      Hey Martin,

      I have retested the code on my tenant and it works fine. Does the user you are changing the method for have the new method registered already? You can run this to check:

      (Get-MgUserAuthenticationMethod -UserId $user.id).AdditionalProperties.values

      Also you can use the following to check the current config for the user:

      $uri = "https://graph.microsoft.com/beta/users/$($user.id)/authentication/signInPreferences"
      Invoke-MgGraphRequest -uri $uri -method GET -OutputType PSObject | fl

      Let me know.

  3. Martin

    By the way, how can I enable and enforce MFA using PowerShell? I have enabled Security defaults. Does it remove the need of enabling and enforcing MFA? When I logged in Microsoft 365 using a newly created user I`m asked only for downloading the MS Authenticator app. there is no option for SMS or call. I`m using a trial account. Could this be the reason?

    1. Daniel Bradley

      Hey Martin,

      If you are using Security default, that will be your only option. You absolutely do NOT want to be using SMS or Call as your MFA method, its very unsecure.

      Never-the-less, if you need more control, by an Microsoft Entra P1 license, then you can disable security defaults in favour of Conditional Access.

Leave a Reply