How to reset redemption status or reset MFA methods with Graph API

Zach Sheaman 20 Reputation points
2025-03-03T23:47:08.4066667+00:00

I have a requirement to allow administrators of our custom application to invite and manage users within our custom application. We currently leverage Graph API to invite external (B2B) users to our tenant and add them to the appropriate groups. This all works as expected.

Our latest requirement is to allow the MFA methods of an external user to be reset and send them an email. The most direct route to accomplish this based on the API documentation appears to be using the invitations endpoint and passing the "resetRedemption" flag as "true" in the request, along with the user's ID (object ID is my understanding). The approach I am following is outlined here: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http#example-2-reset-the-redemption-status-of-a-guest-user

The application has been granted the following Microsoft Graph permissions, for various needs (including, but not only, this one):

  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • offline_access
  • openid
  • profile
  • User.Read
  • User.ReadWrite.All
  • UserAuthenticationMethod.ReadWrite.All

Admin consent has been granted for all permissions.

The user's email is not being changed; I wanted to call this out as the documentation indicates that the "request changes the user's email address..." and notes that the new email must be in the "other mail" list (which it is in my scenario, it is just the same/not changing). I'm uncertain if this nuance is the root cause of my problem to follow.

When executing the request to reset the redemption status, I am receiving the following error:

Microsoft.Graph.Models.ODataErrors.ODataError: Guest invitations not allowed for your company. Contact your company administrator for more details.

This seems like an inaccurate error, as we are able to invite guest users, and I just tested this during the process of trying to test the "reset redemption status" logic (Invited a new user => verified I can log in and configure MFA => Attempted to reset redemption status via Microsoft Graph => Received above error).

Any guidance would be appreciated. I am not the administrator in our Azure tenant, but I am working with an administrator to try to troubleshoot this problem, currently to no avail. I thought maybe this error was actually resulting because of the email scenario mentioned above (it isn't changing), but I was unable to confirm this as I received an insufficient privileges error when attempting to add a new/alternate email to the "otherMails" property of the user. I don't know why, as the documentation indicates the app should have the appropriate permissions (see above permissions), but I'm guessing that maybe the new permission I found may be required: "User-Mail.ReadWrite.All".

I'm open to alternatives to accomplishing the goal of an "MFA method reset", but would ideally still like to understand the above issue/endpoint. I have considered trying to get the user's list of authentication methods and then loop through and delete them, but the documentation lists that the "phone" method may not be deleted if it is the user's default authentication method. Unfortunately, phone being the default authentication method will be almost 100 percent of our target user population.

Thank you in advance for your help.
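An added example (not part of the original question, and not Microsoft's code) that assembles the two approaches discussed above: the POST /invitations call with resetRedemption set for the guest's object id, a checklist keyed on the exact error text quoted in the question, and a fallback that turns the guest's authentication-method collection into DELETE targets while leaving a default phone method alone, since Graph refuses that delete. The bearer token, the sample method list, the placeholder ids and the phone_is_default flag (which the caller must determine; the code does not look it up) are all assumptions.

```python
"""Reset a B2B guest's redemption status through Microsoft Graph and plan a
fallback cleanup of the guest's authentication methods.

Added example for this thread (not Microsoft's code, not from the original
post). Assumes a bearer token for the app is obtained elsewhere; the sample
method list below is constructed, not captured from a tenant.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Error text quoted in the question, mapped to the checks the accepted answer lists.
KNOWN_ERRORS = {
    "Guest invitations not allowed for your company": [
        "Check external collaboration settings: invitations disabled or admin-only block app-only calls.",
        "Retry with delegated permissions from a signed-in User Administrator.",
        "App-only reset is refused when the target guest holds any directory role.",
    ],
}

# Authentication method types that can be deleted and the collection each lives in.
# passwordAuthenticationMethod is intentionally absent: Graph does not allow deleting it.
DELETABLE_METHODS = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
}


def build_reset_redemption_request(user_id, email, redirect_url):
    """Describe the POST /invitations call from the question: resetRedemption
    plus the guest's object id. 'email' must equal the user's current mail or
    be present in otherMails, or Graph rejects the call."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/invitations",
        "body": {
            "invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "invitedUser": {"id": user_id},
            "resetRedemption": True,
            "sendInvitationMessage": True,
        },
    }


def diagnose_graph_error(message):
    """Map a Graph error string to a troubleshooting checklist."""
    for needle, checks in KNOWN_ERRORS.items():
        if needle in message:
            return list(checks)
    return ["Unrecognised error: keep the request-id header and open a support case."]


def plan_method_deletions(methods, phone_is_default):
    """Turn the /users/{id}/authentication/methods collection into DELETE
    targets. Phone is ordered last and skipped when it is the default method,
    because Graph refuses that delete (the restriction noted in the question).
    phone_is_default is supplied by the caller (assumption: known from the
    admin portal); this function does not look it up."""
    phone_type = "#microsoft.graph.phoneAuthenticationMethod"
    plan = []
    for m in methods:
        coll = DELETABLE_METHODS.get(m.get("@odata.type"))
        if coll and m["@odata.type"] != phone_type:
            plan.append((coll, m["id"]))
    for m in methods:
        if m.get("@odata.type") == phone_type and not phone_is_default:
            plan.append(("phoneMethods", m["id"]))
    return plan


def delete_url(user_id, collection, method_id):
    """Build the DELETE URL for one planned method removal."""
    return f"{GRAPH}/users/{user_id}/authentication/{collection}/{method_id}"


def send(request, token, opener=urllib.request.urlopen):
    """Execute a request dict with a bearer token; 'opener' is injectable so
    the surrounding logic can be exercised offline."""
    data = json.dumps(request["body"]).encode() if request.get("body") else None
    req = urllib.request.Request(request["url"], data=data, method=request["method"])
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with opener(req) as resp:
        return resp.status, resp.read().decode()


# Constructed sample of what GET /users/{id}/authentication/methods returns.
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "phone-id-placeholder"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "authenticator-id-placeholder"},
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "password-id-placeholder"},
]

if __name__ == "__main__":
    req = build_reset_redemption_request("00000000-0000-0000-0000-000000000000",
                                         "guest@example.com", "https://myapp.example.com")
    print(json.dumps(req, indent=2))
    for hint in diagnose_graph_error("Guest invitations not allowed for your company. Contact ..."):
        print("-", hint)
    print(plan_method_deletions(SAMPLE_METHODS, phone_is_default=True))
```

The request builder is kept separate from `send` so the body can be logged and reviewed before any call is made with a real token; in a delegated-permission retry, only the token changes, the request dict stays the same.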


Accepted answer
    Rajat Vashistha-MSFT 1,310 Reputation points Microsoft External Staff
    2025-03-04T09:57:50.1+00:00

    Hi Zach Sheaman,

    Thanks for reaching out to Microsoft!

    I've attempted to reproduce the issue by inviting a guest user and then resetting their redemption status using both application and delegated permissions. As expected, I was able to successfully perform these actions. (Reference: Create invitation)

    1. Invite a Guest User (screenshot omitted).

    2. Reset the Redemption Status (screenshot omitted).

    I would like to suggest checking the following:

    • B2B Invitations: Ensure that B2B invitations are not disabled on your tenant or restricted to administrators, as application permissions (app-only) won't work if there are such restrictions. Additionally, for app-only calls, the redemption status can't be reset if there are any roles assigned to the target user account. (Reference: Reset the redemption status for a guest user)
    • Permissions: Please also verify by using delegated permissions with least privilege of User Administrator rights assigned on the signed in user instead of application permissions.

    Even after verifying the above, if the issue still persists, I recommend you raise a support case with Microsoft Graph, a Support Engineer will be able to look into this issue and assist you better. You can raise support ticket from New support request - Microsoft Entra admin center or https://admin.microsoft.com/#/support/requests.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
