Migrating users off SMS MFA when the option is enabled tenant-wide

Joe Calabria 41 Reputation points

Our tenant has text messaging (SMS) as an MFA option tenant-wide and we want to phase it out slowly due to the org size and possible support call volume. We want to use robocall and the auth app as the only two options for MFA. SSPR is not active for staff.

We're looking for a process to create groups of, let's say, 250 users and do the following:

  • Perform a bulk reset of MFA enrollment via PowerShell from a CSV
  • Create a CA policy so that when users re-enroll in MFA, the text messaging (SMS) option is NOT available (even though it's enabled tenant-wide)

Is this possible? Is there a better way to approach this?
We're open to all possibilities, as we must implement this migration shortly.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Marilee Turscak-MSFT 34,791 Reputation points Microsoft Employee

    As far as I'm aware there's no way to do this via Conditional Access if the option is enabled tenant-wide, but if you select only certain methods under verification options then it will force new users to use those methods.


    If you want to force already registered users to register again, you can clear the StrongAuthenticationRequirements attribute using:

    # Clear the per-user StrongAuthenticationRequirements attribute (empty array) for one user
    Set-MsolUser -UserPrincipalName username@yourtenant.onmicrosoft.com -StrongAuthenticationRequirements @()
    # Verify: list the Strong* attributes on the same user
    Get-MsolUser -UserPrincipalName username@yourtenant.onmicrosoft.com | fl strong*

    To reset MFA method for all users in the tenant, run:

    # Pipe every user object in the tenant into the same reset
    Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements @()

    You can also export users to a csv file and run the command with foreach loop, if you want to clear this attribute for limited users.

    See related discussion here.
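The CSV-driven foreach loop the answer mentions, written out as a batch script. This is an added example and not code from the original post or from Microsoft. It assumes a CSV with a UserPrincipalName column (hypothetical column name) and processes one slice of up to 250 users per run so the helpdesk is not hit all at once. Mode 'Msol' does exactly what the answer shows (Set-MsolUser with an empty StrongAuthenticationRequirements) and logs how many registered methods the user still has afterwards, which is worth checking before assuming the user will be re-prompted. Mode 'Graph' is an alternative that is not on the page: it removes only the registered mobile-phone method through the Microsoft Graph PowerShell SDK cmdlets Get-MgUserAuthenticationPhoneMethod and Remove-MgUserAuthenticationPhoneMethod, leaving the Authenticator app registration intact. That route is included because the MSOnline module the answer relies on has since been retired by Microsoft. Both modes honour -WhatIf so a batch can be previewed first.

```powershell
<#
  Added example, not from the original post. Reset MFA registration for a
  CSV-listed batch of users. Assumptions (hypothetical): CSV column named
  UserPrincipalName; log file path below. Mode 'Msol' uses the answer's
  Set-MsolUser approach (MSOnline module, now retired); mode 'Graph' removes
  only the registered mobile-phone (SMS/voice) method via Microsoft Graph.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [ValidateSet('Msol', 'Graph')] [string] $Mode = 'Graph',
    [int] $BatchSize = 250,          # users per run, as asked in the question
    [int] $BatchNumber = 1,          # 1-based slice of the CSV to process
    [string] $LogPath = ".\mfa-reset-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# Well-known Graph ID of the "mobile" phone authentication method.
$MobilePhoneMethodId = '3179e48a-750b-4051-897c-87b9720928f7'

# Load the CSV and take the requested slice of $BatchSize users.
$all = @(Import-Csv -Path $CsvPath)
if ($all.Count -eq 0) { throw "CSV $CsvPath is empty" }
if (-not ($all[0].PSObject.Properties.Name -contains 'UserPrincipalName')) {
    throw "CSV must contain a UserPrincipalName column"
}
$start = ($BatchNumber - 1) * $BatchSize
$batch = @($all | Select-Object -Skip $start -First $BatchSize)
if ($batch.Count -eq 0) { throw "Batch $BatchNumber is empty (only $($all.Count) rows)" }

switch ($Mode) {
    'Msol'  { Connect-MsolService }
    'Graph' { Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' }
}

$results = foreach ($row in $batch) {
    $upn    = $row.UserPrincipalName.Trim()
    $status = 'Skipped'      # stays 'Skipped' under -WhatIf
    $detail = ''
    try {
        if ($PSCmdlet.ShouldProcess($upn, "Reset MFA registration ($Mode)")) {
            switch ($Mode) {
                'Msol' {
                    # The answer's command: clear the per-user requirement state.
                    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
                    # Registered methods live in a different attribute; record how
                    # many remain so it is visible whether re-enrolment will really happen.
                    $remaining = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationMethods.Count
                    $status = 'Reset'
                    $detail = "methods remaining: $remaining"
                }
                'Graph' {
                    # Remove only the mobile phone method; other methods are untouched.
                    $phone = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction Stop |
                             Where-Object { $_.Id -eq $MobilePhoneMethodId }
                    if ($phone) {
                        Remove-MgUserAuthenticationPhoneMethod -UserId $upn `
                            -PhoneAuthenticationMethodId $MobilePhoneMethodId -ErrorAction Stop
                        $status = 'PhoneRemoved'
                        $detail = $phone.PhoneNumber
                    } else {
                        $status = 'NoPhoneMethod'
                    }
                }
            }
        }
    } catch {
        $status = 'Error'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Time   = Get-Date -Format o
        UPN    = $upn
        Mode   = $Mode
        Status = $status
        Detail = $detail
    }
}

# Persist a per-user audit log for the helpdesk and print a summary.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with `-WhatIf` (`.\Reset-MfaBatch.ps1 -CsvPath .\users.csv -BatchNumber 1 -WhatIf`) to see which UPNs the slice covers, then without it; bump -BatchNumber for each subsequent wave. In 'Msol' mode a non-zero "methods remaining" value in the log means the user's registered phone is still on the account, which is the case the question is really trying to eliminate.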