Migrating users off SMS MFA when option is on tenant wide

Question

Our tenant has text messaging (SMS) as an MFA option tenant wide and want to phase it out slowly due the org size and possible support call volume. We want to use robocall and the auth app as the only 2 options for MFA. SSPR is not active for staff.

We're looking for a process to create groups of lets say 250 users and do the following:

• Perform a bulk reset of MFA enrollment via PowerShell via csv
• Create a CA policy that when users re-enroll in MFA that the text messaging (SMS) option is NOT available (even though it's on tenant wide)

Is this possible? Is there a better way to approach this?
We're open to all possibilities as we must implement this migration shortly

Answer 1

As far as I'm aware there's no way do this via Conditional Access if the option is enabled tenant-wide, but if you select only certain methods under verification options then it will force new users to use those methods.

If you want to force already registered users to register again, you can clear the StrongAuthenticationRequirements attribute using:

Set-MsolUser -UserPrincipalName username@yourtenant.onmicrosoft.com -StrongAuthenticationRequirements @()  
  
Get-MsolUser -UserPrincipalName username@yourtenant.onmicrosoft.com | fl strong*  

To reset MFA method for all users in the tenant, run:

Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements @()  

You can also export users to a csv file and run the command with foreach loop, if you want to clear this attribute for limited users.

See related discussion here.