We are trying to find a way to automate MFA reset on Azure B2C tenant. Basically, I am trying to replicate the "Require re-register multifactor authentication" functionality.
From what I understand of the documentation of the Authentication Methods API (https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-1.0), each method has to be updated/deleted individually.
I was trying to delete a phoneAuthenticationMethod on an Azure AD B2C tenant:
DELETE /v1.0/users/{user object id}/authentication/phoneMethods/{id}/
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXA....
But I keep getting the error below:
{
  "error": {
    "code": "badRequest",
    "message": "The requested authentication method id of [{phone method id}] matches the user's current default authentication method, and cannot be deleted until the default authentication method is changed",
    "innerError": {
      "message": "The requested authentication method id of [{phone method id}] matches the user's current default authentication method, and cannot be deleted until the default authentication method is changed",
      "date": "2022-08-19T12:37:08",
      "request-id": "8f8a3ed7-6154-4f37-9615-96b03fecccf5",
      "client-request-id": "8f8a3ed7-6154-4f37-9615-96b03fecccf5"
    }
  }
}
Again, from the documentation, it appears that managing the default method is currently supported only through the MSOL Get-MsolUser and Set-MsolUser cmdlets, using the StrongAuthenticationMethods property.
The first issue I faced was with connecting to the B2C tenant using the Connect-MsolService cmdlet. I realised that we need to create a local admin account in the B2C tenant and pass it as a Credential to connect to the tenant. Please let me know if there is any other way, maybe using access tokens. Graph API tokens don't seem to work.
After connecting, I made a Get-MsolUser call to get the methods for a user, as shown below. One of them is shown as the default.
The interesting point here is that when I make a Graph API call for the authentication methods, the results are different:
https://graph.microsoft.com/beta/users/{id}/authentication/methods
Response:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('c93f3a73-30a8-4472-99df-fc9f866bdd3d')/authentication/methods",
  "value": [
    {
      "@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
      "id": ".......",
      "phoneNumber": "+XX XXXXXXXX14",
      "phoneType": "mobile",
      "smsSignInState": "notSupported"
    },
    {
      "@odata.type": "#microsoft.graph.passwordAuthenticationMethod",
      "id": "......",
      "password": null,
      "creationDateTime": null,
      "createdDateTime": null
    },
    {
      "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod",
      "id": "......",
      "secretKey": null
    }
  ]
}
I tried to change the authentication methods using Set-MsolUser:
PS>$DummySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
PS>$DummySMS.IsDefault = $true
PS>$DummySMS.MethodType = "OneWaySMS"
PS>Set-MsolUser -ObjectId "...object Id....." -StrongAuthenticationMethods $DummySMS
PS>Get-MsolUser -ObjectId "...object Id....." | select -ExpandProperty StrongAuthenticationMethods
ExtensionData IsDefault MethodType
------------- --------- ----------
System.Runtime.Serialization.ExtensionDataObject True OneWaySMS
So it seems to have been updated from PowerShell, but when I make the Graph API call again there is no change and the output is the same as before.
Please let me know if I am doing anything wrong. Also, how do I completely reset all MFA options from AuthenticationMethods?
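As an added example (not code from the question, and not Microsoft's own tooling), here is a PowerShell script for the part of the reset that the question shows working through Graph: it lists a user's methods with GET /v1.0/users/{id}/authentication/methods, issues the per-type DELETE for every method type Graph exposes a DELETE for, and catches the badRequest quoted above so that a collision with the default method is reported instead of aborting the loop. The $Token and $UserId parameters, the UserAuthenticationMethod.ReadWrite.All permission on the token, and the @odata.type-to-collection table are assumptions of this example. It does not change the default method; that is the step still open in the question.

```powershell
# Added example, not from the original question. Assumed inputs:
#   $Token  - a Microsoft Graph bearer token granted
#             UserAuthenticationMethod.ReadWrite.All
#   $UserId - the object id of the B2C user to reset
# The endpoint paths are documented v1.0 Graph routes; the type-to-collection
# table and the result shape are this example's own.
param(
    [Parameter(Mandatory)][string]$Token,
    [Parameter(Mandatory)][string]$UserId
)
$ErrorActionPreference = 'Stop'

$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $Token" }

# Which DELETE collection handles each @odata.type. passwordAuthenticationMethod
# is deliberately absent: Graph exposes no DELETE for it, so it is reported as skipped.
$DeleteCollection = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}

function Get-GraphAuthMethods {
    param([string]$Id)
    # GET /users/{id}/authentication/methods returns every registered method
    (Invoke-RestMethod -Method Get -Uri "$Graph/users/$Id/authentication/methods" -Headers $Headers).value
}

function Get-GraphErrorMessage {
    param($ErrorRecord)
    # PowerShell 7 puts the JSON error body in ErrorDetails.Message; fall back to the exception text
    $body = $ErrorRecord.ErrorDetails.Message
    if (-not $body) { return $ErrorRecord.Exception.Message }
    try { return ($body | ConvertFrom-Json).error.message } catch { return $body }
}

function Reset-GraphAuthMethods {
    param([string]$Id)
    $deleted = @(); $blocked = @(); $skipped = @()

    foreach ($m in Get-GraphAuthMethods -Id $Id) {
        $type = $m.'@odata.type'
        $coll = $DeleteCollection[$type]
        if (-not $coll) { $skipped += "$type $($m.id)"; continue }

        $uri = "$Graph/users/$Id/authentication/$coll/$($m.id)"
        try {
            Invoke-RestMethod -Method Delete -Uri $uri -Headers $Headers | Out-Null
            $deleted += "$coll/$($m.id)"
        } catch {
            $msg = Get-GraphErrorMessage $_
            # This is the badRequest from the question: the user's default method
            # cannot be deleted until the default is changed elsewhere.
            if ($msg -like '*default authentication method*') {
                $blocked += "$coll/$($m.id)"
            } else {
                throw "DELETE $uri failed: $msg"
            }
        }
    }

    [pscustomobject]@{ Deleted = $deleted; Blocked = $blocked; Skipped = $skipped }
}

$result = Reset-GraphAuthMethods -Id $UserId
Write-Host "Deleted : $($result.Deleted -join ', ')"
Write-Host "Skipped : $($result.Skipped -join ', ')"
if ($result.Blocked) {
    Write-Warning ("Still registered because they are the default method: " +
                   ($result.Blocked -join ', ') +
                   ". Change the default first, then re-run.")
}
```

Anything listed under Blocked is the method Graph refuses to delete until the default has been moved elsewhere, which is exactly the situation the question describes; the password method always lands under Skipped because there is no DELETE route for it. Each DELETE is an independent request, so a failure on one method does not roll back the ones already removed, which is why the script reports all three lists at the end rather than stopping at the first refusal.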