Azure B2C - MFA Reset using MSOL & GraphAPI

Sanal Somasundaran 11 Reputation points
2022-08-19T14:10:47.903+00:00

We are trying to find a way to automate MFA reset on Azure B2C tenant. Basically, I am trying to replicate the "Require re-register multifactor authentication" functionality.
From what I understand of the documentation for the Authentication Methods API (https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-1.0), each method has to be updated/deleted individually.

I was trying to delete a phoneAuthenticationMethod on the Azure AD B2C tenant

DELETE /v1.0/users/{user object id}/authentication/phoneMethods/{id}/   
Host: graph.microsoft.com  
Authorization: Bearer eyJ0eXA....  

But I keep getting below error

    {
        "error": {
            "code": "badRequest",
            "message": "The requested authentication method id of [{phone method id}] matches the user's current default authentication method, and cannot be deleted until the default authentication method is changed",
            "innerError": {
                "message": "The requested authentication method id of [{phone method id}] matches the user's current default authentication method, and cannot be deleted until the default authentication method is changed",
                "date": "2022-08-19T12:37:08",
                "request-id": "8f8a3ed7-6154-4f37-9615-96b03fecccf5",
                "client-request-id": "8f8a3ed7-6154-4f37-9615-96b03fecccf5"
            }
        }
    }

Again, from the documentation, it appears that managing the default method is currently supported only through the MSOL Get-MsolUser and Set-MsolUser cmdlets, using the StrongAuthenticationMethods property.

The first issue I faced was with connecting to the B2C tenant using the Connect-MsolService cmdlet. I realised that we need to create a local admin account in the B2C tenant and pass it as the Credential to connect to the tenant. Please let me know if there is any other way, maybe using access tokens. Graph API tokens don't seem to work.

After connecting, I did a Get-MsolUser call to get the methods for a user, as shown below. One of them is shown as the default.

[screenshot 232914-image.png: Get-MsolUser output listing the user's StrongAuthenticationMethods]

The interesting point here is that, when I do a Graph API call for authentication methods, the results are different.

https://graph.microsoft.com/beta/users/{id}/authentication/methods  
  
Response:  
{  
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('c93f3a73-30a8-4472-99df-fc9f866bdd3d')/authentication/methods",  
    "value": [  
        {  
            "@odata.type": "#microsoft.graph.phoneAuthenticationMethod",  
            "id": ".......",  
            "phoneNumber": "+XX XXXXXXXX14",  
            "phoneType": "mobile",  
            "smsSignInState": "notSupported"  
        },  
        {  
            "@odata.type": "#microsoft.graph.passwordAuthenticationMethod",  
            "id": "......",  
            "password": null,  
            "creationDateTime": null,  
            "createdDateTime": null  
        },  
        {  
            "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod",  
            "id": "......",  
            "secretKey": null  
        }  
    ]  
}  

I tried to change the Authentication methods using Set-MsolUser

PS>$DummySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod  
PS>$DummySMS.IsDefault = $true  
PS>$DummySMS.MethodType = "OneWaySMS"  
PS>Set-MsolUser -ObjectId "...object Id....." -StrongAuthenticationMethods $DummySMS  

PS>Get-MsolUser -ObjectId "...object Id....." | select -ExpandProperty StrongAuthenticationMethods  
ExtensionData                                    IsDefault MethodType  
-------------                                    --------- ----------  
System.Runtime.Serialization.ExtensionDataObject      True OneWaySMS  

So it seems to be updated from PowerShell, but when I do the Graph API call again there seems to be no change and the output is the same as before.

Please let me know if I am doing anything wrong. Also, how do I completely reset all MFA options from AuthenticationMethods?

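As an added example that is not part of the original question or answer: the Python below sketches the "delete everything Graph will let you delete" loop the question is after, run offline against a constructed copy of the methods response shown above. It maps each @odata.type to the collection it is deleted from under /users/{id}/authentication/, skips the password method (which has no DELETE endpoint), and treats the badRequest from the question as "blocked by the current default method" rather than a hard failure, so the caller can see exactly which factor still needs the default changed out of band. The user id, the method ids and the fake DELETE callback are constructed; no network calls are made.

```python
import json
from typing import Callable

# Constructed sample shaped like the GET /users/{id}/authentication/methods
# response in the question; the ids and the user id are made up.
SAMPLE_METHODS = {
    "value": [
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
         "id": "phone-method-1", "phoneNumber": "+XX XXXXXXXX14",
         "phoneType": "mobile", "smsSignInState": "notSupported"},
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod",
         "id": "password-method-1", "password": None},
        {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod",
         "id": "oath-method-1", "secretKey": None},
    ]
}

# Collection under /users/{id}/authentication/ that each method type is
# deleted from (Graph v1.0 authentication methods API).
DELETE_COLLECTIONS = {
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "windowsHelloForBusinessMethods",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": "temporaryAccessPassMethods",
}

# The password method has no DELETE: it is the primary credential, not an MFA factor.
NOT_DELETABLE = {"#microsoft.graph.passwordAuthenticationMethod"}


class GraphError(Exception):
    """HTTP error from Graph, carrying the parsed JSON error body."""
    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status}: {body.get('error', {}).get('message')}")
        self.status = status
        self.body = body


def is_default_method_error(body: dict) -> bool:
    """True for the badRequest in the question: the method is the user's
    current default and Graph refuses to delete it."""
    err = body.get("error", {})
    return (err.get("code") == "badRequest"
            and "default authentication method" in err.get("message", ""))


def plan_deletions(user_id: str, methods_response: dict):
    """Return (plan, skipped): plan is a list of (odata_type, id, relative_url)
    to DELETE; skipped lists the methods left alone and why."""
    plan, skipped = [], []
    for m in methods_response.get("value", []):
        mtype, mid = m["@odata.type"], m["id"]
        if mtype in NOT_DELETABLE:
            skipped.append((mtype, mid, "no DELETE endpoint"))
            continue
        coll = DELETE_COLLECTIONS.get(mtype)
        if coll is None:
            skipped.append((mtype, mid, "unknown method type"))
            continue
        plan.append((mtype, mid, f"/v1.0/users/{user_id}/authentication/{coll}/{mid}"))
    return plan, skipped


def reset_methods(user_id: str, methods_response: dict,
                  delete: Callable[[str], None]) -> dict:
    """Delete every method Graph will let us delete. `delete(path)` performs the
    HTTP DELETE (injected so this runs offline) and raises GraphError on 4xx/5xx.
    The default-method refusal is recorded as 'blocked'; other errors propagate."""
    plan, skipped = plan_deletions(user_id, methods_response)
    deleted, blocked = [], []
    for _mtype, _mid, path in plan:
        try:
            delete(path)
            deleted.append(path)
        except GraphError as e:
            if e.status == 400 and is_default_method_error(e.body):
                blocked.append((path, "current default method; change the default first"))
            else:
                raise
    return {"deleted": deleted, "blocked": blocked, "skipped": skipped}


def make_fake_graph(default_method_id: str) -> Callable[[str], None]:
    """Offline stand-in for the Graph DELETE: reproduces the error body from the
    question for the user's default method and succeeds for everything else."""
    def delete(path: str) -> None:
        if path.rstrip("/").rsplit("/", 1)[-1] == default_method_id:
            raise GraphError(400, {"error": {
                "code": "badRequest",
                "message": (f"The requested authentication method id of [{default_method_id}] "
                            "matches the user's current default authentication method, and "
                            "cannot be deleted until the default authentication method is changed")}})
    return delete


if __name__ == "__main__":
    result = reset_methods("user-1", SAMPLE_METHODS, make_fake_graph("phone-method-1"))
    print(json.dumps(result, indent=2))
```

Against the sample, the software OATH method is deleted, the password method is skipped, and the phone method is reported as blocked because it is the default; that blocked list is the part of a "reset" that Graph alone cannot finish for you.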

1 answer

  1. 2022-09-02T05:50:57.703+00:00

    Hello @Sanal Somasundaran and thanks for reaching out. MSOL user strong authentication methods and MS Graph user authentication methods are not the same, that's why changes in one do not reflect in the other one. As the error suggests, you cannot delete a phone number that's the user's default MFA authentication method. Changing or resetting the latter through MS Graph is currently not supported.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

