Admin can now change default Entra ID MFA method
Many of my customers have been using Entra ID (Azure Active Directory) MFA for ages. The problem for many of the early adopters is that many users enrolled to use SMS as the default method. Even if they have run campaigns and adoption events, some users just wont change. Some manage to configure the Authenticator app but skip to change the method to default, and keep using SMS. Previously, admins were unable to change the default MFA method. But now there is a change!
Now you can as an admin change the default Entra ID MFA method! This week in Azure portal we have a new setting called “Default sign-in method (Preview)”
To change the Default Entra ID MFA method
- Open Entra Admin Center
- Expand Users node and select All Users
- Search and open properties for the user you want to change
- Select Authentication Methods node
- If you end up on this page view, you need to select Switch to the new user authentication methods experience! Click here to use it now.
- Now you are displayed with a more modern admin page for authentication methods. On this page you can:
- See the user existing valid and non-valid authentication methods
- Add new authentication methods to the user
- See the system prefered MFA method for the user
- Require the user to re-register MFA
- Revoke the user MFA sessions
- Reset the user Password
- Set the default sign-in method
- Select the new Default sign-in method
- Set the new default sign-in method for the user
This can also be done by Graph API on https://graph.microsoft.com/beta/users/USERNAME/authentication/signInPreferences
Just Patch value for userPreferredMethodForSecondaryAuthentication
I will probably get back to that in my next blog!