Delete all authentication methods for a user

[merill]

Copy this code into a new .ps1 file and run the .ps1 file.
Note that an error is displayed if the default auth method is being deleted before the other methods. The script tracks it and performs a final cleanup at the end to delete the default method.

A final check is run to confirm that all auth methods for the user have been deleted.

$userId = 'diegos@demotenant.onmicrosoft.com'
function DeleteAuthMethod($uid, $method){
    switch ($method.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.fido2AuthenticationMethod' { 
            Write-Host 'Removing fido2AuthenticationMethod'
            Remove-MgUserAuthenticationFido2Method -UserId $uid -Fido2AuthenticationMethodId $method.Id
        }
        '#microsoft.graph.emailAuthenticationMethod' { 
            Write-Host 'Removing emailAuthenticationMethod'
            Remove-MgUserAuthenticationEmailMethod -UserId $uid -EmailAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { 
            Write-Host 'Removing microsoftAuthenticatorAuthenticationMethod'
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $uid -MicrosoftAuthenticatorAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.phoneAuthenticationMethod' { 
            Write-Host 'Removing phoneAuthenticationMethod'
            Remove-MgUserAuthenticationPhoneMethod -UserId $uid -PhoneAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.softwareOathAuthenticationMethod' { 
            Write-Host 'Removing softwareOathAuthenticationMethod'
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $uid -SoftwareOathAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod' { 
            Write-Host 'Removing temporaryAccessPassAuthenticationMethod'
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $uid -TemporaryAccessPassAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' { 
            Write-Host 'Removing windowsHelloForBusinessAuthenticationMethod'
            Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $uid -WindowsHelloForBusinessAuthenticationMethodId $method.Id
        }
        '#microsoft.graph.passwordAuthenticationMethod' { 
            # Password cannot be removed currently
        }        
        Default {
            Write-Host 'This script does not handle removing this auth method type: ' + $method.AdditionalProperties['@odata.type']
        }
    }
    return $? # Return true if no error and false if there is an error
}

$methods = Get-MgUserAuthenticationMethod -UserId $userId
# -1 to account for passwordAuthenticationMethod
Write-Host "Found $($methods.Length - 1) auth method(s) for $userId"

$defaultMethod = $null
foreach ($authMethod in $methods) {
    $deleted = DeleteAuthMethod -uid $userId -method $authMethod
    if(!$deleted){
        # We need to use the error to identify and delete the default method.
        $defaultMethod = $authMethod
    }
}

# Graph API does not support reading default method of a user.
# Plus default method can only be deleted when it is the only (last) auth method for a user.
# We need to use the error to identify and delete the default method.
if($null -ne $defaultMethod){
    Write-Host "Removing default auth method"
    $result = DeleteAuthMethod -uid $userId -method $defaultMethod
}

Write-Host "Re-checking auth methods..."
$methods = Get-MgUserAuthenticationMethod -UserId $userId
# -1 to account for passwordAuthenticationMethod
Write-Host "Found $($methods.Length - 1) auth method(s) for $userId"

[Fogelson-PBSC]

Hi @merill I just saw your Graph tips webinar, which led me here.

I have written a very similar script to this to clear users' MFA methods. I wrote it using an App Reg and application permissions that are accessed via a front end tool so that our Service desk can clear users' MFA methods.

I have identified a couple of instances where this script will not work and in fact, for one of these instances, I'm having an issue as well, since I see no programmatic way to clear a user's MFA methods.

Suppose a user has the authenticator app configured as their default method as well as a primary and alternate mobile phone configured.
When this script runs, it will get an error removing the authenticator method, as it is the default and the script will set $defaultmethod to the authenticator method.
The next method is primary phone which will also receive an error, "Cannot delete mobile number without first deleting alternate mobile number." and the script will then replace $defaultmethod with this phone method. The script will then delete the alternate mobile phone and then attempt to delete this method again, which should work, but will then leave the authenticator app untouched and the script will need to be run again. This should be relatively simple fix, but I thought I'd mention it.

More importantly though, if a user has both a primary and alternate mobile phone and they then specify their alternate mobile phone as their default method, then we have a catch 22.
The primary mobile phone cannot be deleted, until the alternate mobile is deleted, but the alternate mobile cannot be deleted, until it is last, since it is the default. And since there is no way to change the default method administratively, there's no way to do this with a script.

And I've tried to delete these methods in the portal as well, with the same results. The only way to actually resolve the issue for the user is to "require re-register multi-factor authentication" in the portal. This was easily completed programmatically in the past using "Set-MSOLUser -StrongAuthenticationMethods @()", but since this is now deprecated, there is currently no way to do it programatically.

Do you have any idea if this is a known issue and whether it will be addressed to allow deletion in this instance? Or maybe we can just get access to the "require re-register multi-factor authentication" flag via graph?

Thanks,
Jason

[manuel-falcao-magalhaes]

Hello @merill, thank you for this script.

Just to note that "Remove-MgUserAuthenticationWindowHelloForBusinessMethod" in the script should be "Remove-MgUserAuthenticationWindowsHelloForBusinessMethod" instead.

[merill]

Thanks. Fixed.

[frazeraccount]

I have version 1.27.0 of the Microsoft.Graph module installed, and it is indeed:
Get-MgUserAuthenticationWindowHelloForBusinessMethod

[frazeraccount]

This was corrected to Windows (plural) in subsequent version. I tested 2.20.0 and it is now correct.

[ZachEdwards7]

@merill I'd recommend setting $defaultMethod = $null right before the foreach loop. As it's written now, it will work as expected the first time, but subsequent runs will have the last user's defaultMethod stored from the previous execution

[merill]

Thanks @ZachEdwards7 good suggestion. Updated.

[frazeraccount]

This was probably a typo on the part of Microsoft's devs. To delete Windows Hello for Business methods the correct cmdlet includes the singular word "Window" not "Windows" (module version 1.27.0):

Remove-MgUserAuthenticationWindowHelloForBusinessMethod

[frazeraccount]

I checked version 2.20.0 and this has been corrected.

[frazeraccount]

Since VS Code called it out, I have to ask the question. What is the purpose of the $result variable?

[wmiss6]

Hi @merill, thanks for this script. I noticed that this script seems to experience an error when there are multiple authentication methods but the default device is the phone?

Found 2 auth method(s) for xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
Removing phoneAuthenticationMethod
Remove-MgUserAuthenticationPhoneMethod : The requested authentication method id of 
[xxxxxx-xxxx-xxxx-xxxxxx-[87](https://github.com/actions/runs/job/#step:3:88)] matches the user's current default authentication method, and cannot be deleted 
until the default authentication method is changed
Status: 400 (BadRequest)
ErrorCode: badRequest
Date: 2024-09-09T13:57:08
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : xxxxx-xxxx-xxxx-[94](https://github.com/actions/runs/job/#step:3:95)
client-request-id             : xxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxxxxx
x-ms-ags-diagnostic           : {"ServerInfo":{""}}
Date                          : Mon, 09 Sep 2024 13:57:07 GMT
At C:\Invoke-DeleteAuthMethod.ps1:25 char:17
+ ...             Remove-MgUserAuthenticationPhoneMethod -UserId $uid -Phon ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = ffaa... , Headers =  }:<>f__AnonymousType166`4) [Remove-Mg 
   UserAu...neMethod_Delete], Exception
    + FullyQualifiedErrorId : badRequest,Microsoft.Graph.PowerShell.Cmdlets.RemoveMgUserAuthenticationPhoneMethod_Dele 
   te

Is this a limitation of the api, the script or is there something I could do to prevent the issue? I know your code has these segments
which address the issue of trying to delete the default auth method, but as I mentioned it seems to cause an error when the phone is the default method:

$defaultMethod = $null
foreach ($authMethod in $methods) {
    $deleted = DeleteAuthMethod -uid $userId -method $authMethod
    if(!$deleted){
        # We need to use the error to identify and delete the default method.
        $defaultMethod = $authMethod
    }
}

# Graph API does not support reading default method of a user.
# Plus default method can only be deleted when it is the only (last) auth method for a user.
# We need to use the error to identify and delete the default method.
if ($null -ne $defaultMethod){
    Write-Host "Removing default auth method"
    $result = DeleteAuthMethod -uid $userId -method $defaultMethod
    write-host "result: $result"
}

Write-Host "Re-checking auth methods..."
$methods = Get-MgUserAuthenticationMethod -UserId $userId
# -1 to account for passwordAuthenticationMethod
Write-Host "Found $($methods.Length - 1) auth method(s) for $userId"

I confirmed that the script runs flawlessly after modifying the user's default method away from the phone.

For clarity, when I say the script errors, I mean that it terminates not allowing it to further process the request. Here is the output after switching the default method from phone to TOTP:

Found 2 auth method(s) for xxxxxx-xxxxx-xxxx-xxxx-xxxxxxx
Removing phoneAuthenticationMethod
Removing softwareOathAuthenticationMethod
Re-checking auth methods...
Found 0 auth method(s) for xxxxxx-xxxxx-xxxx-xxxxx-xxxxx[53](https://github.com//actions/runs/job/#step:3:54)

Again, thank you for sharing this script!

[merill]

You might need to run the script a few times. It's a problem with the API when it comes to deleting auth methods that are the default.