Transitioning from "Reset MFA" to "Remove all the authentication methods"

  • Last update on December 18th, 2024

Following Microsoft’s anticipated changes, we are phasing out the management action “Reset MFA” in favor of the new action “Remove all the authentication methods”. Both actions will be available until March 2025 to ensure a smooth transition. This article outlines the key differences between these two actions and provides guidance for making the necessary updates before the transition is fully implemented.

Key differences 

Cmdlet update

The “Reset MFA” action relies on the MSOnline cmdlet Reset-MsolStrongAuthenticationMethodByUpn, which will be phased out by Microsoft in March 2025.

To ensure uninterrupted service, please update all workflows and permissions utilizing the “Reset MFA” action to the new “Remove all the authentication methods” action before this deadline.

 

Field change

The “Reset MFA” action operates on a field known as “Strong authentication methods”, whereas the new action will use the field “Registered authentication methods”. Both fields can be accessed through the user's report.

Authentication methods that can be removed

The “Remove all the authentication methods” action allows the removal of the following authentication methods:

  • Email
  • FIDO2
  • Microsoft Authenticator
  • Phone
  • Software Authenticator
  • Temporary access pass
  • Windows Hello for Business

It is important to note that password authentication is not included in this list, as Microsoft does not permit its removal through this action.

 

The “Remove all the authentication methods” action requires consent for the UserAuthenticationMethod.ReadWrite.All permission, which is the same permission already required for managing MFA. If neither organizational nor individual consent has been granted yet, it must be granted before the new action can be used.
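For administrators who want to audit or reproduce the same operation directly against Microsoft Graph, the following added example (not code from this article or from the product) lists a user's registered methods with the Microsoft Graph PowerShell SDK and removes each type in the list above, leaving the password entry untouched. The function name and the mapping of “Software Authenticator” to Graph's softwareOath type are assumptions; run it with -WhatIf first to see what would be removed.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Added example, not the vendor's implementation. Assumes an existing session:
#   Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
function Remove-RegisteredAuthMethod {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserId)  # UPN or object ID

    # Graph method types matching the article's list. "Software Authenticator"
    # is assumed to be softwareOath. 'password' is absent: it cannot be removed.
    $removable = 'email', 'fido2', 'microsoftAuthenticator', 'phone',
                 'softwareOath', 'temporaryAccessPass', 'windowsHelloForBusiness'

    $removed = @()
    $pending = @(Get-MgUserAuthenticationMethod -UserId $UserId)

    # Two passes: Graph may refuse to delete the user's default method while
    # other methods remain, so anything that fails is retried once at the end.
    foreach ($pass in 1, 2) {
        $retry = @()
        foreach ($m in $pending) {
            # '#microsoft.graph.phoneAuthenticationMethod' -> 'phone'
            $kind = $m.AdditionalProperties['@odata.type'] -replace
                    '^#microsoft\.graph\.|AuthenticationMethod$'
            if ($kind -notin $removable) { continue }
            if (-not $PSCmdlet.ShouldProcess($UserId, "Remove $kind method $($m.Id)")) {
                continue
            }
            # Each type has its own cmdlet and its own ID parameter name.
            $params = @{ UserId = $UserId; "${kind}AuthenticationMethodId" = $m.Id }
            try {
                & "Remove-MgUserAuthentication${kind}Method" @params -ErrorAction Stop
                $removed += "${kind}:$($m.Id)"
            } catch {
                $retry += $m
            }
        }
        $pending = $retry
    }

    # Summary for the change record; NotRemoved entries need manual review.
    [pscustomobject]@{
        UserId     = $UserId
        Removed    = $removed
        NotRemoved = @($pending | ForEach-Object { $_.Id })
    }
}

# Dry run against a constructed example account:
# Remove-RegisteredAuthMethod -UserId 'user@example.com' -WhatIf
```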

Workflow 

The “Remove all the authentication methods” action is also available as a workflow action.