Manage user authentication methods for Microsoft Entra multifactor authentication

Users in Microsoft Entra ID have two distinct sets of contact information:

  • Public profile contact information, which is managed in the user profile and visible to members of your organization. For users synced from on-premises Active Directory, this information is managed in on-premises Windows Server Active Directory Domain Services.
  • Authentication methods, which are always kept private and only used for authentication, including multifactor authentication. Administrators can manage these methods in a user's authentication method blade and users can manage their methods in Security Info page of MyAccount.

When managing Microsoft Entra multifactor authentication methods for your users, Authentication administrators can:

  • Reset a user's password.
  • Require a user to re-register for MFA.
  • Revoke existing MFA sessions.
  • Delete a user's existing app passwords

Note

The screenshots in this topic show how to manage user authentication methods by using an updated experience in the Microsoft Entra admin center. There's also a legacy experience, and admins can toggle between the two using a banner in the admin center. The modern experience has full parity with the legacy experience, and it manages modern methods like Temporary Access Pass and other settings. The legacy experience in the Microsoft Entra admin center will be retired starting Oct 31, 2024. There's no action required by organizations before the retirement.

Prerequisites

Microsoft Entra multifactor authentication, which is enabled by default.

Manage user authentication options

Tip

Steps in this article might vary slightly based on the portal you start from.

Authentication Administrators can require other users to reset their password, re-register for MFA, or revoke existing MFA sessions from their user object. Users can't update their own user object. To change or reset their own security methods, users can go to Security info, or go to self-service password reset to reset their password. To manage other user's settings, complete the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.

  2. Browse to Identity > Users > All users.

  3. Choose the user you wish to perform an action on and select Authentication methods. At the top of the window, then choose one of the following options for the user:

    • Reset password resets the user's password and assigns a temporary password that must be changed on the next sign-in.
    • Require re-register MFA deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.
    • Revoke MFA sessions clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.

    Screenshot of manage authentication methods from the Microsoft Entra admin center.

Delete users' existing app passwords

For users that have defined app passwords, administrators can also choose to delete these passwords, causing legacy authentication to fail in those applications. These actions may be necessary if you need to provide assistance to a user, or need to reset their authentication methods. Non-browser apps that were associated with these app passwords will stop working until a new app password is created.

To delete a user's app passwords, complete the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.

  2. Browse to Identity > Users > All users.

  3. Select Multifactor authentication. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location: Screenshot of select multifactor authentication from the Users window in Microsoft Entra ID.

  4. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.

  5. Select Manage user settings, then check the box for Delete all existing app passwords generated by the selected users, as shown in the following example: Screenshot of delete all existing app passwords.

  6. Select save, then close.