
Manage user-preferred multi-factor authentication method in Microsoft Entra ID

This post is all about setting the preferred multi-factor authentication method using the Graph API. We already know the system-preferred multi-factor authentication method, where Microsoft Entra ID uses the strongest of all the registered methods, but this time we take a look at the default method set by the user.

At the time of writing, the default method can only be set by using the new authentication sign-in preferences in the Graph API; however, some of the APIs are already integrated into the Entra portal.

Update 02-08-2023: You can now change the default sign-in method from the Entra portal as well.

This information can also be retrieved using the Graph API directly. For the purpose of this demo, we use Graph Explorer.

GET https://graph.microsoft.com/beta/users/MeganB@M365x80658054.OnMicrosoft.com/authentication/signInPreferences

Ensure your account has the correct permissions to retrieve the data.

The response will have three values:

isSystemPreferredAuthenticationMethodEnabled: Indicates whether the system-preferred method is enabled for this user.
userPreferredMethodForSecondaryAuthentication: The default second-factor method chosen by the user when signing in.
systemPreferredAuthenticationMethod: If the system-preferred method is enabled, shows the default/strongest method.

Now let’s see what the data looks like when a user is enabled for system-preferred authentication method.

As you can see, the user-preferred method is still ‘sms’ but is overruled by the system-preferred method, which is now ‘Fido2’.

Let’s see if we can change the user-preferred method.

PATCH https://graph.microsoft.com/beta/users/MeganB@M365x80658054.OnMicrosoft.com/authentication/signInPreferences

Request body:

{
    "userPreferredMethodForSecondaryAuthentication": "oath"
}

Possible values for userPreferredMethodForSecondaryAuthentication are push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, and unknownFutureValue.

Now, if we check what the new values are, we can see the default method has changed to ‘oath’.

There’s an app for that!

Looking at the new APIs and seeing that UX controls are still missing from the Entra portal, I decided to build a PowerApp around this API. The concept is pretty simple: the PowerApp works as the front-end and calls two Power Automate flows, one for getting the current settings and another one for updating the settings.

The PowerApp looks like this:

The app is also aware of the methods registered for/by the user, so it greys out the methods that are not registered or that are already set as the default method. All this info is gathered using Power Automate and various API calls.

{
  "userpreferredmethodforsecondaryauthentication": "sms",
  "systempreferredauthenticationmethod": "Sms",
  "issystempreferredauthenticationmethodenabled": true,
  "push_registered": false,
  "oath_registered": false,
  "voicemobile_registered": true,
  "voicealternatemobile_registered": false,
  "voiceoffice_registered": false,
  "sms_registered": true
}
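To make the two pieces above concrete (which method Entra ID will actually prompt for when the system-preferred setting overrules the user's choice, and the "grey out what is not registered or already the default" logic of the app), here is an added Python example. It is not the post's PowerApp or Power Automate code; it takes the flow output shown above as constructed sample input, validates a requested change against the allowed values listed earlier, and builds the PATCH body. The helper that sends the PATCH assumes a token carrying a permission that may write authentication settings (the `access_token` and `opener` parameters are hypothetical names chosen here).

```python
import json
import urllib.request

# Values accepted by userPreferredMethodForSecondaryAuthentication, as listed in the post.
ALLOWED_METHODS = ("push", "oath", "voiceMobile", "voiceAlternateMobile",
                   "voiceOffice", "sms", "unknownFutureValue")

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample: the shape the post's Power Automate flow hands to the PowerApp.
# The flow lower-cases the keys and re-cases some values, which is why every
# lookup below ignores case instead of trusting the spelling.
SAMPLE_FLOW_OUTPUT = {
    "userpreferredmethodforsecondaryauthentication": "sms",
    "systempreferredauthenticationmethod": "Sms",
    "issystempreferredauthenticationmethodenabled": True,
    "push_registered": False,
    "oath_registered": False,
    "voicemobile_registered": True,
    "voicealternatemobile_registered": False,
    "voiceoffice_registered": False,
    "sms_registered": True,
}


def _get(data, key):
    """Case-insensitive lookup so the raw Graph response and the flow output both work."""
    wanted = key.lower()
    for k, v in data.items():
        if k.lower() == wanted:
            return v
    return None


def canonical(method):
    """Map a method name in any casing ("Sms", "voicemobile") onto the Graph enum spelling."""
    for m in ALLOWED_METHODS:
        if m.lower() == str(method).lower():
            return m
    raise ValueError(f"unknown method: {method!r}")


def effective_second_factor(prefs):
    """Method Entra ID will actually prompt for: the system-preferred one wins when enabled."""
    system_method = _get(prefs, "systemPreferredAuthenticationMethod")
    if _get(prefs, "isSystemPreferredAuthenticationMethodEnabled") and system_method:
        return canonical(system_method)
    return canonical(_get(prefs, "userPreferredMethodForSecondaryAuthentication"))


def selectable_methods(flow_output):
    """Methods the app should leave enabled: registered by the user and not already the default."""
    current = canonical(_get(flow_output, "userPreferredMethodForSecondaryAuthentication"))
    selectable = []
    for m in ALLOWED_METHODS:
        if m == "unknownFutureValue":       # placeholder enum value, never selectable
            continue
        if _get(flow_output, f"{m}_registered") and m != current:
            selectable.append(m)
    return selectable


def build_patch_body(flow_output, new_method):
    """Validate the requested change and return the PATCH body shown in the post."""
    m = canonical(new_method)
    if m not in selectable_methods(flow_output):
        raise ValueError(f"{m} is not registered for this user or is already the default")
    return {"userPreferredMethodForSecondaryAuthentication": m}


def patch_sign_in_preferences(upn, access_token, body, opener=urllib.request.urlopen):
    """Send the PATCH from the post. `opener` is injectable so the call can be tested
    without touching Graph; a real call needs a token that may write these settings."""
    req = urllib.request.Request(
        f"{GRAPH_BETA}/users/{upn}/authentication/signInPreferences",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    print("effective:", effective_second_factor(SAMPLE_FLOW_OUTPUT))   # sms
    print("selectable:", selectable_methods(SAMPLE_FLOW_OUTPUT))       # ['voiceMobile']
    print(build_patch_body(SAMPLE_FLOW_OUTPUT, "voiceMobile"))
```

With the sample output, only voiceMobile is left selectable: sms is registered but already the default, and the remaining methods are not registered. Asking for oath or sms raises instead of producing a request, which is the same guard the app enforces by greying out buttons.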

I’ve uploaded the PowerApp sample to GitHub for you to download. Do know that this is far from production ready and is only to be used for educational purposes or as a proof of concept.

Wrap things up

Having an API to set the default multi-factor authentication method can be handy during some projects. Wrapping it inside a PowerApp is even more fun, and I had a blast building this. The concept works with every API endpoint, so I hope this post might inspire you to build your own fancy PowerApp someday. Take a look at the sample on GitHub, and don’t hesitate to ask questions. I’m more than happy to help you out on your adventure.

Here you can find more information about the new API: authentication resource type – Microsoft Graph beta | Microsoft Learn

Stay safe!
