Microsoft is now release new features to Authentication Methods API. One of the most missing component was Application Permissions that are now in Public Preview. What mean with Application support? You can connect and change sign-in methods for all users. Before was only delegated permission an option and the you need to sign-in with each user to do the change the user settings.

From now you are able to Add, Change or Remove the phone number from authentication pane in Azure. You are also able to change default methods for the Multi Faktor Authentication sign-in. You can also remove an configuration of Authentication App for a user or all users by script.

  1. Log into the Azure portal as a Global Administrator.
  2. Navigate to the Azure AD extension and click on “App registrations” in the Manage section.
  3. Click on “New registration” button at the top of the page.
  4. Provide a name for the application, do not set a Redirect URI. eg “Authentication Methods App Permissions”
  1. Click “Register”
  2. When the application is registered, copy the Application (client) ID value, and save the value for later.
  1. Click on “API permissions”, then click “Add a permission”
  2. Select “Application permissions” and add the following permission: UserAuthenticationMethod.ReadWrite.All
  3. Under the API Permissions page, Click on Grant admin consent for… and follow the prompts.

In this blog I describe how to create and connect with certificate. Connect Azure Automation Runbook script with service principal for AzureAD – Microsoft 365 Tech blog (cloudtech.nu)

PowerShell support will be releasing in the module https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.signins

Below is an example how you can connect and view, edit and remove settings via PowerShelll.

Connect-AzureADUserAuthenticationMethod -TenantId customer.onmicrosoft.com -ClientID 'a549f699-ecc5-434f-a4bs-60dwwfaefb1c' -Thumbprint 'BD5C844DA9195A749AA45B347235345571C99AA6'

List a user settings

Get-AzureADUserAuthenticationMethod -ObjectId 1d10eb54-f49d-4693-9bb8-0522b3a7d33c

Add new phone number and configure SMS on the user

New-AzureADUserAuthenticationMethod -ObjectId 1d10eb54-f49d-4693-9bb8-0522b3a7d33c -PhoneNumber +4670XXXXXXX -PhoneType mobile

Remove mobile phone number configuration for a user

Remove-AzureADUserAuthenticationMethod -ObjectId 1d10eb54-f49d-4693-9bb8-0522b3a7d33c -Phone -PhoneType mobile

Remove Microsoft Authenticator App configuration for a user

Remove-AzureADUserAuthenticationMethod -ObjectId 1d10eb54-f49d-4693-9bb8-0522b3a7d33c -MicrosoftAuthenticator -MethodId 6b5db7e3-ccec-45a9-bf6c-0183f69c9253