Manage MFA (Entra ID)

Written by Huzayfah Patel
Updated over 7 months ago

You can manage the authentication method as well as deactivate and reactivate the MFA for users through the Entra Admin center.

Note: You will need an administrator login to access this link and view other users' authentication settings.

  1. Log in to the Entra Admin center using your credentials.

  2. On the left-hand side, select Users and then All users.

  3. Select the user you would like to view.

  4. On the new screen that opens, click on Authentication methods to the left.

Here you will be able to see which authentication method has been enabled for the user, if any, under the Authentication method table. The default authentication method used by the user can be seen just above this.


Reset/Revoke MFA

If you would like to reset the MFA for a particular user, or you would like to revoke MFA sessions, follow the steps below.

  1. Follow steps 1-4 from the top of this article.

  2. Once on this screen you will see two options near the top of the screen:

    • Require re-register multifactor authentication - this will revoke any active MFA methods from this user and require them to set it up again on next login.

    • Revoke multifactor authentication sessions - this clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.


Add authentication methods

You can also add authentication methods for a user. To do this:

  1. Follow steps 1-4 from the top of this article.

  2. On this screen, you will see Add authentication method near the top of the screen.

    • Note: if you can't see Add authentication method, click “switch to the new user authentication methods experience”.

  3. Clicking this will bring a flyout pane from the right which allows you to choose an authentication method for the selected user.

    • Email - Allows you to enter an email address to receive one-time-use codes for login.

    • Phone Number - Enter a phone number to receive one-time-use codes for login.

    • Temporary Access Pass - A time-limited passcode which can be configured for single or multiple use. For more information please see the section below.


Temporary Access Pass

A temporary access pass allows you to generate a code that can be used for logins to the account selected. It will create a code which will act as a bypass for the specified period of time (up to 5 hours). To configure this, please follow the steps below.

  1. Follow steps 1-4 from the top of this article.

  2. Click Add authentication method near the top of the screen.

  3. In the flyout pane, select Temporary Access Pass in the dropdown.

    • Delayed start time - Ticking this box allows you to specify when the temporary access pass should become active.

    • Activation duration - How long you would like the temporary access pass to be active for (up to 5 hours).

  4. Once all conditions have been satisfied, click Add.

  5. Once added, the details of the temporary access pass will be shown.

  6. Provide the pass to the user. Do not provide the secure registration link to the user.

  7. Once the user logs in, they will be prompted for the access pass rather than the usual MFA prompt.
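
The same configuration can be scripted. The following is an added example, not part of the original article, using the Microsoft Graph PowerShell SDK; the function name New-UserTemporaryAccessPass and the account user@example.com are placeholders, and it assumes Temporary Access Pass is enabled as an authentication method in your tenant. It defaults to a single-use pass and caps the duration at the 5 hours stated above.

```powershell
# Added example, not from the original article.
# Requires the Microsoft.Graph.Identity.SignIns module and an administrator sign-in.

function New-UserTemporaryAccessPass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # User principal name or object ID of the account.
        [Parameter(Mandatory)]
        [string] $UserId,

        # Activation duration; 300 minutes is the 5-hour limit given in this article.
        [ValidateRange(10, 300)]
        [int] $LifetimeInMinutes = 60,

        # Single use by default, so a pass that leaks cannot be replayed.
        [bool] $IsUsableOnce = $true,

        # Optional delayed start time.
        [datetime] $StartDateTime
    )

    $body = @{
        isUsableOnce      = $IsUsableOnce
        lifetimeInMinutes = $LifetimeInMinutes
    }

    if ($PSBoundParameters.ContainsKey('StartDateTime')) {
        if ($StartDateTime -le (Get-Date)) {
            throw 'StartDateTime must be in the future.'
        }
        $body.startDateTime = $StartDateTime.ToUniversalTime()
    }

    if ($PSCmdlet.ShouldProcess($UserId, 'Create Temporary Access Pass')) {
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body

        # Return only what the admin needs to pass on and record.
        [pscustomobject]@{
            UserId              = $UserId
            TemporaryAccessPass = $tap.TemporaryAccessPass
            StartDateTime       = $tap.StartDateTime
            LifetimeInMinutes   = $tap.LifetimeInMinutes
            IsUsableOnce        = $tap.IsUsableOnce
        }
    }
}

# Constructed usage: user@example.com is a placeholder account.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
New-UserTemporaryAccessPass -UserId 'user@example.com' -LifetimeInMinutes 60
```

Running the function with -WhatIf shows the target account without creating a pass.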


Amend MFA details

You can also change the number for the user in the event that they don't have access to the old phone. To do this:

  1. Follow steps 1-4 from the top of this article.

  2. In the Phone field you can input the user's new number.

    • It will need to be in the specific format of +44 7123456789.

    • You can also add an alternate phone number or email address for recovery purposes in the corresponding fields.

  3. Once entered, hit Save at the top.

If you have any further queries regarding this, please raise a new case online and reference the title of this article.
