On Day 28 of Cybersecurity awareness month, learn how to boost security by removing phone authentication for Microsoft 365 users. Keep an eye out for more valuable insights in our M365 Cybersecurity blog series!
Did you know that SIM swapping and Man-in-the-Middle (MitM) attacks skyrocketed by 400% between 2015 and 2022? Here are some eye-opening examples:
- 2024: The U.S. SEC’s X account fell victim to a SIM-swap attack.
- 2023: The Lapsus$ group used SIM swapping to breach major companies like Microsoft, Samsung, Uber, and more.
- 2019: Twitter’s CEO, Jack Dorsey, had his account hacked via SIM swapping.
What’s fueling this trend? It is largely due to organizations and individuals relying on less secure MFA methods, SMS and voice calls, which makes them prime targets for attackers. Don’t let your Microsoft 365 organization become the prey of such attacks! Take the lead now by removing phone-based MFA methods. Let’s see how to do it!
How to Delete Phone Authentication for Microsoft 365 Users
Admins can use three effective methods to delete phone-based MFA (SMS and voice calls). Let’s explore each method.
1. Remove Phone-based Authentication Method Using Entra Admin Center
To remove phone authentication via the Entra admin center, follow the steps below.
- Step 1: Sign in to the Microsoft Entra admin center.
- Step 2: Go to the Identity section and click on All Users under the Users section.
- Step 3: Select the user for whom you want to delete phone authentication.
- Step 4: Click the ellipsis (…) next to the “Phone number” listed under Usable Authentication Methods and select Delete.
2. Delete Phone Authentication for a User in Microsoft 365
Microsoft offers three phone types for MFA: primary, alternate, and office numbers. You can delete any of these configured phone authentication types for a user using MS Graph PowerShell by following the steps below.
- Open Windows PowerShell and connect to Microsoft Graph PowerShell.
- Once done, run the following cmdlet, replacing the user ID and the phone authentication method ID in the respective places.

```powershell
Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId b6332ec1-7057-4abe-9331-3d72feddfe41
```

Example:

```powershell
Remove-MgUserAuthenticationPhoneMethod -UserId John@contoso.com -PhoneAuthenticationMethodId b6332ec1-7057-4abe-9331-3d72feddfe41
```

The above example removes the alternate mobile number from John’s account.
3. Use PowerShell Script to Delete Phone Authentication for M365 Users
Why is this the recommended method? While the previous methods are effective for deleting phone MFA on a user-by-user basis, they can become tedious when dealing with bulk deletions. Repeating the same steps and cmdlets for multiple users is not only time-consuming but also prone to errors. That’s where our PowerShell script shines!
This powerful tool enables you to delete Phone MFA for all users at once, streamlining your work and saving you time.
Download script: ResetPhoneAuthentication.ps1
But that’s just one of its many capabilities! Here’s a sneak peek at the versatile features packed into our PowerShell script:
- As mentioned earlier, Microsoft provides users with three contact numbers: a primary, an office, and an alternate number. The catch? You have to remove each one individually to fully ditch phone-based MFA. But don’t sweat it! Our PowerShell script swoops in to save the day, letting you delete all those numbers in one swift move!
- Next up, let’s talk about use cases! This all-in-one PowerShell script tackles real-time scenarios effortlessly, streamlining the deletion of phone MFA for a variety of needs. Check out the user scopes it covers:
  - Single user
  - Bulk users
  - All users
  - Admin accounts
  - Guest users
  - Licensed users
  - Disabled users
- Confirmation is simple! After running the script, a detailed log will be generated, allowing you to easily review which user accounts have had phone authentication removed.
Let’s look at each of the cases this PowerShell script handles in detail.
1. Delete phone MFA for a Microsoft 365 user using PowerShell
2. Delete phone authentication for multiple users
3. Delete phone MFA for all users
4. Delete phone MFA for admins using PowerShell
5. Delete phone MFA for guest users
6. Remove phone MFA for disabled users
7. Remove phone MFA for licensed users
Note:
- This script doesn’t support removing phone authentication for your own Microsoft 365 account.
- Additionally, if phone authentication is set as the default method for users, the script will not remove it for those accounts.
- This script will not remove phone MFA for users who belong to a restricted management administrative unit.
1. Delete SMS and Voice Call MFA for a User Using PowerShell
This case arises when a user loses their phone and is unable to sign in to their Microsoft 365 account. If that device ends up in the wrong hands, the SMS or voice call authentication methods can be exploited, enabling unauthorized access to sensitive information. To safeguard against such risks, you can easily delete phone authentication by running the script as follows:

```powershell
.\ResetPhoneAuthentication.ps1
```

You’ll be prompted to enter the user ID. Alternatively, you can pass the UPN or Object ID using the "-UserId" parameter to remove the registered phone number from the user.

```powershell
.\ResetPhoneAuthentication.ps1 -UserId <UPN>
```
Example:
```powershell
.\ResetPhoneAuthentication.ps1 -UserId Michael@contoso.com
```

The above example removes phone authentication from Michael’s account. Once removed, Michael can no longer use the registered phone number to sign in to the work account.
If you want to delete a specific type of phone authentication, use the "-ResetPhoneMFA" parameter. You can specify the parameter as "Primary Mobile", "Alternate Mobile", or "Office" to target a specific number:

```powershell
.\ResetPhoneAuthentication.ps1 -UserId <UPN> -ResetPhoneMFA <PhoneMFAMethod>
```
Example:
```powershell
.\ResetPhoneAuthentication.ps1 -UserId john@contoso.com -ResetPhoneMFA Office
```

The above example removes the office phone MFA method from John’s account. You can use the same approach to delete an old number when a user has changed their phone number for MFA and wants to register a new one.
2. Delete Phone Authentication for Multiple Users
Even if you set stronger methods as the default authentication, users may still opt for weak registered MFA methods, like SMS or voice calls, because they are simpler. You can identify those who frequently use SMS or voice call MFA and add them to a CSV file.
Once the file is ready, you can use the "-CSVFilePath" parameter to specify the file path and remove phone MFA for these users, ensuring they no longer rely on less secure authentication methods.
CSV Sample:
Cmdlet:

```powershell
.\ResetPhoneAuthentication.ps1 -CSVFilePath <Path of CSV File>
```

Example:

```powershell
.\ResetPhoneAuthentication.ps1 -CSVFilePath D:\Bulkusers -ResetPhoneMFA "Primary Mobile"
```
The above example will delete Primary phone numbers for “Gayle”, “Diego”, “Adele”, “John”, and “JoniS”.
3. Delete Phone MFA for All Microsoft 365 Users
Microsoft is taking the leap to phase out SMS and phone call MFA, so organizations need to move to stronger methods. Why wait for the change when you can lead the way? Delete phone authentication for all users and encourage a shift toward Microsoft Authenticator or passkeys for secure sign-in!
Take the first step by executing the script with the "-AllUsers" parameter:

```powershell
.\ResetPhoneAuthentication.ps1 -AllUsers
```
4. Delete Phone Number MFA for Office 365 Admins
Microsoft recommends that admins prioritize phishing-resistant authentication methods to enhance security. To strengthen your defenses, remove the weaker methods, SMS and voice calls, from admin accounts so that they use their registered passwordless authentication methods instead.
Simply run the script with the "-AdminsOnly" parameter and take a step towards a more secure environment.

```powershell
.\ResetPhoneAuthentication.ps1 -AdminsOnly
```
The above example will delete Phone MFA for all admins.
5. Delete Phone MFA for Guest users
Just deleting phone authentication for internal users isn’t sufficient to ensure security! Organizations that collaborate with external partners need to extend those measures to guest users as well, since threats can originate from anywhere!
It’s essential to remove phone authentication for guest users too, so that they authenticate via secure MFA methods. To reset phone MFA for guest users, simply run the script with the "-GuestUsersOnly" parameter.

```powershell
.\ResetPhoneAuthentication.ps1 -GuestUsersOnly
```
The above will delete phone authentication for all guest users.
6. Remove Phone-based MFA for Disabled Users
During Microsoft 365 offboarding, disabling user accounts is an essential step on your checklist. Disabled users no longer need multi-factor authentication since they don’t require access to resources. To enhance compliance, you can delete the phone number linked to the user accounts.
To remove phone numbers and device details from MFA, simply run the script with the "-DisabledUsersOnly" parameter:

```powershell
.\ResetPhoneAuthentication.ps1 -DisabledUsersOnly
```

To unlink other MFA methods and details as well, you can use the PowerShell script that resets all registered MFA methods.
7. Remove Phone-based Authentication from Office 365 Licensed Users
Users generally lose access to Microsoft 365 services once their licenses are removed. To streamline your script execution and avoid processing these users, you can exclude them by running the script with the "-LicensedUsersOnly" parameter:

```powershell
.\ResetPhoneAuthentication.ps1 -LicensedUsersOnly
```
The above will delete phone-based authentication for all licensed users.
You can also run the script using certificate-based authentication by registering an app in Entra ID.

```powershell
.\ResetPhoneAuthentication.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint>
```

You can create a self-signed certificate or a CA-issued certificate, depending on your requirements.
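To show what the cmdlet from the Graph PowerShell section and the user scopes from cases 1 to 7 look like when put together, here is an added example script. It is not the blog's ResetPhoneAuthentication.ps1 and is not affiliated with it; the parameter names, the `Get-TargetUsers` and `Remove-PhoneMfa` function names, the CSV column name "UPN", and the log file path are all assumptions made for this example. It uses only the Microsoft Graph PowerShell SDK cmdlets (`Get-MgUser`, `Get-MgDirectoryRole`, `Get-MgDirectoryRoleMember`, `Get-MgUserAuthenticationPhoneMethod`, `Remove-MgUserAuthenticationPhoneMethod`). Graph names the three phone types `mobile`, `alternateMobile` and `office`, which correspond to the blog's "Primary Mobile", "Alternate Mobile" and "Office".

```powershell
<#
Added example, not the blog's script: removes every phone authentication method
(mobile, alternateMobile, office) for a chosen set of users and writes a CSV log.
Assumptions: the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules
are installed; a CSV input file has a column named "UPN"; the app-only parameters
(-TenantId/-ClientId/-CertificateThumbprint) are optional.
#>
[CmdletBinding()]
param(
    [ValidateSet('Single', 'Csv', 'All', 'Admins', 'Guests', 'Disabled', 'Licensed')]
    [string]$Scope = 'Single',
    [string]$UserId,                        # UPN or object ID, used with -Scope Single
    [ValidateSet('mobile', 'alternateMobile', 'office')]
    [string]$PhoneType,                     # omit to remove all three phone types
    [string]$CsvFilePath,                   # used with -Scope Csv
    [string]$LogPath = '.\PhoneMfaRemoval.csv',
    [string]$TenantId, [string]$ClientId, [string]$CertificateThumbprint
)

# Delegated interactive sign-in by default; certificate-based app-only sign-in when all
# three app parameters are supplied (the app registration then needs the matching
# application permissions granted by an admin).
if ($TenantId -and $ClientId -and $CertificateThumbprint) {
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertificateThumbprint -NoWelcome
} else {
    Connect-MgGraph -Scopes 'Directory.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome
}

# Builds the target population for each scope the blog's script describes.
function Get-TargetUsers {
    param([string]$Scope)
    $props = 'Id', 'UserPrincipalName'
    switch ($Scope) {
        'Single'   { Get-MgUser -UserId $UserId -Property $props }
        'Csv'      { Import-Csv -Path $CsvFilePath | ForEach-Object { Get-MgUser -UserId $_.UPN -Property $props } }
        'All'      { Get-MgUser -All -Property $props }
        'Guests'   { Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props }
        'Disabled' { Get-MgUser -All -Filter 'accountEnabled eq false' -Property $props }
        # assignedLicenses/$count is an advanced query, so it needs ConsistencyLevel eventual + $count
        'Licensed' { Get-MgUser -All -Filter 'assignedLicenses/$count ne 0' -ConsistencyLevel eventual -CountVariable c -Property $props }
        'Admins'   {
            # User members of every activated directory role, de-duplicated by object ID
            Get-MgDirectoryRole -All |
                ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All } |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                Sort-Object -Property Id -Unique |
                ForEach-Object { Get-MgUser -UserId $_.Id -Property $props }
        }
    }
}

# Removes the registered phone methods of one user and returns one log record per method.
function Remove-PhoneMfa {
    param([Parameter(Mandatory)]$User, [string]$OnlyPhoneType)
    $methods = Get-MgUserAuthenticationPhoneMethod -UserId $User.Id
    if ($OnlyPhoneType) { $methods = $methods | Where-Object { $_.PhoneType -eq $OnlyPhoneType } }
    foreach ($m in $methods) {
        try {
            Remove-MgUserAuthenticationPhoneMethod -UserId $User.Id -PhoneAuthenticationMethodId $m.Id -ErrorAction Stop
            $status = 'Removed'
        } catch {
            # Graph rejects the delete in cases such as the phone method being the user's
            # default sign-in method or the user sitting in a restricted management AU;
            # the reason is kept in the log instead of aborting the whole run.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ UPN = $User.UserPrincipalName; PhoneType = $m.PhoneType; Number = $m.PhoneNumber; Status = $status }
    }
}

$self = (Get-MgContext).Account   # null for app-only sign-in
$log = foreach ($u in Get-TargetUsers -Scope $Scope) {
    if ($self -and $u.UserPrincipalName -eq $self) { continue }   # never touch the signed-in admin's own methods
    Remove-PhoneMfa -User $u -OnlyPhoneType $PhoneType
}
$log | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host "Processed $(@($log).Count) phone method(s); log written to $LogPath"
```

Run it as `.\Remove-PhoneMfa.ps1 -Scope Csv -CsvFilePath .\BulkUsers.csv -PhoneType mobile` for the bulk case, or `-Scope Guests`, `-Scope Disabled`, `-Scope Licensed`, `-Scope Admins` for the other scopes. Every delete is attempted per method and logged with its outcome, so a user whose phone method is their default sign-in method, or who is covered by restricted management, shows up in the CSV as a failure to review rather than silently disappearing.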
That’s it! I hope this blog helps you successfully remove phone authentication for users and improve security. If you have any questions, feel free to drop them in the comments!