Updated to use Microsoft Graph after being reminded of the retirement of MSOnline and AzureAD PowerShell modules. Would like to find a nicer way to reset the MFA methods, but this appears to work well. Enjoy! -S
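# Connect to Microsoft Graph and verify the context.
# Every delegated scope the script needs is requested in ONE call: a second
# Connect-MgGraph replaces the current context, so the original two-call form
# could leave the session with only the scopes of the last call.
#   User.ReadWrite.All                     - Get-MgUser, Update-MgUser, Revoke-MgUserSignInSession
#   Directory.AccessAsUser.All             - kept from the original run; updating the password
#                                            profile of privileged accounts may rely on it (confirm)
#   UserAuthenticationMethod.ReadWrite.All - Get-/Remove-MgUserAuthentication*Method in the MFA step
$requiredScopes = @(
    "User.ReadWrite.All",
    "Directory.AccessAsUser.All",
    "UserAuthenticationMethod.ReadWrite.All"
)
Connect-MgGraph -Scopes $requiredScopes -ErrorAction Stop

# The steps that follow are destructive; refuse to go on without a usable context,
# and surface any scope the tenant did not grant so a partial run is caught up front.
$ctx = Get-MgContext
if (-not $ctx) { throw "Connect-MgGraph did not establish a context; aborting." }
$ctx
Write-Host "Connected as $($ctx.Account) to tenant $($ctx.TenantId)"
$missingScopes = @($requiredScopes | Where-Object { $_ -notin $ctx.Scopes })
if ($missingScopes.Count -gt 0) {
    Write-Warning "Context is missing scope(s): $($missingScopes -join ', '). Later steps may fail."
}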
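# Define the UserPrincipalNames to exclude or include.
#   $excludedUsers - accounts this run must never touch
#   $includedUsers - accounts this run is limited to, when that mode is used
[string[]]$excludedUsers = @("user1@domain.com", "user2@domain.com")
[string[]]$includedUsers = @("user3@domain.com")

# Always protect the account running this script: revoking its own sessions or
# deleting its own MFA methods part-way through would break the remaining steps
# and could lock the operator out of the tenant.
$currentAccount = (Get-MgContext).Account
if ($currentAccount -and $currentAccount -notin $excludedUsers) {
    $excludedUsers += $currentAccount
}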
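# Retrieve all licensed users once, then narrow the set.
# The original assigned $licensedUsers twice, so the "excluded" filter was always
# overwritten by the "included" one and never took effect. Now a non-empty
# $includedUsers limits the run to exactly those accounts; otherwise every licensed
# user except $excludedUsers is in scope. $excludedUsers wins in both modes.
$allLicensedUsers = @(
    Get-MgUser -All -ConsistencyLevel eventual -Property DisplayName,UserPrincipalName,AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 }
)

if ($includedUsers.Count -gt 0) {
    # Include mode: explicit allow-list.
    $licensedUsers = @($allLicensedUsers | Where-Object {
        $_.UserPrincipalName -in $includedUsers -and $_.UserPrincipalName -notin $excludedUsers
    })
} else {
    # Exclude mode: org-wide minus the deny-list.
    $licensedUsers = @($allLicensedUsers | Where-Object { $_.UserPrincipalName -notin $excludedUsers })
}

# Show exactly who is in scope before any destructive step runs; an empty selection
# is treated as a configuration error rather than a silent no-op.
Write-Host "$($licensedUsers.Count) of $($allLicensedUsers.Count) licensed user(s) selected:"
$licensedUsers | Select-Object DisplayName, UserPrincipalName
if ($licensedUsers.Count -eq 0) { throw "No users selected; check `$includedUsers / `$excludedUsers." }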
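###Org wide force password change on next sign in - TESTING OK 5/1/25 S
# Flags every selected account so its next interactive sign-in demands a new password.
# Failures are collected and reported instead of aborting the loop, so one bad account
# does not leave the rest of the selection untouched.
$PasswordProfile = @{ ForceChangePasswordNextSignIn = $true }
$passwordFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into catchable ones.
        Update-MgUser -UserId $upn -PasswordProfile $PasswordProfile -ErrorAction Stop
        Write-Host "Password change forced: $upn"
    } catch {
        $passwordFailures += $upn
        Write-Warning "Failed to force password change for ${upn}: $($_.Exception.Message)"
    }
}
if ($passwordFailures.Count -gt 0) {
    Write-Warning "Password change NOT forced for $($passwordFailures.Count) user(s): $($passwordFailures -join ', ')"
}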
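###Force remove all sessions - TESTING OK 5/1/25 S
# Revokes refresh tokens / sign-in sessions for every selected account. Access tokens
# that were already issued are believed to stay valid until they expire, so do not treat
# this step alone as proof that an intruder is out — confirm against sign-in logs.
$sessionFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop | Out-Null
        Write-Host "Sessions revoked: $upn"
    } catch {
        $sessionFailures += $upn
        Write-Warning "Failed to revoke sessions for ${upn}: $($_.Exception.Message)"
    }
}
if ($sessionFailures.Count -gt 0) {
    Write-Warning "Sessions NOT revoked for $($sessionFailures.Count) user(s): $($sessionFailures -join ', ')"
}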
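###Force reset MFA methods - TESTING OK 5/1/25 S
# Removes every removable registered method so the user must re-register at next sign-in.
#  * The password method is listed alongside the others but can never be deleted; it is
#    skipped quietly instead of being logged as "unknown" for every user.
#  * Graph may reject deleting the method that is currently the user's default while
#    other methods still exist, so rejected removals get one retry after the rest are gone.
#  * FIDO2, Temporary Access Pass and Windows Hello for Business are handled too: a
#    lingering attacker-registered key or TAP would leave the reset incomplete. Any type
#    without a handler is reported as a warning, never silently ignored.

# @odata.type -> scriptblock that deletes that method for a user (args: UPN, method id).
$mfaRemovers = @{
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.phoneAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.emailAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.softwareOathAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.fido2AuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $u -TemporaryAccessPassAuthenticationMethodId $id -ErrorAction Stop
    }
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" = {
        param($u, $id)
        Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $u -WindowsHelloForBusinessAuthenticationMethodId $id -ErrorAction Stop
    }
}

$mfaFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        $methods = @(Get-MgUserAuthenticationMethod -UserId $upn -ErrorAction Stop)
    } catch {
        Write-Warning "Could not list authentication methods for ${upn}: $($_.Exception.Message)"
        $mfaFailures += $upn
        continue
    }

    # Sort into removable methods and ones we cannot handle.
    $pending = @()
    foreach ($method in $methods) {
        $type = $method.AdditionalProperties['@odata.type']
        if ($type -eq "#microsoft.graph.passwordAuthenticationMethod") { continue }
        if (-not $type -or -not $mfaRemovers.ContainsKey($type)) {
            Write-Warning "${upn}: no handler for method type '$type' (id $($method.Id)); it was NOT removed"
            $mfaFailures += $upn
            continue
        }
        $pending += $method
    }

    # Pass 1 removes what it can; pass 2 retries anything rejected (e.g. the default method).
    for ($attempt = 1; $attempt -le 2 -and $pending.Count -gt 0; $attempt++) {
        $retry = @()
        foreach ($method in $pending) {
            $type = $method.AdditionalProperties['@odata.type']
            try {
                & $mfaRemovers[$type] $upn $method.Id
                Write-Host "${upn}: removed $type"
            } catch {
                $retry += $method
                if ($attempt -eq 2) {
                    Write-Warning "${upn}: could not remove $type (id $($method.Id)): $($_.Exception.Message)"
                }
            }
        }
        $pending = $retry
    }
    if ($pending.Count -gt 0) { $mfaFailures += $upn }
}

$mfaFailures = @($mfaFailures | Sort-Object -Unique)
if ($mfaFailures.Count -gt 0) {
    Write-Warning "MFA reset incomplete for $($mfaFailures.Count) user(s); review manually: $($mfaFailures -join ', ')"
}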