Bulk Sign out and Force Password Change

Microsoft Graph PowerShell

Updated to use Microsoft Graph after being reminded of the retirement of the MSOnline and AzureAD PowerShell modules. I would like to find a nicer way to reset the MFA methods, but this appears to work well. Enjoy! -S

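# Connect to Microsoft Graph, check context
# One interactive sign-in that requests every delegated scope the sections below use.
# Two back-to-back Connect-MgGraph calls each replace the context; whether the second token
# still carries the first call's scope depends on what was consented earlier, so ask for the
# full set in a single call and then verify what the session actually holds.
# NOTE(review): the Remove-MgUserAuthentication*Method calls are documented against
# UserAuthenticationMethod.ReadWrite.All, and updating passwordProfile is documented against
# Directory.AccessAsUser.All — confirm both against the current Graph docs for your tenant.
# The signed-in admin also needs a directory role that may reset passwords / MFA for the targets.
$requiredScopes = @(
    'User.ReadWrite.All',
    'Directory.AccessAsUser.All',
    'UserAuthenticationMethod.ReadWrite.All'
)
Connect-MgGraph -Scopes $requiredScopes
$mgContext = Get-MgContext
$mgContext

# Refuse to continue without the scopes the destructive sections rely on
# (Get-MgContext returns nothing when not connected, so every scope counts as missing).
$missingScopes = @($requiredScopes | Where-Object { $_ -notin $mgContext.Scopes })
if ($missingScopes.Count -gt 0) {
    throw "Graph session is missing required scope(s): $($missingScopes -join ', ')"
}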

# Define the UserPrincipalNames to exclude or include
# (placeholder addresses — replace with real UPNs before running; comparisons are
#  case-insensitive, so capitalisation does not matter)
$excludedUsers = @(
    '[email protected]',
    '[email protected]'
)
$includedUsers = @(
    '[email protected]'
)

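# Retrieve all users and filter for licensed users to exclude or include
# Pull the licensed population once, then apply exactly ONE selection mode.
# (Previously both the "excluded" and "included" queries assigned $licensedUsers, so running
#  the file top-to-bottom silently targeted only the include list.)
# 'Include' = only the UPNs in $includedUsers (default: smallest blast radius)
# 'Exclude' = every licensed user except those in $excludedUsers (the org-wide case)
$selectionMode = 'Include'

$allLicensedUsers = Get-MgUser -All -ConsistencyLevel eventual -Select DisplayName,UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

switch ($selectionMode) {
    'Exclude' { $licensedUsers = @($allLicensedUsers | Where-Object { $_.UserPrincipalName -notin $excludedUsers }) }
    'Include' { $licensedUsers = @($allLicensedUsers | Where-Object { $_.UserPrincipalName -in $includedUsers }) }
    Default   { throw "Unknown selection mode '$selectionMode' (expected 'Include' or 'Exclude')" }
}

# Review the target list BEFORE running any of the destructive sections below.
$licensedUsers | Select-Object DisplayName, UserPrincipalName
$licensedTotal = ($allLicensedUsers | Measure-Object).Count
Write-Host "Selected $($licensedUsers.Count) of $licensedTotal licensed user(s) in '$selectionMode' mode"
if ($licensedUsers.Count -eq 0) {
    Write-Warning "No users selected - check `$includedUsers / `$excludedUsers and `$selectionMode"
}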


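###Org wide force password change on next sign in - TESTING OK 5/1/25 S
# Flags every selected account so that the NEXT sign-in must change the password.
# NOTE(review): this does not invalidate the current password — anyone who already holds it
# can still sign in once and pick the new one. When responding to a compromise, also reset
# the password to a random value (not done here) rather than relying on this flag alone.
# Each update is attempted independently; failures are logged and summarised, not fatal.
$PasswordProfile = @{ ForceChangePasswordNextSignIn = $true }
$forceChangeApplied = 0
$forceChangeFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating error into a catchable one
        Update-MgUser -UserId $upn -PasswordProfile $PasswordProfile -ErrorAction Stop
        $forceChangeApplied++
    }
    catch {
        Write-Warning "Failed to set ForceChangePasswordNextSignIn for ${upn}: $($_.Exception.Message)"
        $forceChangeFailures += $upn
    }
}
Write-Host "Force password change applied to $forceChangeApplied user(s)"
if ($forceChangeFailures.Count -gt 0) {
    Write-Warning "Force password change failed for: $($forceChangeFailures -join ', ')"
}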

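###Force remove all sessions - TESTING OK 5/1/25 S
# Revokes each selected user's sign-in sessions so existing sign-ins must re-authenticate
# (and therefore hit the force-change flag set above). Already-issued access tokens are
# generally still usable until they expire, so expect a short window before this bites.
# Each revocation is attempted independently; failures are logged and summarised, not fatal.
$sessionsRevoked = 0
$revokeFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        # result object is discarded; a summary is printed below instead
        $null = Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop
        $sessionsRevoked++
    }
    catch {
        Write-Warning "Failed to revoke sessions for ${upn}: $($_.Exception.Message)"
        $revokeFailures += $upn
    }
}
Write-Host "Sessions revoked for $sessionsRevoked user(s)"
if ($revokeFailures.Count -gt 0) {
    Write-Warning "Session revocation failed for: $($revokeFailures -join ', ')"
}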

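###Force reset MFA methods - TESTING OK 5/1/25 S
# Deletes the per-user MFA methods this script knows how to remove, so the account has to
# re-register MFA at its next sign-in. Only the four types in the switch are removed; the
# password method is expected on every account and is skipped quietly; any other type
# (e.g. FIDO2 security keys, Windows Hello for Business, a Temporary Access Pass) is NOT
# handled here and is reported so the operator can follow up — an attacker-registered
# strong method would otherwise survive this "reset". Confirm the matching
# Remove-MgUserAuthentication* cmdlet before extending the switch.
# NOTE(review): whoever holds the current password can re-register MFA after this runs;
# pair it with a real password reset when responding to a compromise.
# Each removal is attempted independently; failures are logged and summarised, not fatal.
$mfaResetFailures = @()
foreach ($licensedUser in $licensedUsers) {
    $upn = $licensedUser.UserPrincipalName
    try {
        $methods = Get-MgUserAuthenticationMethod -UserId $upn -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not list authentication methods for ${upn}: $($_.Exception.Message)"
        $mfaResetFailures += $upn
        continue
    }
    foreach ($method in $methods) {
        $methodType = $method.AdditionalProperties['@odata.type']
        try {
            switch ($methodType) {
                "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn -MicrosoftAuthenticatorAuthenticationMethodId $method.Id -ErrorAction Stop
                }
                "#microsoft.graph.phoneAuthenticationMethod" {
                    Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $method.Id -ErrorAction Stop
                }
                "#microsoft.graph.emailAuthenticationMethod" {
                    Remove-MgUserAuthenticationEmailMethod -UserId $upn -EmailAuthenticationMethodId $method.Id -ErrorAction Stop
                }
                "#microsoft.graph.softwareOathAuthenticationMethod" {
                    Remove-MgUserAuthenticationSoftwareOathMethod -UserId $upn -SoftwareOathAuthenticationMethodId $method.Id -ErrorAction Stop
                }
                "#microsoft.graph.passwordAuthenticationMethod" {
                    # not an MFA method and not removable; silently skip instead of logging it as unknown
                }
                Default {
                    Write-Host "Skipping unknown authentication method type: $methodType"
                }
            }
        }
        catch {
            Write-Warning "Failed to remove $methodType ($($method.Id)) for ${upn}: $($_.Exception.Message)"
            $mfaResetFailures += $upn
        }
    }
}
if ($mfaResetFailures.Count -gt 0) {
    Write-Warning "MFA reset incomplete for: $(($mfaResetFailures | Sort-Object -Unique) -join ', ')"
}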
