Resetting MFA in Microsoft Entra ID: The Three Flavors of Reset
- Shannon
All code for this blog can be found here.
I've been trailblazing with Azure since 2016. Before 2016, I set up an Entra ID (formerly Azure Active Directory) tenant for my O365/Exchange Online environment. Over the years, I've built up a wealth of knowledge in the identity space, supporting enterprise customers. My last role at Microsoft even found me in the Identity and Network Access Program Group. To me, this is one of those blog posts that makes sense to put out there, as customers still have issues. I also think confusion is real and I'm still seeing a wave of Azure adoption by enterprises across the globe.
Anyone who manages Microsoft Entra ID has gotten this request before. A user calls you up in a panic. Their phone is gone, the Authenticator app was uninstalled, or they just cannot get past the MFA prompt. Then comes the question:
“Can you reset my MFA?”
It sounds straightforward, but in practice “reset MFA” can mean several different things. If you do not clarify, you might wipe out more than you intended or not fix the actual problem at all.
In Microsoft Entra ID, a reset typically falls into three categories:
Force the user to re-register MFA methods
Revoke existing MFA sessions so the user is prompted again
Remove or update specific authentication methods, like a phone number or an old authenticator app
Let’s go through each scenario, talk about when you might use it, and walk through how to handle it in both the Entra admin center and Graph PowerShell.
1. Forcing MFA Re-Registration
This is the nuclear option. It clears all MFA methods for a user, and they must register new ones the next time they log in. Choose this path if they have lost their device or you suspect the account may have been compromised.
Portal method:
Sign in to entra.microsoft.com.
Go to Identity → Users → All users.
Select the user.
Under Authentication methods, select Require re-register multifactor authentication.
The next time the user logs in, they will be prompted to set up MFA again.
Graph PowerShell method:
# Connect with the scope that manages authentication methods (User.ReadWrite.All alone is not enough to list or remove them)
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
$upn = "<UserPrincipalName>"   # the user's sign-in name
# Clear all MFA methods for the user. Graph has no generic delete, so dispatch on the method type; the password method cannot be removed and lands in the default branch
foreach ($m in Get-MgUserAuthenticationMethod -UserId $upn) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.phoneAuthenticationMethod'                  { Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod'                  { Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $m.Id }
        default { Write-Warning "Not removed: $($m.AdditionalProperties['@odata.type']) $($m.Id)" }
    }
}
2. Revoking Existing MFA Sessions
Sometimes a user simply needs to be prompted for MFA again. Maybe they checked the “remember me” option, and now they are too trusted for comfort. You do not need to wipe their methods in this case. Just revoke the session.
Portal method:
Go to Users → [User] → Authentication methods.
Select Revoke MFA sessions.
This clears their remembered MFA state and forces re-authentication.
Graph PowerShell method:
# Revoke refresh tokens and browser session cookies to force reauthentication
# (access tokens already issued stay valid until they expire, so the effect is not instant for every app)
Revoke-MgUserSignInSession -UserId "<UserPrincipalName>"
3. Removing or Updating Specific Methods
Sometimes you do not want to wipe everything. Maybe the user still has their authenticator app, but the backup phone number is outdated. In that case, just remove or update the specific method.
Portal method:
Go to Users → [User] → Authentication methods.
You will see all registered methods, including phone numbers, authenticator apps, and FIDO keys.
Select the method you want to remove or update.
Graph PowerShell method:
# List all authentication methods (the type and details such as the phone number are in AdditionalProperties)
Get-MgUserAuthenticationMethod -UserId "<UserPrincipalName>" |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
# Remove a phone method
Remove-MgUserAuthenticationPhoneMethod `
    -UserId "<UserPrincipalName>" `
    -PhoneAuthenticationMethodId <MethodId>
Replace <UserPrincipalName> with the user's sign-in name and <MethodId> with the identifier you get from the listing command.
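The listing command gives you ids and a raw type, but the field that tells an old phone number from the current one sits in each method's AdditionalProperties. The following is an added example, not code from the original post: it inventories a user's methods in readable form, then removes one phone method by number and reads back to confirm it is gone. It assumes Connect-MgGraph has already been run with UserAuthenticationMethod.ReadWrite.All; the function names and the guardrail that refuses to strip the last non-password method are this example's own choices.

```powershell
# Added example, not from the original post. Lists what a user has registered with the
# detail an admin needs to pick the right MethodId, then removes one phone method by
# number and confirms it is gone. Assumes Connect-MgGraph has already been run with
# UserAuthenticationMethod.ReadWrite.All; the guardrail that refuses to strip the last
# non-password method is this example's own choice, not Entra behaviour.
function Get-MfaMethodInventory {
    param([Parameter(Mandatory)][string]$UserId)
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        $p    = $m.AdditionalProperties                                  # type-specific fields live here
        $type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $detail = switch ($type) {                                       # what identifies the method to a human
            'phoneAuthenticationMethod'                  { "$($p['phoneType']) $($p['phoneNumber'])" }
            'microsoftAuthenticatorAuthenticationMethod' { $p['displayName'] }
            'fido2AuthenticationMethod'                  { "$($p['displayName']) ($($p['model']))" }
            'emailAuthenticationMethod'                  { $p['emailAddress'] }
            default                                      { '' }
        }
        [pscustomobject]@{ Type = $type; Id = $m.Id; Detail = $detail }
    }
}

function Remove-MfaPhoneMethodSafely {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$PhoneNumber    # as shown by the inventory, e.g. "+1 5555550123"
    )
    $inventory = @(Get-MfaMethodInventory -UserId $UserId)
    $target = @($inventory | Where-Object { $_.Type -eq 'phoneAuthenticationMethod' -and $_.Detail -like "*$PhoneNumber*" })
    if ($target.Count -eq 0) { throw "No phone method matching '$PhoneNumber' registered for $UserId" }
    if ($target.Count -gt 1) { throw "'$PhoneNumber' matches $($target.Count) phone methods; give the full number" }
    # Guardrail: if this is the user's only non-password method, removing it is really flavor 1 (re-register)
    $mfaMethods = @($inventory | Where-Object Type -ne 'passwordAuthenticationMethod')
    if ($mfaMethods.Count -le 1) { throw "$UserId has no other MFA method; use the re-register flow instead" }
    Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $target[0].Id
    # Read back and verify the removal took effect before reporting success
    if (@(Get-MfaMethodInventory -UserId $UserId | Where-Object Id -eq $target[0].Id).Count -ne 0) {
        throw "Method $($target[0].Id) is still present after removal"
    }
    return $target[0]
}

# Usage (constructed placeholders):
# Get-MfaMethodInventory -UserId "<UserPrincipalName>" | Format-Table
# Remove-MfaPhoneMethodSafely -UserId "<UserPrincipalName>" -PhoneNumber "+1 5555550123"
```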
Wrapping Up
When someone asks you to reset their MFA in Microsoft Entra ID, do not assume they mean the same thing every time. Reset can mean:
Clear all methods so the user must re-register
Revoke existing sessions so the user is prompted again
Remove or update just one method that is no longer valid
Knowing the difference saves you time and prevents frustration for your users. With both the Entra admin center and Graph PowerShell in your toolkit, you can handle MFA resets quickly and in the way that fits the situation.