Script to Disable SMS Sign-In for Federated Users in Microsoft Graph
Disable SMS Sign-In for Federated Users
This script connects to Microsoft Graph for a specified tenant and retrieves all users with a UserType of 'Member'. It filters for users whose identities include a federated sign-in type and disables their SMS sign-in authentication method by targeting the fixed phone authentication method ID. The script provides progress updates, showing the percentage of users processed, the number of users remaining, and the time taken for each operation.
Script Overview
Ideal for: Azure AD administrators managing authentication methods for federated users
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| Federated User Filtering | Identifies users with federated sign-in | Targeted authentication management |
| SMS Sign-In Disable | Removes SMS authentication method | Enhances security posture |
| Progress Tracking | Real-time processing updates | Operational visibility |
| Batch Processing | Efficient handling of multiple users | Scalable operations |
Script Implementation
```powershell
# Connect to the target tenant with the scopes needed to read users and manage authentication methods
Connect-MgGraph -TenantId "xxx.onmicrosoft.com" -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# Retrieve all member (non-guest) users, including their identities collection
$allusers = Get-MgUser -Property id,UserPrincipalName,identities,UserType -All -Filter "UserType eq 'Member'"

# Keep only users whose identities include a federated sign-in type
$SMSenabled = $allusers | Where-Object { $_.Identities.SignInType -contains 'federated' }

# Fixed ID of the mobile phone authentication method used for SMS sign-in
$phoneAuthenticationMethodId = "3179e48a-750b-4051-897c-87b9720928f7"

$i = 0
$SMSenabled | ForEach-Object {
    # Disable SMS sign-in on the user's phone method and record how long the call took
    $runtime = Measure-Command {
        Disable-MgUserAuthenticationPhoneMethodSmsSignIn -UserId $_.Id -PhoneAuthenticationMethodId $phoneAuthenticationMethodId
    } | Select-Object -ExpandProperty TotalSeconds

    # Progress bookkeeping: percentage complete and users still to process
    $i++
    $Completed = ($i / $SMSenabled.Count) * 100
    $remain = $SMSenabled.Count - $i
    Write-Progress -Activity "Removing Phone SignIn" -Status "Progress: $remain users remain, Last Run Time: $runtime" -PercentComplete $Completed
}
```
Configuration Requirements
Prerequisites
| Component | Requirement | Purpose |
|---|---|---|
| Microsoft Graph Module | Microsoft.Graph PowerShell module | API connectivity |
| Authentication Permissions | User.Read.All, UserAuthenticationMethod.ReadWrite.All | User and authentication method access |
| Admin Rights | Authentication Administrator or Global Administrator | Sufficient permissions to disable methods |
Configuration Parameters
| Parameter | Example | Description |
|---|---|---|
| TenantId | "contoso.onmicrosoft.com" | Target tenant for processing |
| Phone Authentication Method ID | "3179e48a-750b-4051-897c-87b9720928f7" | Fixed ID for SMS authentication |
Script Logic Flow
Processing Steps
1. Connect to Microsoft Graph
   - Establish an authenticated connection to the specified tenant
   - Verify the required permissions
2. Retrieve User Data
   - Get all member users with identity properties
   - Filter for federated authentication users
3. SMS Sign-In Disable Process
   - Iterate through federated users
   - Disable the SMS authentication method
   - Track processing time and progress
4. Progress Monitoring
   - Display completion percentage
   - Show remaining user count
   - Log operation performance metrics
User Filtering Logic
Target User Criteria
| Criteria | Description | Purpose |
|---|---|---|
| UserType = 'Member' | Internal organization users | Exclude guest accounts |
| SignInType = 'federated' | Uses federated identity provider | Target specific authentication flow |
| SMS Authentication Enabled | Has active SMS sign-in method | Users requiring action |
Performance Monitoring
Progress Indicators
| Metric | Description | Usage |
|---|---|---|
| Completion Percentage | (processed / total) * 100 | Overall progress tracking |
| Remaining Users | total - processed | Work remaining estimate |
| Runtime per User | Individual operation time | Performance analysis |
| Activity Status | Descriptive progress message | User-friendly feedback |
Security Considerations
Impact Assessment
| Impact | Description | Mitigation |
|---|---|---|
| Authentication Change | Users lose SMS sign-in option | Ensure alternative methods available |
| Federated User Focus | Only affects federated authentication | Maintains local user SMS access |
| Batch Processing | Multiple users updated simultaneously | Monitor for authentication issues |
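The script above calls the disable cmdlet for every federated member, and the mitigations in this table ask the administrator to confirm alternative methods and watch for sign-in problems. The following added example (not the page's script) wraps the same steps in a function that first checks each user's mobile phone method and acts only where SMS sign-in is actually in the 'ready' state, counts the user's other registered methods for review, supports a -WhatIf dry run, and writes a change record. It assumes the same module and scopes as the original; the function name and the CSV output path are hypothetical.

```powershell
function Disable-FederatedSmsSignIn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        # Fixed mobile phone method ID from the page's configuration table
        [string] $PhoneMethodId = "3179e48a-750b-4051-897c-87b9720928f7",
        # Hypothetical output path for the change record
        [string] $ReportPath = ".\sms-signin-changes.csv"
    )
    Connect-MgGraph -TenantId $TenantId -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

    # Same selection as the original script: member users with a federated identity
    $federated = Get-MgUser -All -Property id,userPrincipalName,identities,userType -Filter "userType eq 'Member'" |
                 Where-Object { $_.Identities.SignInType -contains 'federated' }

    $results = foreach ($user in $federated) {
        # Skip users who have no mobile phone method or whose SMS sign-in is not enabled;
        # the original script would call the disable cmdlet for them regardless
        $phone = Get-MgUserAuthenticationPhoneMethod -UserId $user.Id -ErrorAction SilentlyContinue |
                 Where-Object { $_.Id -eq $PhoneMethodId }
        if (-not $phone -or $phone.SmsSignInState -ne 'ready') { continue }

        # Count other registered methods (excluding password and this phone) so the
        # administrator can review who keeps an alternative method after the change
        $otherMethods = @(Get-MgUserAuthenticationMethod -UserId $user.Id | Where-Object {
            $_.Id -ne $PhoneMethodId -and
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        }).Count

        $action = 'skipped'
        # ShouldProcess makes -WhatIf report the change without performing it
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable SMS sign-in')) {
            Disable-MgUserAuthenticationPhoneMethodSmsSignIn -UserId $user.Id -PhoneAuthenticationMethodId $PhoneMethodId
            $action = 'disabled'
        }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            OtherMethods      = $otherMethods
            Action            = $action
        }
    }
    # Persist the record of what was (or would have been) changed, then return it
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Dry run first, then the real run against the tenant from the configuration table
Disable-FederatedSmsSignIn -TenantId "contoso.onmicrosoft.com" -WhatIf
Disable-FederatedSmsSignIn -TenantId "contoso.onmicrosoft.com"
```

Review the CSV from the dry run before the real run: an OtherMethods value of 0 identifies users who would be left with only their federated sign-in and the password method once SMS sign-in is disabled.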
Conclusion
Key Takeaway: This script provides targeted removal of SMS authentication for federated users, enhancing security posture while maintaining operational visibility through comprehensive progress tracking and performance monitoring.