
Script to Reset User Authentication Methods and Add to Group Using Microsoft Graph

This script connects to Microsoft Graph, resets user authentication methods, and adds users to a specified group based on data from a CSV file. It clears existing authentication methods (such as email, phone, Microsoft Authenticator, and OTP), sets SMS as the default authentication method, and resets the user’s password if applicable. Afterward, the script adds the user to the specified Azure AD group and generates a report of any temporary passwords assigned, exporting the results to a CSV file.

Here is the script:

# Run configuration for the reset-and-add-to-group script below.
# Replace the 'xxx' placeholders before running.
$GroupID  = 'xxx'                        # object id of the target group
$CSVPath  = "$HOME\Desktop\Users.csv"    # input CSV; the loop reads its UPN and Phone columns
$TenantId = 'xxx.onmicrosoft.com'        # tenant passed to Connect-MgGraph

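<#
.SYNOPSIS
    Recursively converts a hashtable (and any nested hashtables) into PSObjects.
.PARAMETER Value
    The hashtable to convert. Nested hashtable values are converted in place.
.OUTPUTS
    A PSObject with one property per key of $Value.
#>
function ConvertTo-PsObject {
    param (
        [hashtable] $Value
    )

    # Collect the nested keys up front so the hashtable is not modified while it is
    # being enumerated. '-is [hashtable]' also copes with $null values, which the
    # original .GetType() comparison could not.
    $nestedKeys = @($Value.Keys | Where-Object { $Value[$_] -is [hashtable] })
    foreach ($key in $nestedKeys) {
        $Value[$key] = ConvertTo-PsObject -Value $Value[$key]
    }

    New-Object PSObject -Property $Value | Write-Output
}

<#
.SYNOPSIS
    Revokes a user's sign-in sessions and clears or rewrites their registered authentication methods.
.DESCRIPTION
    Revokes sign-in sessions, then walks the user's authentication methods:
    the email method is removed, the mobile phone method is updated to $PhoneNumber,
    the password method is reset (Graph returns a temporary password), and any
    Microsoft Authenticator, software OATH and passwordless Authenticator
    registrations (the last one via the beta cmdlets) are removed. Progress is
    written to the output stream.
.PARAMETER User
    The Graph user object (the caller passes the result of Get-MgUser).
.PARAMETER PhoneNumber
    Phone number written into the user's mobile phone authentication method.
.OUTPUTS
    Status strings describing each action taken.
.NOTES
    Side effect: sets $script:UserTempPass to the new temporary password when the
    password method was reset, otherwise to $null. The caller reads it from there.
#>
function Reset-UserSecurityInfo {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [Microsoft.Graph.PowerShell.Models.MicrosoftGraphUser]$User,
        [Parameter(Mandatory=$true)]
        [String]$PhoneNumber
    )

    # Fixed method ids Graph uses for these method types (same values as the original script).
    $emailMethodId    = '3ddfcfc8-9383-446f-83cc-3ab9be4be18f'
    $phoneMethodId    = '3179e48a-750b-4051-897c-87b9720928f7'
    $passwordMethodId = '28c10230-6103-485e-b985-444c60001490'

    $userId   = $User.Id
    $upn      = $User.UserPrincipalName
    $TempPass = $null   # stays $null unless the password method is present and reset

    # Revoke existing sessions before the registered methods are changed.
    Revoke-MgUserSignInSession -UserId $userId | Out-Null
    $AuthenticationMethod = Get-MgUserAuthenticationMethod -UserId $userId

    # switch enumerates the array of method ids, so every registered method is visited.
    switch ($AuthenticationMethod.Id) {
        $emailMethodId {
            Remove-MgUserAuthenticationEmailMethod -UserId $userId -EmailAuthenticationMethodId $emailMethodId
            Write-Output "Removing $upn Email Authentication Method"
        }
        $phoneMethodId {
            Update-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $phoneMethodId -PhoneNumber $PhoneNumber
            Write-Output "Updating $upn Phone to $PhoneNumber"
        }
        $passwordMethodId {
            $TempPass = Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $passwordMethodId
            Write-Output "Reseting $upn Password"
        }
    }

    # Authenticator and software OATH registrations carry per-registration ids, so they
    # are selected by @odata.type rather than by a fixed id.
    $AuthenticationMethod |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' } |
        ForEach-Object {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
            Write-Output "Removing $upn Microsoft Authenticator $($_.AdditionalProperties.displayName)"
        }

    $AuthenticationMethod |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.softwareOathAuthenticationMethod' } |
        ForEach-Object {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $userId -SoftwareOathAuthenticationMethodId $_.Id
            Write-Output "Removing $upn OTP"
        }

    # Passwordless phone sign-in is handled through the beta cmdlets.
    $Passwordless = Get-MgBetaUserAuthenticationPasswordlessMicrosoftAuthenticatorMethod -UserId $userId
    if ($Passwordless) {
        Remove-MgBetaUserAuthenticationPasswordlessMicrosoftAuthenticatorMethod -PasswordlessMicrosoftAuthenticatorAuthenticationMethodId $Passwordless.Id -UserId $userId
        Write-Output "Removing $upn Passwordless"
    }

    # Hand the temporary password back through script scope; $null when no reset happened.
    $script:UserTempPass = $TempPass.NewPassword
}

<#
.SYNOPSIS
    Makes SMS the user's preferred secondary authentication method.
.DESCRIPTION
    PATCHes the beta signInPreferences resource for the user. If that call fails,
    the function assumes the user has no phone method yet, registers $PhoneNumber
    as one, waits briefly, and retries the PATCH once. The retry uses -ErrorAction
    Stop so a second failure reaches the caller instead of being lost.
.PARAMETER UserId
    Object id of the user (the caller passes $MGUser.Id); it is embedded in the request URL.
.PARAMETER PhoneNumber
    Phone number to register when no phone method exists yet.
#>
function Set-SMSasDefaultAuthentication {
    param (
        [Parameter(Mandatory=$true)]
        [String]$UserId,
        [Parameter(Mandatory=$true)]
        [String]$PhoneNumber
    )

    # Built outside the try so both values are guaranteed to exist in the catch block.
    $url  = "https://graph.microsoft.com/beta/users/$UserId/authentication/signInPreferences"
    $body = ConvertTo-Json -InputObject @{ 'userPreferredMethodForSecondaryAuthentication' = 'sms' }

    try {
        Invoke-MgGraphRequest -Method Patch -Uri $url -Body $body -ErrorAction Stop
    } catch {
        # NOTE(review): every failure is treated as "no phone method registered". The
        # original error is surfaced as a warning so other causes (permissions,
        # throttling) are not silently hidden by the retry.
        Write-Warning "signInPreferences PATCH failed for $UserId ($($_.Exception.Message)); registering phone and retrying"
        Write-Output "Add Phone $PhoneNumber"
        New-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneNumber $PhoneNumber
        Start-Sleep 5
        Invoke-MgGraphRequest -Method Patch -Uri $url -Body $body -ErrorAction Stop
    }
}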

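# NOTE(review): this scope list looks broader than the calls below need —
# Directory.ReadWrite.All and User.ReadWrite.All are not obviously required for
# reading users, rewriting authentication methods and adding group members.
# Confirm and trim to the minimum before running against production.
Connect-MgGraph -TenantId $TenantId -Scopes 'UserAuthenticationMethod.ReadWrite', 'Directory.ReadWrite.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'

# Users already in the group are skipped, so the script can be re-run after a partial failure.
$GroupMembers = Get-MgGroupMemberAsUser -GroupId $GroupID
$CSV = Import-Csv -Path $CSVPath
$output = @()   # one hashtable per processed user: UPN and TempPass

foreach ($csvUser in $CSV) {
    $upn = $csvUser.UPN
    if ($upn -notin $GroupMembers.UserPrincipalName) {
        try {
            # -ErrorAction Stop so a failed lookup lands in the catch instead of continuing with $null.
            $MGUser = Get-MgUser -UserId $upn -ErrorAction Stop
            Set-SMSasDefaultAuthentication -UserId $MGUser.Id -PhoneNumber $csvUser.Phone
            # Reset-UserSecurityInfo reports a temporary password through this script-scope variable.
            $script:UserTempPass = $null
            Reset-UserSecurityInfo -User $MGUser -PhoneNumber $csvUser.Phone -ErrorAction Stop
            New-MgGroupMember -GroupId $GroupID -DirectoryObjectId $MGUser.Id -ErrorAction Stop
            $output += @{
                UPN      = $upn;
                TempPass = $script:UserTempPass
            }
        }
        catch {
            # 'continue' rather than 'return': one failing user must not abort the whole run.
            # The UPN is included so the failing row can be identified in the output.
            Write-Output "Failed to Reset User Security Information for $upn. Error: $($_.Exception.Message)"
            continue
        }
    } else {
        Write-Output "$upn In Group no change has been made"
    }
}

$d = Get-Date
$d = $d.ToString('yyyy-MM-dd-HHmmss')
# The export is left disabled as in the original. Without it the temporary passwords
# collected in $output are never persisted. If it is enabled, the file contains
# plaintext temporary passwords, so restrict access to it and delete it after use.
# ConvertTo-PsObject takes a single hashtable, so pipe the entries one at a time:
#$output | ForEach-Object { ConvertTo-PsObject -Value $_ } | Export-Csv -NoTypeInformation -Path "$HOME\Desktop\UsersTempPassword_$d.csv"
#Write-Output "Exporting password file to $HOME\Desktop\UsersTempPassword_$d.csv"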