Updates to managing user authentication methods

Howdy folks!

I'm excited to share today some super cool new features for managing users' authentication methods: a new experience for admins to manage users' methods in Azure Portal, and a set of new APIs for managing FIDO2 security keys, Passwordless sign-in with the Microsoft app, and more.

Michael McLaughlin, one of our Identity team program managers, is back with a new guest blog post with information about the new UX and APIs. If your organization uses Connect to synchronize user phone numbers, this post contains important updates for you.

As always, we'd love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure Active Directory () feedback forum.

Best Regards,

Alex Simons (Twitter: Alex_A_Simons)

Corporate Vice President Program Management

Microsoft Identity Division


Hi everyone!

In April I told you about APIs for managing authentication phone numbers and passwords, and promised you more was coming. Here's what we've been doing since then!

New User Authentication Methods UX

First, we have a new user experience in the portal for managing users' authentication methods. You can add, edit, and delete users' authentication phone numbers and email addresses in this delightful experience, and, as we release new authentication methods over the coming months, they'll all show up in this interface to be managed in one place. Even better, this new experience is built entirely on Microsoft Graph APIs so you can script all your authentication method management scenarios.


Updates to Authentication Phone Numbers

As part of our ongoing usability and security enhancements, we've also taken this opportunity to simplify how we handle phone numbers in Azure AD. Users now have two distinct sets of numbers:

  • Public numbers, which are managed in the user profile and never used for authentication.
  • Authentication numbers, which are managed in the new authentication methods blade and always kept private.

This new experience is now fully enabled for all cloud-only tenants and will be rolled out to Directory-synced tenants by May 1, 2021.

Importantly for Directory-synced tenants, this change will impact which phone numbers are used for authentication. Admins currently prepopulating users' public numbers for will need to update authentication numbers directly. Read about manage updates to your users' authentication numbers here.

New Microsoft Graph APIs

In addition to all the above, we've released several new APIs to beta in Microsoft Graph! Using the authentication method APIs, you can now:

  • Read and remove a user's FIDO2 security keys
  • Read and remove a user's Passwordless Phone Sign-In capability with Microsoft
  • Read, add, update, and remove a user's email address used for Self-Service Password Reset

We've also added new APIs to manage your authentication method policies for FIDO2 and Passwordless Microsoft Authenticator.

Here's an example of calling GET all methods on a user with a FIDO2 security key:


GET https://graph.microsoft.com/beta/users/{{username}}/authentication/methods




We're continuing to invest in the authentication methods APIs, and we encourage you to use them via Microsoft Graph or the Microsoft Graph PowerShell module for your authentication method sync and pre-registration needs. As we add more authentication methods to the APIs, you'll be easily able to include those in your too!

We have several more exciting additions and changes coming over the next few months, so stay tuned!

All the best,

Michael McLaughlin

Program Manager

Microsoft Identity Division

What I am looking forward for a long time is a dark mode for the Microsoft Authenticator app. Will this feature be added soon? 

Great news.

The link to the graph PowerShell module is off. I think it should point to https://www.powershellgallery.com/packages/Microsoft.Graph/1.1.0

I also assume that the same changes will effect prepopulating SSPR methods through AADConnect as well: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata…

The text mentions that “as [you] release new authentication methods over the coming months, they'll all show up in this interface to be managed in one place.” Currently, the authenticator app notification/code does not show up in this interface even if a user has it registered, although it is available in the Graph API. Will that be changing soon?

Good work guys! More APIs to manage authentication – always good news 🙂

Hi and great update! However, where did you move “Allow self-service set up”? 


@Budak87 – we know there's great demand for dark mode (I use it myself!), but we don't have timeline for that we can share right now, sorry.

@Fabian Bader – great catch, we'll get it fixed up.

@Ryan Morash – that's correct, SSPR too.

@fuscob – yes, we're making a change to the Authenticator app API in beta, and once that's done we'll plug it into the UX too.

@cblackuk – thanks for the kind words!

@Michael_Berntsen – we're working on re-adding that now, you should see it show up again soon.

@Michael McLaughlin do you know when the UserAuthenticationMethod.ReadWrite.All application permissions will be leaving private preview? This will make life a lot easier when this can be automated.

@Michael McLaughlin 

I've rebuilt our that pre-registered users' authentication methods as Azure Functions. Do you have any updates on when these permissions will be leaving private preview for applications? Or could I please join the private preview? Looking forward to testing this out

Hey @nathannorris – no date I can share, but I can say it won't be until after the new year. I know the waiting is tough, this is a hugely demanded feature! It'll be worth it.

This is a good feature but why is it in the official documentation if it's only available in private preview?? I have need to administratively remove MS authenticator from several accounts that have 5 registrations already, so am I SOL until it's out of preview?


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.