Rule description
This rule queries the list of users specified in a text file and for each user deletes existing registered authentication methods.
When to use this rule
Use this rule when you need to delete authentication methods for users that are specified in the CSV file.
This rule requires a source text file in the comma-separated values (CSV) format. You can use the template CSV files provided with the rule, or create a file in Microsoft Excel and export it as CSV.
To use a template CSV file:
- In the Query section, click the [...] button next to the Select Data Source setting.
- Open the Templates folder.
- Depending on the Account source system, select the Enforce Office 365 License (Hybrid) or Enforce Office 365 License (Microsoft 365) CSV file.
- Click Open.
The Query's source text file requires the following CSV (comma-separated value) format:
Hybrid users:
UserPrincipalName,DistinguishedName,SamAccountName,ObjectGuid
Joe.Smith@domain.com,"CN=Joe Smith,OU=IT,DC=domain,DC=com",jsmith,dd16cabd-b1a6-4fc4-b5b6-d86d8d8fca9e
Kelly.Jones@domain.com,"CN=Kelly Jones,OU=IT,DC=domain,DC=com",kjones,84da7c1e-69f8-48d9-afae-cc61bbf85be2
Microsoft 365 users:
UserPrincipalName,ObjectGuid
Joe.Smith@domain.com,dd16cabd-b1a6-4fc4-b5b6-d86d8d8fca9e
Kelly.Jones@domain.com,84da7c1e-69f8-48d9-afae-cc61bbf85be2
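Because the rule deletes authentication methods for every user listed in the file, it is worth validating the CSV before pointing the rule at it. The following pre-flight check is an added example, not part of the product or its documentation; the function name Test-AuthMethodCsv, its parameters, the loose UPN pattern and the sample file name are assumptions, and the sample rows are constructed from the examples above.

```powershell
function Test-AuthMethodCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Hybrid', 'Microsoft365')] [string] $SourceSystem = 'Hybrid'
    )
    # Column sets taken from the two CSV formats shown above.
    $expected = if ($SourceSystem -eq 'Hybrid') {
        'UserPrincipalName', 'DistinguishedName', 'SamAccountName', 'ObjectGuid'
    } else { 'UserPrincipalName', 'ObjectGuid' }
    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { throw "No data rows in $Path" }
    $missing = $expected | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    $problems = [System.Collections.Generic.List[string]]::new()
    $seen = @{}
    $line = 1   # the header is line 1
    foreach ($row in $rows) {
        $line++
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($row.ObjectGuid, [ref] $guid)) {
            $problems.Add("line ${line}: ObjectGuid '$($row.ObjectGuid)' is not a GUID")
        }
        # Loose shape check only (assumption): something@something.tld
        if ($row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems.Add("line ${line}: UserPrincipalName '$($row.UserPrincipalName)' is malformed")
        }
        # A user listed twice usually points to a copy/paste error in the file.
        $key = "$($row.UserPrincipalName)".ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems.Add("line ${line}: duplicate of line $($seen[$key])")
        } else { $seen[$key] = $line }
    }
    return $problems
}

# Constructed sample: the two Microsoft 365 rows above plus one deliberately broken row.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'authmethods-sample.csv'
@'
UserPrincipalName,ObjectGuid
Joe.Smith@domain.com,dd16cabd-b1a6-4fc4-b5b6-d86d8d8fca9e
Kelly.Jones@domain.com,84da7c1e-69f8-48d9-afae-cc61bbf85be2
joe.smith@domain.com,not-a-guid
'@ | Set-Content -LiteralPath $sample
Test-AuthMethodCsv -Path $sample -SourceSystem Microsoft365
```

An empty result means the file passed these checks; it does not confirm that the listed users are the intended ones.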
Rule Settings
Query Section
Setting name | Description |
---|---|
Select data source | Specifies the text file to be imported. The […] button allows the user to browse for the file, and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor. If you need to enforce licenses to hybrid users, use Enforce Office 365 License (Hybrid) - Template.csv. If you need to enforce licenses to Microsoft 365 users, use Enforce Office 365 License (Microsoft 365) - Template.csv. |
Data source anchor attribute | Select a column in the data source that contains the attribute value used to identify and map a user, such as UserPrincipalName. |
Account source system | Select the source system of the accounts listed in the CSV file: Hybrid or Microsoft 365. |
User anchor attribute | Automap searches for a user using the standard identity attributes DistinguishedName, UserPrincipalName, and ObjectGUID. Select a custom attribute if your users are identified by a different attribute. Note: Microsoft best practices assume the Active Directory and Office 365/Azure AD UPNs will match. |
More Options | |
Filter CSV data | Specifies a filter that removes from the imported text file the data rows that satisfy a specific condition. |
Properties to display | To display additional properties for each object found by the query, add those properties to the list. |
Filter Office 365 users | To hide unwanted data, set the filtering conditions here. |
Initialization script | |
Script | Rules usually use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable declared in the initialization script in the query scope, it must be global: $global:<variable name>. Example: Update AD users created in the last ten days: {$global:DatePeriod = (Get-Date).AddDays(-10)} |
Action Section
Setting name | Description |
---|---|
Delete authentication methods | Specify which authentication methods should be deleted. Note: Deleting all methods will require the user to re-register an MFA sign-in method. |
Sign-out of MS 365 sessions | Specify whether to sign the user out of all Microsoft 365 sessions. |
Output Section
This section defines the output format of this rule.
Please see the Output section article to get more information about this section.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
10.1.0 | The rule has been introduced in the product. |