Rule description
This rule queries the specified Microsoft 365/Azure AD scope and for each user deletes existing registered authentication methods.
When to use this rule
Use this rule when you need to delete authentication methods for Microsoft 365 users.
Rule Settings
Query Section
Setting name | Description |
---|---|
General Settings | |
Limit scope to this Azure AD Administrative Unit |
This setting defines the search query scope. To improve query performance, limit the scope to a specific Azure Admin Unit. Important: To test rule configuration, limit the rule scope to an Azure Admin Unit that contains test accounts or objects.
|
Query criteria
|
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
Post-query filter
|
To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible.
|
User account properties |
|
Account state |
Specify account state:
|
User type |
Specify user type:
|
Account sync status |
Specify account sync status:
|
Modern MFA status |
Specify modern MFA status:
|
Administrator role |
Specify administrator role:
|
Date time properties |
|
Minimum account age (hours) |
Specify the minimum account age for the Microsoft 365 user accounts. |
Maximum account age (hours) |
Specify the minimum account age for the Microsoft 365 user accounts. |
Last Microsoft 365 sign in (days ago) |
Set a minimum number of days past since a user signs in to Microsoft 365. Use 0 to disable this check. Note: Using this parameter requires an Azure AD Premium P1/P2 license in the tenant.
|
Last password change (days ago) |
Set a minimum number of days past since a user changed the password. |
Last sync time (days ago) |
Set a minimum number of days past since the last sync time. |
Extension Attributes |
|
Extension attribute1 - Extension attrbute15 |
If you use Microsoft 365 extension attributes to store additional information for user accounts, you could select these attributes and map them to Other Attributes. To set labels or default values for these attributes, please use Attribute Policies. |
Mailbox and Licensing filters |
|
Mailbox type |
Specify mailbox type:
|
Include licensed users |
Specify which users should be included:
|
Filter by licenses |
You can filter users by assigned licenses and apps/services:
Also, you can add filtering by inheritance of assigned applications and services:
|
Organization Properties |
|
DisplayName/Email starts with EmployeeID starts with Employee type Job Title Division Cost center Department City State Country Postal code Usage location |
Specify organization properties for search. |
Map to text file |
|
Select data source |
Specifies the text file to be imported. The […] button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor. |
Separator used in file |
Specify the separator that is used in the CSV file. |
Data source anchor attribute |
Select a column in the data source that contains the attribute value for identifying and mapping a user. |
System anchor attribute |
Specify user anchor attribute. |
Other Query Settings |
|
System properties |
List of properties required for this rule to be executed correctly. |
Sort by |
Sort result objects list. |
Limit result set |
The maximum number of users returned from Microsoft 365 by default is 2000. Tip: It is possible to change the default value in Microsoft Microsoft 365 extension settings.
|
MS Graph query condition (OData) |
By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings – Cayosoft Help Center. |
MS Graph advanced queries |
Enables consistency level eventually which uses an index that might not be up-to-date with recent changes to the object. |
Initialization script |
|
Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action Section
Setting name | Description |
---|---|
Delete authentication methods |
Specify which authentication methods should be deleted. Note: Deleting all methods will require the user to re-register an MFA sign-in method.
|
Sign-out of MS 365 sessions | Specify if signing a user out of all Microsoft 365 sessions.
|
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
10.1.0 | The rule has been added to the product. |
Comments
0 comments
Please sign in to leave a comment.