Overview
NOTE: Before you start managing authentication methods, verify they are enabled and configured in your tenant: Authentication methods | Microsoft Entra admin center.
Cayosoft Administrator allows delegated administrators to assign new authentication methods to Microsoft 365 users in your managed tenant and to manage their existing methods. This article lists the options for managing authentication methods and the actions supported for each method.
Supported authentication methods
Cayosoft Administrator collects and manages the used authentication methods via the authenticationMethod Graph call. Refer to the following table for additional information on the supported authentication methods:
Authentication method | User-friendly name | Read | Edit | Write |
---|---|---|---|---|
emailAuthenticationMethod | | True | True | True |
fido2AuthenticationMethod | FIDO2 security key | True | True | False |
microsoftAuthenticatorAuthenticationMethod | Microsoft Authenticator, Passwordless Microsoft Authenticator | True | True | False |
passwordAuthenticationMethod | Password | True | True | False |
phone | Phone number (voice call or text) | True | True | True |
softwareOathAuthenticationMethod | Software OATH token | True | True | False |
temporaryAccessPassAuthenticationMethod | Temporary Access Pass | True | True | True |
windowsHelloForBusinessAuthenticationMethod | Windows Hello for Business | True | True | False |
hardwareOathAuthenticationMethod | Hardware token | True | True | False |
To learn more about assigning authentication methods to Microsoft 365 users in your tenant, refer to the following section: Assigning authentication methods.
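The following added example (not Cayosoft's or Microsoft's code) classifies a user's registered methods, as returned by the Graph authentication methods call, against the table above. The response body is a constructed sample; matching the table's phone row to Graph's phoneAuthenticationMethod type and labelling the email row "Email OTP" are assumptions.

```python
import json

# Rows from the table above: type -> (user-friendly name, read, edit, write).
# Assumptions: the email row has no name in the table, so the article's own
# "Email OTP" label is used; the "phone" row is matched to phoneAuthenticationMethod.
SUPPORTED = {
    "emailAuthenticationMethod": ("Email OTP", True, True, True),
    "fido2AuthenticationMethod": ("FIDO2 security key", True, True, False),
    "microsoftAuthenticatorAuthenticationMethod":
        ("Microsoft Authenticator, Passwordless Microsoft Authenticator", True, True, False),
    "passwordAuthenticationMethod": ("Password", True, True, False),
    "phoneAuthenticationMethod": ("Phone number (voice call or text)", True, True, True),
    "softwareOathAuthenticationMethod": ("Software OATH token", True, True, False),
    "temporaryAccessPassAuthenticationMethod": ("Temporary Access Pass", True, True, True),
    "windowsHelloForBusinessAuthenticationMethod": ("Windows Hello for Business", True, True, False),
    "hardwareOathAuthenticationMethod": ("Hardware token", True, True, False),
}

# Constructed sample of a GET /users/{id}/authentication/methods response body.
# The last entry is a made-up type, included to exercise the unrecognized path.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-1"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "constructed-2"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "constructed-3"},
    {"@odata.type": "#microsoft.graph.exampleUnknownAuthenticationMethod", "id": "constructed-4"},
]})

def summarize_methods(response_text):
    """Classify each registered method against the table of supported methods."""
    report = {"registered": [], "assignable": [], "unrecognized": []}
    for entry in json.loads(response_text).get("value", []):
        # Graph tags each entry as "#microsoft.graph.<type>"; keep only <type>.
        type_name = entry.get("@odata.type", "").rsplit(".", 1)[-1]
        row = SUPPORTED.get(type_name)
        if row is None:
            # Not in the table: surface it instead of silently dropping it.
            report["unrecognized"].append(type_name or "<missing @odata.type>")
            continue
        name, _read, _edit, write = row
        report["registered"].append(name)
        if write:  # Write=True rows are the ones the web action can assign
            report["assignable"].append(name)
    # True when no recognized method other than the password is registered.
    report["password_only"] = set(report["registered"]) <= {"Password"}
    return report

if __name__ == "__main__":
    print(json.dumps(summarize_methods(SAMPLE_RESPONSE), indent=2))
```

Running the same check after a bulk removal shows which accounts are left with only a password and still need to re-register.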
Managing authentication methods
Use the following items to manage authentication methods:
- Microsoft 365 Users Authentication Methods (MFA) Status rule
- Microsoft 365 Users | Delete Authentication Methods (re-register MFA) rule
- Text File | Delete Authentication Methods (re-register MFA) rule
Reviewing current authentication methods
Review the authentication methods set up for the user using the Authentication Methods web action in the Cayosoft Administrator Web Portal.
- Assign the supported methods.
- Edit the supported methods.
- Remove the authentication methods.
- Specify the MFA state for the user.
- Specify the preferred MFA method for the user.
Assigning authentication methods
The Authentication Methods web action allows you to manage authentication methods for Microsoft 365 users. You can assign new methods and remove existing ones; the web action covers three authentication methods:
- Phone number-based authentication method.
- Email OTP.
- Temporary Access Pass.
Refer to the following sections to learn more about the assignment workflow.
Phone number
Assign a phone number-based authentication method to receive a phone call or a text message with a verification code. Depending on the phone type, a corresponding authentication method is assigned:
- Mobile and alternate phones support both voice calls and text messages.
- Office phones can only receive voice calls.
Refer to the following steps to add a phone number-based authentication method in the Web Portal:
- In the Cayosoft Administrator Web Portal, navigate to the Microsoft 365 > Users web query.
- Highlight a user and click Authentication Methods.
- Click Add method and select Mobile phone, Office phone, or Alternate mobile type.
- Specify a phone number.
- Click OK.
- Click Update to save the changes.
Refer to the following article to learn more about the phone authentication options: Mobile phone verification | Microsoft Learn.
Email OTP
With the Email OTP (One-Time Password) method assigned, the user receives a code in the specified email inbox; the one-time password is then used to authenticate. For the tenant members, the Email OTP option is only used for Self-Service Password Recovery. You can also configure it as a primary sign-in option for the guest users in your tenant. Refer to the following steps to assign the Email OTP authentication method to a user in the Web Portal:
- In the Cayosoft Administrator Web Portal, navigate to the Microsoft 365 > Users web query.
- Highlight a user and click Authentication Methods.
- Click Add method and select the Email type.
- Specify the user email.
- Click OK.
- Click Update to save the changes.
Refer to the following article to learn more about the Email OTP option: One-time passcode authentication for B2B guest users | Microsoft Learn.
Temporary Access Pass
A Temporary Access Pass is a time-limited passcode that can be configured for single use or multiple sign-ins. Users can use a Temporary Access Pass to enroll other authentication methods, including passwordless methods (e.g., Microsoft Authenticator, FIDO2). Refer to the following steps to assign a Temporary Access Pass to a user in the Web Portal:
- In the Cayosoft Administrator Web Portal, navigate to the Microsoft 365 > Users web query.
- Highlight a user and click Authentication Methods.
- Click the Temporary Access Pass button.
- Specify the Activation duration: enter a value ranging from 60 to 480 minutes.
- Specify if it is a one-time use pass.
- Specify if it is a delayed start time pass.
- If it is a delayed start time pass, specify the Start date and Start time values to proceed.
- Click OK.
- Click Update to save the changes.
Refer to the following article to learn more about the Temporary Access Pass option: Configure Temporary Access Pass to register passwordless authentication methods | Microsoft Learn.
Unassigning authentication methods
NOTE: The Suspend configuration for the corresponding Suspend rule must be set up to manage authentication methods.
Revoke the existing authentication methods of users in your tenant using one of the following options:
- Microsoft 365 Users | Delete Authentication Methods (re-register MFA) rule
- Text File | Delete Authentication Methods (re-register MFA) rule
Refer to the following steps to revoke authentication methods in bulk via the Web Portal using the Authentication Methods web action for Microsoft 365 users:
- In the Cayosoft Administrator Web Portal, navigate to the Microsoft 365 > Users web query.
- Highlight two or more users and click Authentication Methods.
- In the pop-up window, select the Remove all registered MFA methods and require users to add new sign-in methods checkbox and click Update.
Alternatively, review the following example of managing authentication methods with the Microsoft 365 Users | Delete Authentication Methods (re-register MFA) rule.
- In the Cayosoft Administrator Console, create the Microsoft 365 Users | Delete Authentication Methods (re-register MFA) rule with the wizard.
- Optional: Limit the query scope to a single administrative unit in the Query section.
- Optional: In the User account properties section, set up filters to limit the scope of target users.
- Optional: In the Organizational properties section, introduce properties to further limit the scope of target users.
- In the Action section, define the deleted authentication methods and forced sign-out settings.
- In the Output section, alter the default settings to set up a report.
- Run the rule. Once it completes, review the execution history to verify it has been executed successfully.
- Review the report. Navigate to Home > Reports, and locate the latest report for the rule.
For additional information, refer to the following article: Microsoft 365 Users | Delete Authentication Methods (re-register MFA) rule.