To follow this guide you will need:
The correct role: Authentication Administrator is enough to perform these steps for most users; Privileged Authentication Administrator is required for all users, including admins. Higher-privileged roles such as Global Administrator can also perform these actions, but use the least-privileged role that covers the target user.
If a user loses or breaks their Multi-Factor Authentication method (for example a lost or replaced phone), we need to mark their account as requiring re-registration of MFA so they can enrol a new method.
First, make sure the request really comes from the user it appears to come from. An MFA reset is exactly what an attacker who already holds a user's password needs, so this is a common social-engineering target.
If the request to reset MFA arrives by email (work or personal) or by a phone call from someone whose voice you do not know well enough to recognise, take a minute to check that the request is legitimate before doing anything.
Do this by calling them back or sending them a message on a channel you trust (e.g. Slack, Teams, Telegram, or Signal), using a number or handle taken from the company directory or phonebook (or, in a pinch, from another colleague). Never use contact details supplied in the request itself; the point is that the confirmation travels over a channel the requester did not choose.
A simple "Hi, this is IT - just double checking you requested an MFA reset" and a confirmation from them will do the job. If they did not make the request, treat the account as potentially compromised and escalate.
Need more information? See our article on verifying user requests.
Go to the Users blade in the Azure Active Directory admin center (now the Microsoft Entra admin center) and select the target user.
From the side menu, select Authentication Methods.
Select Require re-register MFA. This clears the user's registered MFA methods, so they will be sent through MFA registration the next time they sign in.
Instruct the user to go to https://aka.ms/mfasetup to re-register for MFA. They should do this from a device they control, signing in with their password; the page will prompt them to set up a new method.
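The same reset can be scripted, which is useful when you want a repeatable, auditable procedure rather than portal clicks. The script below is an added example and is not part of the original article or of any Microsoft documentation. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Authentication Administrator role (or Privileged Authentication Administrator for admin targets), and that the UPN passed in is a placeholder you replace. There is no single Graph call that mirrors the portal's Require re-register MFA button; the closest equivalent, used here, is to delete every registered authentication method except the password, which leaves the user with nothing but a password so their next MFA-required sign-in sends them through registration. The optional session revocation is an extra step, not something the article describes.

```powershell
# Reset-UserMfa.ps1 (hypothetical script name) - added example, not from the original page.
# Usage: .\Reset-UserMfa.ps1 -UserPrincipalName 'alice@contoso.example' -RevokeSessions
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,        # placeholder UPN of the verified requester
    [switch]$RevokeSessions            # also invalidate existing refresh tokens
)

# Delegated scopes: read/delete another user's auth methods, and (optionally) revoke sessions.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.RevokeSessions.All'

# Resolve the user once so every later call uses the object id, not the UPN.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Each registered method carries its concrete type in '@odata.type'; the Graph SDK
# exposes a separate Remove-* cmdlet per type, so dispatch on that value.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
foreach ($m in $methods) {
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id
        }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.passwordAuthenticationMethod' {
            # The password is not an MFA method and cannot be deleted; leave it in place.
        }
        default {
            # Device-bound methods (e.g. Windows Hello for Business) or newer types: do not
            # silently guess at a cmdlet; surface them for a manual decision instead.
            Write-Warning "Skipping $type ($($m.Id)) on $($user.UserPrincipalName); review it manually."
        }
    }
}

if ($RevokeSessions) {
    # Forces every device holding a refresh token for this user to sign in again,
    # which matters if the lost device might still be in someone else's hands.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# Verify the result: only the password method should remain.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } }
```

Run it only after the out-of-band verification described above, and keep the final listing (or the Entra audit log entry it produces) with the ticket so the reset is traceable to a verified request.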