Resetting SMS MFA with Entra External ID
I have set up a user with email/password and I use conditional access to set up MFA for the user.
The user's choice for MFA is to send an OTP to either their email address or phone.
What happens when the user loses their phone or buys a new one? You can handle this by resetting the MFA for SMS and allowing the user to proof up again.
You can’t reset the email because that is the user’s identity.
When the user has proofed up for the first time and then logs in, they see this screen.
The user now verifies their SMS.
If we look at the user details under “Authentication methods”, we see that the user has SMS set.
Note that you can change the phone option to SMS or voice call.
Now, if the user loses their phone or buys a new one, they need to reset their MFA.
To do this, use the “Require re-register MFA” tab.
This brings up this screen:
Click “OK”.
Now the “Authentication methods” screen shows:
and you can see that the SMS option has been removed.
When the user next logs in, they will be asked to proof up again, and then they can use their new phone.
Note that if you click “Use a different verification option” after the user has proofed up, you see:
and you can use either option.
All good!
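The check shown on the “Authentication methods” screen can also be scripted. The following is an added example, not part of the original walkthrough: it uses the Microsoft Graph PowerShell SDK to list a user's phone methods and, with `-Remove`, delete them and confirm they are gone. It assumes the Graph authentication methods API is available in your external tenant and that you sign in with a role such as Authentication Administrator. Note that it deletes only phone methods through Graph; it is not the same operation as the portal's “Require re-register MFA”. The script name, parameter names and helper function are hypothetical.

```powershell
# Added example (hypothetical script: Reset-SmsMfa.ps1). Not from the original post.
# Assumption: the Graph authentication methods API is enabled for this tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param(
    [Parameter(Mandatory)] [string] $TenantId,  # ID of the external tenant
    [Parameter(Mandatory)] [string] $UserId,    # object ID of the affected user
    [switch] $Remove                            # without this switch: report only
)

# Least privilege: ask for write access only when a delete is requested.
$scope = if ($Remove) { 'UserAuthenticationMethod.ReadWrite.All' }
         else         { 'UserAuthenticationMethod.Read.All' }
Connect-MgGraph -TenantId $TenantId -Scopes $scope | Out-Null

function Get-UserPhoneMethod {
    param([string] $Id)
    # Always return an array so .Count works for zero or one result.
    @(Get-MgUserAuthenticationPhoneMethod -UserId $Id -ErrorAction Stop)
}

$before = Get-UserPhoneMethod -Id $UserId
if ($before.Count -eq 0) {
    Write-Output "No phone method registered for $UserId; nothing to reset."
    return
}

# Show what is registered before touching anything.
$before | Select-Object Id, PhoneType, PhoneNumber, SmsSignInState | Format-Table

if ($Remove) {
    foreach ($method in $before) {
        Remove-MgUserAuthenticationPhoneMethod -UserId $UserId `
            -PhoneAuthenticationMethodId $method.Id -ErrorAction Stop
        Write-Output "Removed $($method.PhoneType) method $($method.Id)"
    }

    # Verify the result instead of trusting the delete call.
    $after = Get-UserPhoneMethod -Id $UserId
    if ($after.Count -ne 0) {
        throw "Phone methods still present for $UserId after removal."
    }
    Write-Output "Phone methods cleared; the user can proof up with the new phone."
}
```

Run it once without `-Remove` to record what was registered, and confirm the user's identity through a separate channel before running it with `-Remove`.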