This PowerShell script automates the removal of legacy software OATH authentication methods from users in Microsoft Entra ID (Azure AD) using the Microsoft Graph PowerShell SDK. See more here:

- https://learn.microsoft.com/en-us/graph/api/softwareoathauthenticationmethod-delete?view=graph-rest-1.0&tabs=powershell
- https://learn.microsoft.com/en-us/graph/api/authentication-list-methods?view=graph-rest-1.0&tabs=powershell
- Prompts for dry-run mode to preview changes before applying them
- Logs all actions to a CSV file for auditing
- Implements retry logic for Microsoft Graph API throttling (HTTP 429)
- Uses delegated permissions with `Connect-MgGraph`
- PowerShell 7+
- Microsoft Graph PowerShell SDK installed:

  ```powershell
  Install-Module Microsoft.Graph -Scope CurrentUser -Force
  ```
The script uses delegated permissions. The signed-in user must have one of the following roles:
- Authentication Administrator
- Privileged Authentication Administrator
The following Microsoft Graph delegated permissions must be granted:
- User.Read.All
- UserAuthenticationMethod.ReadWrite.All
- Open PowerShell as Administrator.
- Run the script using:

  ```powershell
  .\Remove-GraphUserAuthMethods.ps1
  ```

- When prompted, choose whether to run in dry-run mode.
An audit log is saved to audit_log.csv in the script directory. Each row includes:
- UserPrincipalName
- Action taken (or previewed)
- Method ID
- Status (Success, Failed, Preview)
| UserPrincipalName | Action | MethodId | Status |
|---|---|---|---|
| [email protected] | DryRun-RemoveMethod | a1 | Preview |
| [email protected] | RemoveMethod | a2 | Success |
- The script uses exponential backoff when encountering throttling (HTTP 429).
- You can filter users or extend the script to target specific groups or domains.
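The mechanics described above (dry-run preview, one audit row per method, exponential backoff on HTTP 429), shown as an added illustration rather than the project's own script. It uses the Graph SDK cmdlets `Get-MgUserAuthenticationSoftwareOathMethod` and `Remove-MgUserAuthenticationSoftwareOathMethod`; the function names, the `-DryRun` switch, the retry limit and the way throttling is detected from the error message are assumptions.

```powershell
# Added example, not the project's script. Assumes an existing session:
# Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.ReadWrite.All'
function Invoke-GraphWithRetry {
    param([scriptblock]$Operation, [int]$MaxAttempts = 5)   # limit is an assumption
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Operation }
        catch {
            # Assumption: throttling surfaces as 429/TooManyRequests in the message.
            $throttled = $_.Exception.Message -match '429|TooManyRequests'
            if (-not $throttled -or $attempt -eq $MaxAttempts) { throw }
            $delay = [math]::Pow(2, $attempt)   # 2, 4, 8, 16 seconds
            Write-Warning "Throttled (attempt $attempt); retrying in $delay s"
            Start-Sleep -Seconds $delay
        }
    }
}

function Remove-SoftwareOathMethods {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$DryRun,                       # preview only, write nothing to Graph
        [string]$AuditPath = 'audit_log.csv'   # relative to the current directory
    )
    $methods = Invoke-GraphWithRetry {
        Get-MgUserAuthenticationSoftwareOathMethod -UserId $UserPrincipalName
    }
    foreach ($m in $methods) {
        # Same columns as the audit log described in the README.
        $row = [ordered]@{
            UserPrincipalName = $UserPrincipalName
            Action   = if ($DryRun) { 'DryRun-RemoveMethod' } else { 'RemoveMethod' }
            MethodId = $m.Id
            Status   = 'Preview'
        }
        if (-not $DryRun) {
            try {
                Invoke-GraphWithRetry {
                    Remove-MgUserAuthenticationSoftwareOathMethod `
                        -UserId $UserPrincipalName -SoftwareOathAuthenticationMethodId $m.Id
                }
                $row.Status = 'Success'
            } catch { $row.Status = 'Failed' }
        }
        [pscustomobject]$row | Export-Csv -Path $AuditPath -Append -NoTypeInformation
    }
}

# Usage: Remove-SoftwareOathMethods -UserPrincipalName 'user@example.com' -DryRun
```

Run it with `-DryRun` first and review `audit_log.csv`; only a second run without the switch deletes methods.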