1,368 votes · 273 comments · Azure Active Directory » Multi-factor Authentication

Admin:
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
Thomas Cannervall commented
Did something similar to Claudia Wilson.
You can use the Privileged Authentication Administrator role to reset MFA. You can of course use this with PIM or whatever.
Yesterday I set up a reset flow with Automation Accounts (Azure Automate) -> Power Automate -> Power App to handle reset of MFA by support agents.
I created a service account with the Privileged Authentication Admin role, imported the MSOL module in the automation account and created a pretty basic PS runbook:
```powershell
param(
    [Parameter(Mandatory = $true, HelpMessage = "Email of the user to reset MFA for")]
    [string]$UserEmail,
    [Parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
    [string]$AuthUser
)
$ErrorActionPreference = 'Stop'
try {
    # Credential asset holding the service account with the Privileged Authentication Administrator role
    $creds = Get-AutomationPSCredential -Name '<redacted>'
    Connect-MsolService -Credential $creds
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Output "Reset MFA for user $UserEmail failed. The error is: $ErrorMessage"
}
```
Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and of course access to the app flow.
Hope it helps someone
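A guarded variant of the runbook described above, added here as an example and not the commenter's code: before resetting, it refuses targets that hold any active directory role (so a helpdesk-driven reset cannot be pointed at an administrator) and writes one structured audit line naming both the target and the requesting agent. It assumes the same MSOnline module, credential asset and parameter names as the runbook above; `Test-IsPrivilegedUser` and `Write-AuditRecord` are helper names chosen for this example.

```powershell
param(
    [Parameter(Mandatory = $true)] [string]$UserEmail,
    [Parameter(Mandatory = $true)] [string]$AuthUser
)
$ErrorActionPreference = 'Stop'

function Test-IsPrivilegedUser {
    # A directory role on the target turns a helpdesk MFA reset into a privilege-escalation
    # path, so such requests are refused here and left to a privileged admin to handle.
    # Get-MsolUserRole returns active assignments only; PIM-eligible roles are not visible to it.
    param([string]$Upn)
    $roles = @(Get-MsolUserRole -UserPrincipalName $Upn)
    return ($roles.Count -gt 0)
}

function Write-AuditRecord {
    # One JSON line per decision in the job output, so the Automation job history is searchable.
    param([string]$Target, [string]$Actor, [string]$Outcome)
    $record = [ordered]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Action    = 'ResetMfa'
        Target    = $Target
        Actor     = $Actor
        Outcome   = $Outcome
    }
    Write-Output ($record | ConvertTo-Json -Compress)
}

try {
    # Credential asset for the service account holding Privileged Authentication Administrator (example name)
    $creds = Get-AutomationPSCredential -Name '<redacted>'
    Connect-MsolService -Credential $creds

    # With ErrorActionPreference = Stop, an unknown UPN throws here instead of silently doing nothing
    $target = Get-MsolUser -UserPrincipalName $UserEmail

    if (Test-IsPrivilegedUser -Upn $target.UserPrincipalName) {
        throw "Denied: $UserEmail holds a directory role; privileged accounts are not reset by this flow"
    }

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $target.UserPrincipalName
    Write-AuditRecord -Target $UserEmail -Actor $AuthUser -Outcome 'Success'
}
catch {
    # Denied and failed requests both land here, so every outcome produces exactly one audit line
    Write-AuditRecord -Target $UserEmail -Actor $AuthUser -Outcome "Failed: $($_.Exception.Message)"
    throw
}
```

Re-throwing in the catch block marks the Automation job as failed, which keeps denied requests visible in the job history rather than reported as successful runs.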