Thomas Cannervall

    1,368 votes
    We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.

    Thomas Cannervall commented:

    Did something similar to Claudia Wilson.
    You can use the Privileged Authentication Administrator role to reset MFA. You can of course use this with PIM or whatever.

    Yesterday I set up a reset flow with Automation Accounts (Azure Automate) -> Power Automate -> Power App to handle reset of MFA by support agents.

    I created a service account with the Privileged Authentication Administrator role, imported the MSOnline module into the Automation Account and created a pretty basic PowerShell runbook:

    Param (
        [Parameter(Mandatory = $true, HelpMessage = "Email of the user to reset MFA for")]
        [string]$UserEmail,
        [Parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
        [string]$AuthUser
    )
    $ErrorActionPreference = 'Stop'
    Try {
        # The MSOnline module has to be added to the Automation Account's modules first
        Import-Module MSOnline
        # Credential asset holding the service account that has Privileged Authentication Administrator
        $creds = Get-AutomationPSCredential -Name '<redacted>'
        Connect-MsolService -Credential $creds
        # Clears every registered MFA method; the user re-registers at next sign-in
        Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
        Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
    }
    Catch {
        $ErrorMessage = $_.Exception.Message
        Write-Output "Reset MFA for user $UserEmail failed. The error is: $ErrorMessage"
    }

    Had to give the support agents Automation Job Operator permissions on the Automation Account / resource group and of course access to the app and flow.

    Hope it helps someone
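As an added example (not part of the comment above, and not Microsoft's own tooling), here is the same help-desk reset runbook rebuilt on Microsoft Graph instead of the deprecated MSOnline module, using the Automation Account's managed identity instead of a stored service-account password. It assumes the Microsoft.Graph.Authentication module is imported into the Automation Account and that the system-assigned managed identity has been granted the UserAuthenticationMethod.ReadWrite.All and Directory.Read.All application permissions; the function and parameter names, the UPN validation pattern and the two-pass delete are this example's own choices. Two things the posted runbook does not do are added: the input is validated before it is spliced into a URL, and the reset is refused when the target holds a directory role, so a support agent cannot use the flow to re-enrol an administrator's MFA.

```powershell
# Added example: Graph-based MFA reset runbook with a managed identity.
# Assumes Microsoft.Graph.Authentication is imported into the Automation Account and
# the managed identity holds UserAuthenticationMethod.ReadWrite.All + Directory.Read.All.
Param (
    # Only a plain UPN is accepted, so a caller cannot smuggle path segments or query
    # strings into the Graph URL that is built from it below.
    [Parameter(Mandatory = $true, HelpMessage = "UPN of the user whose MFA methods are reset")]
    [ValidatePattern('^[^\s/?#@]+@[^\s/?#@]+$')]
    [string]$UserEmail,
    [Parameter(Mandatory = $true, HelpMessage = "UPN of the support agent who triggered the reset")]
    [ValidatePattern('^[^\s/?#@]+@[^\s/?#@]+$')]
    [string]$AuthUser
)
$ErrorActionPreference = 'Stop'

# Graph authentication method types that are MFA registrations, mapped to the collection
# each one is deleted from. passwordAuthenticationMethod cannot be deleted and is left out.
$Deletable = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
}

function Reset-UserMfaMethods {
    param([Parameter(Mandatory = $true)][string]$Upn)
    $base = "https://graph.microsoft.com/v1.0/users/$Upn"

    # Guard: a help-desk flow must not be able to wipe an administrator's MFA. Refuse if the
    # target holds any active directory role (PIM-activated roles appear here; eligible but
    # inactive ones do not, so pair this with a PIM policy that requires MFA on activation).
    $roles = Invoke-MgGraphRequest -Method GET -Uri "$base/memberOf/microsoft.graph.directoryRole?`$select=displayName"
    if (@($roles.value).Count -gt 0) {
        $names = @($roles.value | ForEach-Object { $_.displayName }) -join ', '
        throw "Refusing to reset MFA for $Upn, target holds directory role(s): $names"
    }

    $methods = @((Invoke-MgGraphRequest -Method GET -Uri "$base/authentication/methods").value)
    $pending = @($methods | Where-Object { $Deletable.ContainsKey($_.'@odata.type') })
    $removed = @()

    # Two passes: Graph rejects deleting the user's current default method while other
    # methods still exist (observed behaviour, verify in your tenant), so a method that
    # fails on the first pass is retried once after the rest are gone.
    foreach ($pass in 1, 2) {
        $failed = @()
        foreach ($m in $pending) {
            $segment = $Deletable[$m.'@odata.type']
            try {
                Invoke-MgGraphRequest -Method DELETE -Uri "$base/authentication/$segment/$($m.id)"
                $removed += $m.'@odata.type'
            } catch {
                if ($pass -eq 2) { throw }
                $failed += $m
            }
        }
        $pending = $failed
        if ($pending.Count -eq 0) { break }
    }
    return $removed
}

# Sign in as the Automation Account's system-assigned managed identity; no secret to store.
Connect-MgGraph -Identity
try {
    $removed = Reset-UserMfaMethods -Upn $UserEmail
    Write-Output "MFA reset for $UserEmail requested by $AuthUser; removed $($removed.Count) method(s): $($removed -join ', ')"
}
catch {
    # Rethrowing marks the Automation job as Failed rather than Completed, so a failed
    # reset cannot be mistaken for a successful one in the job history.
    throw "MFA reset for $UserEmail requested by $AuthUser failed: $($_.Exception.Message)"
}
```

The role check is the part worth keeping even if the rest is adapted: the identity that runs the reset can, by design, clear MFA for any user, so the runbook rather than the agent's permissions is where the line between "ordinary user" and "administrator" has to be enforced. Keep the Automation Job Operator assignment for the agents as in the comment above, and treat the job output (target, requester, removed methods) as the audit record for each reset.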
