When a user with MFA enabled loses his mobile phone then he wouldn’t be able to login to new devices or in the old devices where the token life time have expired.
Currently in this scenario the user have to report to help desk team. Unfortunately only the global admins can perform the force reset of MFA account for the user to reset his Strongauthenticationmethods value to null to clear the old lost device.
There is a work around which can be used until we get a delegated RBAC role for performing this action. With Azure Automation account, creating a flow, integrating with flow and delegating this action to helpdesk admins will reduce the load on global admins performing this action.
- Create New Automation Accounts from azure portal. Azure subscription required.They provide 500 minutes free every month.
- Create new Work Flow from global admin account.This action needs to be performed from global admin account.
- Enter the Global admin Credentials in the created automation account. Very Important that this account used to execute must not have MFA enabled.
- Import the MSOnline module from the gallery.
Create Azure Automation Account –
Proceed to https://portal.azure.com – Create automation account.
Now add the msonline module-
Add Exchange Online Module – Access Azure Automation account and click Assets > Modules- Add MSOnline Module.
We can see the MSOnline modules are imported successfully.
Enter Global Admin Credentials in the Created Automation account –
Click on Automation accounts – Credentials – Enter Global Admin Credentials. Add scripts(below scripts)
This is the global admin credentials required which will execute the automation when we trigger the work flow from a delegated helpdesk admin account.
Now add the script which is required to execute this operation.
[sourcecode language="Powershell"] Param ( [Parameter (Mandatory= $false)] [String] $UserEmail = "" ) $creds = Get-AutomationPSCredential -Name 'TestDemo’ Connect-MsolService -Credential $creds #This command resets the MFA Set-MSOLUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @() #This Command Resets the password with force login #Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true [/sourcecode]
After adding above Publish the scripts.
Now we need to create the flow from the global admin account to execute this action.
Head over to Flow (https://flow.microsoft.com ) and provision a new personal Flow. Click new flow – Click Create from Blank.
Choose – Flow Button for Mobile , Flow Button for Mobile – manually trigger a Flow , Select AA- Type useremail as input flow.
Navigate to triggers – Select Manually trigger a flow.
Type UserEmail as input flow-Click on New Step – Add an Action
Click on Choose an action – Select Azure Automation – Create a Job – Provide the required credentials and subscription details.
Provide the required credentials and subscription details.
This part is very important we need to select the input as UserEmail as below. This parameter is required for the run book to execute the operation.After that we can see that the RunBook Parameter is UserEmail.
Now we will see the flow is connected to Azure automation account
Now Navigate to My Flows- Select the new flow – Click on – Run Now
We can see the flow will be successfully started and execute the requested operation of resetting the MFA value to null for the user.
We can run them on automation accounts and see them for verification and they will be successful.
From the global admin Flow login – Delegate this flow to helpdesk admins as manage run only user permission.
The actual operation is executed by the global admin account however the helpdesk team will be triggering this action through the delegated run only permissions assigned to them in created Microsoft flow.
Thanks & Regards