Users regularly ask in different forums "How do I reset MFA?", "How do I delegate permissions for managing MFA?" and "How can the service desk reset MFA?". Until now, a user who needed to reconfigure MFA for whatever reason had to go through the service desk, who in turn had to reach a Global Administrator, the only role that could reset a user's MFA.
Because Global Administrator accounts should be very few (the usual recommendation is no more than two or three per tenant), it is hard for a GA to be available every time an end user needs an MFA reset.
Organizations have worked around this with PowerShell scripts and other custom ways of delegating MFA reset to the service desk, but a custom solution is no longer needed.
Microsoft has introduced a new role, Privileged Authentication Administrator. Users with this role can set or reset non-password credentials for all users, including Global Administrators. Specifically, Privileged Authentication Administrators can:
Force users to re-register against an existing non-password credential (e.g. MFA, FIDO)
Revoke "remember MFA on the device", prompting for MFA at the user's next sign-in
Because this role can reset the MFA of Global Administrators, an account that holds it is about as sensitive as a GA account: keep the membership small, require MFA on those service desk accounts themselves, and review the membership regularly.
In this blog post we will see how to assign permissions for managing MFA in Azure Active Directory and how the service desk can then reset MFA for users.
How to assign permissions?
Sign in to the Azure portal with a Global Administrator account: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
Click Azure Active Directory, then Roles and administrators.
In the list on the right you will see "Privileged authentication administrator": Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Following are the permissions that users get when you assign this role.
| Role permission | Description |
| --- | --- |
| microsoft.aad.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
| microsoft.aad.directory/users/strongAuthentication/update | Update the users.strongAuthentication property in Azure Active Directory. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Click Add.
The portal lets you add individual users to this role but not security groups, so if you have many service desk users, either script the assignment or add them one at a time.
Once the assignments are saved you will see the list of members. The permissions take effect immediately.
With this, assigning the permissions needed to reset MFA for users is complete.
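The role assignment above can be scripted instead of clicking through the portal. The following is an added example, not code from the original post, and it assumes the Microsoft Graph PowerShell SDK (the post itself uses the portal only); the UPNs are placeholders and the caller is assumed to hold a role that may assign directory roles, such as Global Administrator.

```powershell
# Added example (not from the original post): assign the Privileged Authentication
# Administrator role to a list of service desk users with the Microsoft Graph
# PowerShell SDK (assumed installed). UPNs below are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$roleName = "Privileged Authentication Administrator"
$members  = @("helpdesk1@contoso.com", "helpdesk2@contoso.com")   # placeholder UPNs

# A directory role exists as an object only after it has been activated from its
# template; activate it if this tenant has never used the role before.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Current members, so the script can be re-run without duplicate-member errors.
$existing = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Select-Object -ExpandProperty Id

foreach ($upn in $members) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    if ($existing -contains $user.Id) {
        Write-Host "$upn is already a member of $roleName"
        continue
    }
    # Role members are added by reference to the directory object.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Added $upn to $roleName"
}

# Print the final membership. Keep this list short and reviewed: these accounts
# can reset MFA for Global Administrators.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

The membership check at the top makes the script safe to run repeatedly, which matters when the service desk roster is maintained from a list; the final listing is what you would paste into a change record or review ticket.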
How does the service desk reset MFA for a user?
Service desk users go to https://portal.azure.com or directly to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
Click All users and enter the user name or email address.
Click the user account.
Click Authentication methods on the left side.
You will see two options here:
Require MFA re-registration: Require this user to go through the MFA registration process again. This will not delete existing authentication methods but will require the user to validate them.
Revoke MFA sessions: Clear this user's remembered MFA sessions and require this user to perform MFA the next time it is required by policy on this device.
To reset MFA for the user, click Require MFA re-registration; an "operation complete" notification appears in the top right corner.
Now that the permissions are delegated, it is also important to be able to find out who reset MFA for a specific user:
How to find out who reset MFA for a specific user?
From Azure Active Directory, All users, search for the user and click Audit logs.
The audit log lists all activities that were performed on this user.
For an MFA reset, the activity name is Update user with category UserManagement, initiated by eswar koneti. That is the account which reset the MFA for the target user, using the permissions delegated above.
To clear remembered MFA sessions instead, choose the other option, Revoke MFA sessions.
This is a clean way to route all MFA reset requests to the service desk, with an audit trail of who performed each reset.
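The reset and the audit lookup above can also be done from a script, which is useful when the service desk handles many requests or wants a record attached to each ticket. The following is an added example, not code from the original post. It assumes the Microsoft Graph PowerShell SDK and a caller holding Privileged Authentication Administrator; the target UPN is a placeholder. Note that, unlike the portal's Require MFA re-registration button, which keeps existing methods and only forces the user to re-validate them, this script removes the user's non-password methods outright, so the user must enrol again from scratch.

```powershell
# Added example (not from the original post): remove a user's registered
# non-password authentication methods, invalidate their refresh tokens, and then
# show who performed "Update user" changes on that user in the audit log.
# Assumes the Microsoft.Graph module; the UPN is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"

$targetUpn = "alice@contoso.com"   # placeholder
$user = Get-MgUser -UserId $targetUpn -Property Id,UserPrincipalName

# Each authentication method carries its concrete type in @odata.type; the removal
# cmdlet differs per type. The password method is deliberately left alone, since this
# role resets non-password credentials only.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties["@odata.type"]
    try {
        switch ($type) {
            "#microsoft.graph.passwordAuthenticationMethod" {
                Write-Host "Keeping password method"
            }
            "#microsoft.graph.phoneAuthenticationMethod" {
                Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id -ErrorAction Stop
                Write-Host "Removed phone method $($m.Id)"
            }
            "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id -ErrorAction Stop
                Write-Host "Removed Microsoft Authenticator method $($m.Id)"
            }
            "#microsoft.graph.fido2AuthenticationMethod" {
                Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id -ErrorAction Stop
                Write-Host "Removed FIDO2 security key $($m.Id)"
            }
            "#microsoft.graph.softwareOathAuthenticationMethod" {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id -ErrorAction Stop
                Write-Host "Removed software OATH token $($m.Id)"
            }
            default { Write-Host "Leaving $type in place" }
        }
    } catch {
        # A removal can be refused (for example when Graph will not delete the user's
        # current default method); report it and carry on with the remaining methods.
        Write-Warning "Could not remove $type $($m.Id): $($_.Exception.Message)"
    }
}

# Exercise the invalidateAllRefreshTokens permission from the role's permission list:
# every existing session must sign in again, and will then hit the registration prompt.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Who changed this user? Pull recent UserManagement / "Update user" audit events and keep
# the ones whose target is this user; InitiatedBy is the service desk account.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'UserManagement' and activityDisplayName eq 'Update user' and activityDateTime ge $since" |
    Where-Object { $_.TargetResources.UserPrincipalName -contains $targetUpn } |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = "InitiatedBy"; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Target";      e = { $_.TargetResources[0].UserPrincipalName } } |
    Format-Table -AutoSize
```

Audit events can take a few minutes to become visible, so run the final query a little after the reset rather than immediately. The per-method try/catch is the important edge case: a failed removal should not abort the reset half-way and leave the service desk unsure which methods are still registered.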
The full list of available roles can be found at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles