Feedback by UserVoice

Thomas Cannervall

  1. 4,195 votes
    180 comments  ·  Office 365 Admin
    Thomas Cannervall commented  · 

    You can use the Privileged Authentication Administrator role to reset MFA. You can of course use this with PIM or whatever.

    Yesterday I set up a reset flow with Automation Accounts (Azure Automate) -> Power Automate -> Power App to handle reset of MFA by support agents.

    I created a service account with the Privileged Authentication Admin role, imported the msol module in the automation account and created a pretty basic PS runbook:

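    # Requires the MSOnline module to be imported into the Automation account.
    Param (
        [Parameter(Mandatory = $true, HelpMessage = "Email of the user to reset MFA for")]
        [string]$UserEmail,
        [Parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
        [string]$AuthUser
    )
    # Turn non-terminating errors into terminating ones so the Catch block sees them.
    $ErrorActionPreference = 'Stop'
    Try {
        Import-Module MSOnline
        # Credential asset for the service account that holds the role.
        $creds = Get-AutomationPSCredential -Name '<redacted>'
        Connect-MsolService -Credential $creds
        # Clear the user's registered strong authentication methods.
        Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
        Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
    }
    Catch {
        # Report the failure in the job output.
        $ErrorMessage = $_.Exception.Message
        Write-Output "Reset MFA for user $UserEmail Failed. the error is: $ErrorMessage"
    }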

    Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and of course access to the app flow.

    Hope it helps someone
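
A hardened variant of the runbook in the comment above, as an added example that is not part of the original comment: it validates both addresses, refuses to reset accounts that hold a directory role, writes one JSON audit record per run, and rethrows so a failed reset shows up as a failed job. The credential asset name 'MfaResetSvc' and the audit field names are assumptions; $AuthUser is still whatever the calling flow passes in, so the runbook cannot verify it.

```powershell
# Added example (not from the original comment). Runs as an Azure Automation
# PowerShell runbook with the MSOnline module imported into the account.
param (
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]   # exactly one address, no whitespace
    [string]$UserEmail,

    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]
    [string]$AuthUser   # supplied by the caller; recorded, not verified
)
$ErrorActionPreference = 'Stop'

# Emit one machine-readable audit line per run (field names are assumptions).
function Write-AuditRecord {
    param ([string]$Result, [string]$Detail)
    [pscustomobject]@{
        timestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        action       = 'ResetMfa'
        target       = $UserEmail
        requestedBy  = $AuthUser
        result       = $Result
        detail       = $Detail
    } | ConvertTo-Json -Compress | Write-Output
}

try {
    $creds = Get-AutomationPSCredential -Name 'MfaResetSvc'   # assumed asset name
    Connect-MsolService -Credential $creds

    # Guard: a support-desk flow should not reset MFA for accounts holding directory roles.
    $roles = @(Get-MsolUserRole -UserPrincipalName $UserEmail)
    if ($roles.Count -gt 0) {
        throw "Refused: target holds role(s): $($roles.Name -join ', ')"
    }

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-AuditRecord -Result 'Success' -Detail ''
}
catch {
    Write-AuditRecord -Result 'Failed' -Detail $_.Exception.Message
    throw   # rethrow so the job status is Failed rather than Completed
}
```

Because the job now fails on error, the calling flow should check the job status as well as the output.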
