Adaxes

Can Azure MFA be managed through Adaxes

0 votes

We utilize Azure AD as well as Azure MFA for our VPN and we have instances where the MFA needs to be reset (essentially revoked then require to re-register). This link shows basically what we need to do.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

Currently only our sysadmins can do this, but we would like to extend this to our Helpdesk techs which unfortunately requires giving full access to Azure AD. We would like to leverage Adaxes for this, but not sure if it is possible or how it would be done.

by (130 points)

1 Answer

0 votes
by (216k points)

Hello,

It can be done using the Reset MFA script from the following article in our repository: https://www.adaxes.com/script-repository/enabledisable-multi-factor-authentication-for-a-user-in-office-365-s544.htm.

Show 6 previous comments
0

Where did the mfa reset script go? It's not in the repository anymore. Is there another way to reset Azure MFA for users?

by (0 points)
0

Hello,

Where did the mfa reset script go? It's not in the repository anymore.

The script was removed due to the changes in the API made by Microsoft.

Is there another way to reset Azure MFA for users?

The only option is to use a script. Unfortunately, we do not have all the examples as there is no full documentation provided by Microsoft. We can only state that is should be done via MgGraph. The folowing example should be helpful: https://www.adaxes.com/script-repository/enable-mfa-with-phone-number-for-a-user-in-microsoft-365-s686.htm.

by (300k points)
0

I have this script for MFA Reset and seems to work for me at least, if Support could verify. Needs Microsoft Graph installed like M365 Signout script (https://www.adaxes.com/script-repository/sign-out-from-all-microsoft-365-services-s597.htm)

$azureId = $Context.TargetObject.AzureID

if ($NULL -eq $azureId) {
    $Context.LogMessage("User %fullname% does not have an Azure AD account.", "Warning")
    return
}

$accessToken = $Context.CloudServices.GetAzureAuthAccessToken()
Connect-MgGraph -AccessToken ($accessToken | ConvertTo-SecureString -AsPlainText -Force)

#Search for Authenticator App methods and remove any found
$App = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId
if ($App) {
    $App | ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
        $Context.LogMessage("Authenticator App '$(($_.DisplayName))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Authenticator App methods found for user $azureId.", "Information")
}

#Search for Email methods and remove any found
$Email = Get-MgUserAuthenticationEmailMethod -UserId $azureId
if ($Email) {
    $Email | ForEach-Object {
        Remove-MgUserAuthenticationEmailMethod -UserId $azureId -EmailAuthenticationMethodId $_.Id
        $Context.LogMessage("Email address '$(($_.EmailAddress))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Email methods found for user $azureId.", "Information")
}

#Search for Phone methods and remove any found
$Phone = Get-MgUserAuthenticationPhoneMethod -UserId $azureId
if ($Phone) {
    $Phone | ForEach-Object {
        Remove-MgUserAuthenticationPhoneMethod -UserId $azureId -PhoneAuthenticationMethodId $_.Id
        $Context.LogMessage("Phone number '$(($_.PhoneNumber))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Phone/Text methods found for user $azureId.", "Information")
}
by (0 points)
0

Hello,

Unfortunately, we are not able to actually verify the script due to the lack of documentation from Microsoft after bringing the functionality to Microsoft graph instead of MSOnline. However, if you see it working, then it should be just fine.

by (300k points)
0

Thank you for this, pbug! I've tested your script and it works, I adapted it to my own needs to also include Software OATH token methods. Only issue that I found that if one of the users authentication methods is set to their default method, and there are other methods present then it won't remove them.

by (320 points)

Related questions

0 votes
1 answer
Will it be possible to create a cloud only user through the REST AI with the new Azure AD integration in version 2023?

Hi When reading the REST API documentation it does not mention working directly against Azure AD and Exchange Online. Will this be added? Thanks /Peter Sonander

asked Jan 26, 2023 by Sonander (40 points)
0 votes
1 answer
Is it possible to create/manage Managed Service Accounts through Adaxes?

We are looking to use Adaxes to create and manage Managed Service Accounts in the "Managed Service Accounts" OU. Is this possible through Adaxes? Thank you.

asked Nov 14, 2019 by lgibbens (320 points)
0 votes
1 answer
Can Azure/O365 only accounts be added to groups / business units based on attributes?

We are trying to extend our Adaxes management to O365 / Azure only user objects. Currently we use employee type to add traditional active directory accounts to business units and ... so, can this be used to create dynamic mail enabled security groups in O365?

asked May 3, 2022 by adaxes_user2 (40 points)
0 votes
1 answer
can this be updated to included authentication to Exchange/Azure with application vs credential?

we've migrated over to Application ID authentication...can this be updated to utilize this instead?

asked Oct 21, 2021 by jlaquatra (20 points)
0 votes
1 answer
In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in?

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in? I have set up a domain for testing adaxes and it ... I have set my host file to point the untrusted domain to it's primary Domain Controller.

asked Oct 5, 2022 by mightycabal (1.1k points)
3,668 questions
3,353 answers
8,468 comments
549,179 users