0 votes

We utilize Azure AD as well as Azure MFA for our VPN and we have instances where the MFA needs to be reset (essentially revoked then require to re-register). This link shows basically what we need to do.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

Currently only our sysadmins can do this, but we would like to extend this to our Helpdesk techs which unfortunately requires giving full access to Azure AD. We would like to leverage Adaxes for this, but not sure if it is possible or how it would be done.

by (130 points)

1 Answer

0 votes
by (216k points)

Hello,

It can be done using the Reset MFA script from the following article in our repository: https://www.adaxes.com/script-repository/enabledisable-multi-factor-authentication-for-a-user-in-office-365-s544.htm.

0

Thank you. Do we need to modify this script in any way or customize for our company? I am assuming it pulls the credentials from the service account automatically to access 0365 and "adm-O365ObjectId" will grab the username automatically?

0

Hello,

You are right, there is no need to modify the script.

0

Apologies for all the additional questions, do I need to register the 0365 Tenant for this or do I just need to install the Microsoft Azure Active Directory Module.

Was looking at this documentation and it looks to be way more than we need for what we are trying to do.

https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ManageAndAutomateOffice365.htm#automation

0

Hello,

Apologies for all the additional questions, do I need to register the 0365 Tenant for this or do I just need to install the Microsoft Azure Active Directory Module.

The Office 365 tenant should be registered in Adaxes and associated with the users the Custom Command is supposed to be executed on.

Was looking at this documentation and it looks to be way more than we need for what we are trying to do.

Unfortunately, the approach described in the tutorial cannot be used for managing Office 365 MFA. Currently, in Adaxes it can be done only using PowerShell scripts. If you need to delegate permissions to execute specific scripts, the scripts should be specified in Custom Commands and the delegates should have permissions to execute the commands. For information on how to delegate the permissions, please, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToExecuteCustomCommands.htm.

0

So the tenant does need to be registered, but how it is done is different from the online documentation? What would be the procedure for my purposes?

0

Hello,

The tenant needs to be registered as described in the Manage and Automate Office 365 tutorial. The data specified during tenants registration is used by Adaxes for interaction with Office 365. The scripts from the Manage multi-factor authentication for a user in Office 365 page use the same data.

To manage MFA via Adaxes, you will need to register your tenant in Adaxes, install Microsoft Azure Active Directory Module on the computers where Adaxes service runs, add the scripts from our repository to the relevant Custom Commands, grant permissions to execute the commands over the necessary users.

0

Where did the mfa reset script go? It's not in the repository anymore. Is there another way to reset Azure MFA for users?

0

Hello,

Where did the mfa reset script go? It's not in the repository anymore.

The script was removed due to the changes in the API made by Microsoft.

Is there another way to reset Azure MFA for users?

The only option is to use a script. Unfortunately, we do not have all the examples as there is no full documentation provided by Microsoft. We can only state that is should be done via MgGraph. The folowing example should be helpful: https://www.adaxes.com/script-repository/enable-mfa-with-phone-number-for-a-user-in-microsoft-365-s686.htm.

0

I have this script for MFA Reset and seems to work for me at least, if Support could verify. Needs Microsoft Graph installed like M365 Signout script (https://www.adaxes.com/script-repository/sign-out-from-all-microsoft-365-services-s597.htm)

$azureId = $Context.TargetObject.AzureID

if ($NULL -eq $azureId) {
    $Context.LogMessage("User %fullname% does not have an Azure AD account.", "Warning")
    return
}

$accessToken = $Context.CloudServices.GetAzureAuthAccessToken()
Connect-MgGraph -AccessToken ($accessToken | ConvertTo-SecureString -AsPlainText -Force)

#Search for Authenticator App methods and remove any found
$App = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId
if ($App) {
    $App | ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
        $Context.LogMessage("Authenticator App '$(($_.DisplayName))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Authenticator App methods found for user $azureId.", "Information")
}

#Search for Email methods and remove any found
$Email = Get-MgUserAuthenticationEmailMethod -UserId $azureId
if ($Email) {
    $Email | ForEach-Object {
        Remove-MgUserAuthenticationEmailMethod -UserId $azureId -EmailAuthenticationMethodId $_.Id
        $Context.LogMessage("Email address '$(($_.EmailAddress))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Email methods found for user $azureId.", "Information")
}

#Search for Phone methods and remove any found
$Phone = Get-MgUserAuthenticationPhoneMethod -UserId $azureId
if ($Phone) {
    $Phone | ForEach-Object {
        Remove-MgUserAuthenticationPhoneMethod -UserId $azureId -PhoneAuthenticationMethodId $_.Id
        $Context.LogMessage("Phone number '$(($_.PhoneNumber))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Phone/Text methods found for user $azureId.", "Information")
}
0

Hello,

Unfortunately, we are not able to actually verify the script due to the lack of documentation from Microsoft after bringing the functionality to Microsoft graph instead of MSOnline. However, if you see it working, then it should be just fine.

Related questions

0 votes
1 answer

Hi When reading the REST API documentation it does not mention working directly against Azure AD and Exchange Online. Will this be added? Thanks /Peter Sonander

asked Jan 26, 2023 by Sonander (40 points)
0 votes
1 answer

We are looking to use Adaxes to create and manage Managed Service Accounts in the "Managed Service Accounts" OU. Is this possible through Adaxes? Thank you.

asked Nov 14, 2019 by lgibbens (320 points)
0 votes
1 answer

We are trying to extend our Adaxes management to O365 / Azure only user objects. Currently we use employee type to add traditional active directory accounts to business units and ... so, can this be used to create dynamic mail enabled security groups in O365?

asked May 3, 2022 by adaxes_user2 (40 points)
0 votes
1 answer

we've migrated over to Application ID authentication...can this be updated to utilize this instead?

asked Oct 21, 2021 by jlaquatra (20 points)
0 votes
1 answer

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in? I have set up a domain for testing adaxes and it ... I have set my host file to point the untrusted domain to it's primary Domain Controller.

asked Oct 5, 2022 by mightycabal (1.0k points)
3,552 questions
3,242 answers
8,243 comments
547,828 users