Can Azure MFA be managed through Adaxes

Question

We utilize Azure AD as well as Azure MFA for our VPN and we have instances where the MFA needs to be reset (essentially revoked then require to re-register). This link shows basically what we need to do.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

Currently only our sysadmins can do this, but we would like to extend this to our Helpdesk techs which unfortunately requires giving full access to Azure AD. We would like to leverage Adaxes for this, but not sure if it is possible or how it would be done.

Answer 1

Hello,

It can be done using the Reset MFA script from the following article in our repository: https://www.adaxes.com/script-repository/enabledisable-multi-factor-authentication-for-a-user-in-office-365-s544.htm.

Comments

Thank you. Do we need to modify this script in any way or customize for our company? I am assuming it pulls the credentials from the service account automatically to access 0365 and "adm-O365ObjectId" will grab the username automatically?

---

Hello,

You are right, there is no need to modify the script.

---

Apologies for all the additional questions, do I need to register the 0365 Tenant for this or do I just need to install the Microsoft Azure Active Directory Module.

Was looking at this documentation and it looks to be way more than we need for what we are trying to do.

https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ManageAndAutomateOffice365.htm#automation

---

Hello,

Apologies for all the additional questions, do I need to register the 0365 Tenant for this or do I just need to install the Microsoft Azure Active Directory Module.

The Office 365 tenant should be registered in Adaxes and associated with the users the Custom Command is supposed to be executed on.

Was looking at this documentation and it looks to be way more than we need for what we are trying to do.

Unfortunately, the approach described in the tutorial cannot be used for managing Office 365 MFA. Currently, in Adaxes it can be done only using PowerShell scripts. If you need to delegate permissions to execute specific scripts, the scripts should be specified in Custom Commands and the delegates should have permissions to execute the commands. For information on how to delegate the permissions, please, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToExecuteCustomCommands.htm.

---

So the tenant does need to be registered, but how it is done is different from the online documentation? What would be the procedure for my purposes?

---

Hello,

The tenant needs to be registered as described in the Manage and Automate Office 365 tutorial. The data specified during tenants registration is used by Adaxes for interaction with Office 365. The scripts from the Manage multi-factor authentication for a user in Office 365 page use the same data.

To manage MFA via Adaxes, you will need to register your tenant in Adaxes, install Microsoft Azure Active Directory Module on the computers where Adaxes service runs, add the scripts from our repository to the relevant Custom Commands, grant permissions to execute the commands over the necessary users.

---

Where did the mfa reset script go? It's not in the repository anymore. Is there another way to reset Azure MFA for users?

---

Hello,

Where did the mfa reset script go? It's not in the repository anymore.

The script was removed due to the changes in the API made by Microsoft.

Is there another way to reset Azure MFA for users?

The only option is to use a script. Unfortunately, we do not have all the examples as there is no full documentation provided by Microsoft. We can only state that is should be done via MgGraph. The folowing example should be helpful: https://www.adaxes.com/script-repository/enable-mfa-with-phone-number-for-a-user-in-microsoft-365-s686.htm.

---

I have this script for MFA Reset and seems to work for me at least, if Support could verify. Needs Microsoft Graph installed like M365 Signout script (https://www.adaxes.com/script-repository/sign-out-from-all-microsoft-365-services-s597.htm)

$azureId = $Context.TargetObject.AzureID

if ($NULL -eq $azureId) {
    $Context.LogMessage("User %fullname% does not have an Azure AD account.", "Warning")
    return
}

$accessToken = $Context.CloudServices.GetAzureAuthAccessToken()
Connect-MgGraph -AccessToken ($accessToken | ConvertTo-SecureString -AsPlainText -Force)

#Search for Authenticator App methods and remove any found
$App = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId
if ($App) {
    $App | ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $azureId -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
        $Context.LogMessage("Authenticator App '$(($_.DisplayName))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Authenticator App methods found for user $azureId.", "Information")
}

#Search for Email methods and remove any found
$Email = Get-MgUserAuthenticationEmailMethod -UserId $azureId
if ($Email) {
    $Email | ForEach-Object {
        Remove-MgUserAuthenticationEmailMethod -UserId $azureId -EmailAuthenticationMethodId $_.Id
        $Context.LogMessage("Email address '$(($_.EmailAddress))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Email methods found for user $azureId.", "Information")
}

#Search for Phone methods and remove any found
$Phone = Get-MgUserAuthenticationPhoneMethod -UserId $azureId
if ($Phone) {
    $Phone | ForEach-Object {
        Remove-MgUserAuthenticationPhoneMethod -UserId $azureId -PhoneAuthenticationMethodId $_.Id
        $Context.LogMessage("Phone number '$(($_.PhoneNumber))' removed for user $azureId.", "Information")
    }
} else {
    $Context.LogMessage("No Phone/Text methods found for user $azureId.", "Information")
}

---

Hello,

Unfortunately, we are not able to actually verify the script due to the lack of documentation from Microsoft after bringing the functionality to Microsoft graph instead of MSOnline. However, if you see it working, then it should be just fine.