When a user with MFA enabled loses their mobile phone, they will not be able to log in on new devices, or on old devices once the token lifetime has expired.

Currently, in this scenario, the user has to contact the help desk team. Unfortunately, only global admins can force a reset of the user's MFA, which sets the Strong Authentication Methods value to null and clears the old, lost device.

There is a workaround that can be used until a delegated RBAC role for this action becomes available. Using an Azure Automation account, creating a Flow that integrates with it, and delegating that Flow to help desk admins reduces the load on the global admins who would otherwise perform this action.

Prerequisites:

  1. Create a new Automation account from the Azure portal. An Azure subscription is required; it provides 500 minutes free every month.
  2. Create a new Flow from the global admin account. This action must be performed from a global admin account.

Create Azure Automation Account –

Proceed to https://portal.azure.com and create an automation account.

Now add the MSOnline module: open the Azure Automation account and click Assets > Modules > Add the MSOnline module.

We can see the MSOnline module has been imported successfully.

Enter Global Admin Credentials in the Created Automation account –

Click on Automation accounts – Credentials – enter the global admin credentials. Then add the script below.

These global admin credentials are what executes the automation when the workflow is triggered from a delegated helpdesk admin account.

Now add the script which is required to execute this operation.



Param
(
    [Parameter (Mandatory = $false)]
    [String] $UserEmail = ""
)

# 'TestDemo' is the name of the credential asset created in the automation account
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# This command resets the MFA (clears all registered strong authentication methods)
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# This command resets the password with forced change at next login (disabled here; enable if required)
#Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true

After adding the script above, publish the runbook.
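Because the runbook runs under global admin credentials while helpdesk users supply the input, a hardened variant of the runbook is worth considering. The following is an added example, not the script from the original post: it validates the UPN, refuses to act on accounts that hold the Company Administrator role, and re-reads the user afterwards to confirm the reset and write an audit line to the job output. The credential asset name 'TestDemo' is assumed to match the asset created above.

```powershell
Param
(
    [Parameter (Mandatory = $true)]
    # Reject anything that does not look like a UPN before touching the tenant
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]
    [String] $UserEmail
)

# Assumed credential asset name; use the name given to the asset in the automation account
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# Stop if the account does not exist rather than silently doing nothing
$user = Get-MsolUser -UserPrincipalName $UserEmail -ErrorAction Stop

# Refuse to clear MFA on global admins: the runbook itself runs as a global admin,
# so a delegated trigger must not be able to strip MFA from a privileged account
$gaRole    = Get-MsolRole -RoleName 'Company Administrator'
$gaMembers = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId
if ($gaMembers.EmailAddress -contains $user.UserPrincipalName) {
    throw "Refusing to reset MFA for privileged account $UserEmail"
}

$before = @($user.StrongAuthenticationMethods).Count
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# Re-read the user and confirm the methods are really gone; the job output is the audit trail
$after = @((Get-MsolUser -UserPrincipalName $UserEmail).StrongAuthenticationMethods).Count
Write-Output ("MFA reset for {0}: methods before={1}, after={2}, at {3}" -f `
    $UserEmail, $before, $after, (Get-Date -Format o))
if ($after -ne 0) {
    throw "MFA reset did not clear methods for $UserEmail"
}
```

The thrown errors surface as a failed job in the Automation account, which the helpdesk sees from the Flow run history while the global admin credentials never leave the runbook.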

Now we need to create the flow from the global admin account to execute this action.

Head over to Flow (https://flow.microsoft.com) and provision a new personal Flow. Click New flow – Create from blank.

Choose the Flow button for mobile trigger (Flow Button for Mobile – Manually trigger a flow), and add UserEmail as an input to the flow.

Navigate to Triggers – select Manually trigger a flow.

Type UserEmail as the flow input, click New step, then Add an action.

Click Choose an action – select Azure Automation – Create job – and provide the required credentials and subscription details.


The flow is now connected to the Azure Automation account.

Now navigate to My Flows – select the new flow – click Run now.

The flow starts successfully and executes the requested operation, resetting the user's MFA value to null.

The resulting jobs can also be viewed on the Automation account for verification; they complete successfully.

From the global admin Flow login, share this flow with the helpdesk admins as run-only users.

The actual operation is executed by the global admin account; the helpdesk team only triggers it through the run-only permission delegated to them on the Microsoft Flow.