Azure: Grant MFA delegation to helpdesk through automation run book and Microsoft Flow

When a user with MFA enabled loses their mobile phone, they can no longer sign in on new devices, or on old devices whose token lifetime has expired.

Currently, in this scenario, the user has to contact the help desk team. Unfortunately, only global admins can perform the forced MFA reset for the user, which sets the StrongAuthenticationMethods value to null and clears the old, lost device.

There is a workaround that can be used until we get a delegated RBAC role for this action. With an Azure Automation account, create a runbook, integrate it with a Microsoft Flow and delegate the flow to the help desk admins; this reduces the load on the global admins who would otherwise perform the reset.

Prerequisites:

  1. Create a new Automation account from the Azure portal. An Azure subscription is required; 500 minutes of job run time are free every month.
  2. Create a new flow from the global admin account. This action needs to be performed from the global admin account.
  3. Enter the global admin credentials in the created automation account. Very important: the account used to execute the runbook must not have MFA enabled.
  4. Import the MSOnline module from the gallery.

Create Azure Automation Account –

Proceed to https://portal.azure.com – Create an automation account.

https://exchangequery.files.wordpress.com/2019/02/image.png?w=600

Now add the msonline module-

Add the MSOnline module – Access the Azure Automation account and click Assets > Modules – Add the MSOnline module.

https://exchangequery.files.wordpress.com/2019/02/image-1.png?w=600

We can see the MSOnline modules are imported successfully.

https://exchangequery.files.wordpress.com/2019/02/image-2.png?w=600

Enter Global Admin Credentials in the Created Automation account –

Click on Automation accounts – Credentials – enter the global admin credentials. Then add the runbook script shown below.

These are the global admin credentials that execute the automation when the workflow is triggered from a delegated helpdesk admin account.

https://exchangequery.files.wordpress.com/2019/02/image-4.png?w=600

Now add the script which is required to execute this operation.

https://exchangequery.files.wordpress.com/2019/02/image-5.png?w=600

Param
    (
        [Parameter (Mandatory= $false)]
        [String] $UserEmail = ""
    )

# Fail the job if no user was passed in, rather than calling Set-MsolUser with an empty UPN
if ([string]::IsNullOrWhiteSpace($UserEmail)) { throw "The UserEmail parameter is required." }

# Credential asset stored in the automation account (the global admin account without MFA)
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# This command resets the MFA by clearing the user's registered strong authentication methods
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# This command resets the password with a forced change at next login (left disabled)
#Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true

After adding the above, publish the runbook.
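Because the runbook runs under a global admin credential and accepts any UPN as input, anyone allowed to trigger the flow can clear MFA on any account in the tenant, including the admins themselves. The following is an added, hardened version of the runbook (it is example code, not the script from the post): it makes the parameter mandatory, confirms the target user exists, refuses to touch members of the Company Administrator role, records the methods that were registered before the reset in the job output, and verifies the result. It assumes the same 'TestDemo' credential asset and the MSOnline module from the post; the role name used in the guard is the MSOnline name for global admins, and the list can be extended.

```powershell
# Added example: hardened MFA-reset runbook. Not the blog's script.
# Assumes: credential asset 'TestDemo' (as in the post), MSOnline module imported.
Param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]   # reject anything that is not shaped like a UPN
    [string] $UserEmail
)

$ErrorActionPreference = 'Stop'   # any failure below fails the job instead of continuing

$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# 1. Make sure the target exists before changing anything (throws if not found).
$user = Get-MsolUser -UserPrincipalName $UserEmail

# 2. Guard: never clear MFA on a directory-role holder through the helpdesk flow.
#    'Company Administrator' is the MSOnline name for the Global Administrator role;
#    add further role names here if other privileged roles should be protected.
$protectedRoles = @('Company Administrator')
foreach ($roleName in $protectedRoles) {
    $role    = Get-MsolRole -RoleName $roleName
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($members.ObjectId -contains $user.ObjectId) {
        throw "Refusing to reset MFA for '$UserEmail': the account is a member of '$roleName'."
    }
}

# 3. Record what was registered before the reset so the job output is an audit trail.
$before = ($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
if (-not $before) { $before = '(none)' }
Write-Output "[$(Get-Date -Format o)] Resetting MFA for $UserEmail; methods before reset: $before"

# 4. The actual reset: clear the user's strong authentication methods.
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# 5. Verify the change took effect and report it.
$after = (Get-MsolUser -UserPrincipalName $UserEmail).StrongAuthenticationMethods
if ($after.Count -ne 0) {
    throw "MFA reset for '$UserEmail' did not clear all methods ($($after.Count) remaining)."
}
Write-Output "[$(Get-Date -Format o)] MFA methods cleared for $UserEmail"
```

The role guard is the important part from a delegation standpoint: the flow effectively turns a helpdesk button into a global admin action, so the runbook itself has to enforce the scope that the missing RBAC role would otherwise provide. Writing the before/after state to the job output also means the verification step later in this post shows what was actually changed, not just that the job completed.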

https://exchangequery.files.wordpress.com/2019/02/at4.png?w=600

Now we need to create the flow from the global admin account to execute this action.

Head over to Flow (https://flow.microsoft.com) and provision a new personal flow. Click New flow – Create from blank.

https://exchangequery.files.wordpress.com/2019/02/at5.png?w=600

Choose – Flow Button for Mobile – Manually trigger a flow. Select the automation account and type UserEmail as the input for the flow.

https://exchangequery.files.wordpress.com/2019/02/image-6.png?w=600

Navigate to Triggers – Select Manually trigger a flow.

https://exchangequery.files.wordpress.com/2019/02/image-7.png?w=600

Type UserEmail as the flow input – Click on New step – Add an action.

https://exchangequery.files.wordpress.com/2019/02/image-8.png?w=600

Click on Choose an action – Select Azure Automation – Create a Job – Provide the required credentials and subscription details.

https://exchangequery.files.wordpress.com/2019/02/at9.png?w=600

Provide the required credentials and subscription details.

https://exchangequery.files.wordpress.com/2019/02/at10.png?w=600

This part is very important: we need to select the input as UserEmail, as below.
This parameter is required for the runbook to execute the operation. After that, we can see that the Runbook Parameter is UserEmail.

Now we can see that the flow is connected to the Azure Automation account.

https://exchangequery.files.wordpress.com/2019/02/image-9.png?w=600

Now navigate to My Flows – Select the new flow – Click on Run now.

https://exchangequery.files.wordpress.com/2019/02/image-11.png?w=600

https://exchangequery.files.wordpress.com/2019/02/image-10.png?w=600

We can see that the flow starts successfully and executes the requested operation of resetting the user's MFA value to null.

https://exchangequery.files.wordpress.com/2019/02/image-13.png?w=600

The jobs can also be reviewed in the automation account for verification; they show as completed successfully.

https://exchangequery.files.wordpress.com/2019/02/image-12.png?w=600
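Clicking through the portal works for a one-off check, but a security team will want to review every MFA reset the helpdesk has triggered. The following added script (not from the post) pulls the last seven days of jobs for the runbook with the Az.Automation module and lists when each ran, its status and which UPN was passed in. The resource group, automation account and runbook names are placeholders; the job object's StartedBy and JobParameters properties are the ones I rely on for the report.

```powershell
# Added example: weekly review of MFA-reset runbook jobs. Not from the post.
# Assumes: Az.Accounts and Az.Automation modules installed, and an account with
# read access to the automation account. Names below are placeholders.
$resourceGroup     = 'RG-PLACEHOLDER'
$automationAccount = 'AA-PLACEHOLDER'
$runbookName       = 'RUNBOOK-PLACEHOLDER'

Connect-AzAccount | Out-Null

# Pull every job for this runbook started in the last 7 days (any status,
# so failed or suspended attempts are visible too).
$jobs = Get-AzAutomationJob -ResourceGroupName $resourceGroup `
                            -AutomationAccountName $automationAccount `
                            -RunbookName $runbookName `
                            -StartTime (Get-Date).AddDays(-7)

$report = $jobs |
    Sort-Object StartTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            StartTime = $_.StartTime
            Status    = $_.Status
            StartedBy = $_.StartedBy                  # identity that created the job
            UserEmail = $_.JobParameters['UserEmail'] # UPN the runbook was asked to reset
        }
    }

$report | Format-Table -AutoSize

# Flag anything that did not complete, since a failed reset may mean a guard
# in the runbook refused the request and the attempt deserves a look.
$report | Where-Object { $_.Status -ne 'Completed' } |
    ForEach-Object { Write-Warning "Job at $($_.StartTime) for $($_.UserEmail) ended with status $($_.Status)" }
```

Note that every job created through the flow runs under the connection stored in the flow, so the StartedBy column identifies that connection rather than the helpdesk person who pressed the button; to tie a reset back to an individual helpdesk user, pair this list with the flow's own run history in Microsoft Flow.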

From the global admin Flow login, delegate this flow to the helpdesk admins with run-only user permission (Manage run-only users).

https://exchangequery.files.wordpress.com/2019/02/image-14.png?w=600

The actual operation is executed by the global admin account; however, the helpdesk team triggers it through the run-only permissions delegated to them in the created Microsoft Flow.