Why aren’t you using MFA yet?

Microsoft strongly recommends enabling MFA for all Entra ID users to protect the environment against attackers and avoid a breach. A breach can cause considerable damage to the company, from reputational harm to large fines.

The latest figures from Microsoft Threat Intelligence research show that more than 99% of attacks are password attacks. Microsoft alone registers 7,000 password attacks per second!

Beyond passwords, attackers also target MFA itself: swapping SIM cards, abusing insecure MFA settings, running adversary-in-the-middle attacks, or bombarding a user with MFA prompts until they get annoyed and approve one.

Managing these settings can be a hurdle, especially when a user loses or changes a device, or when the company decides to change the available methods, for example removing SMS or voice call from the list of options because they are less secure. If an attacker is trying to break into an account, or has already compromised an account in Entra ID, the administrator must act immediately and reset the MFA settings on that account.

Resetting the MFA sounds easy, but …

When you need to reset a user's MFA, there are two ways to do it: in the Entra ID Admin Center, which is the favored option, or by using the Graph API.

To manage MFA settings in the Entra ID Admin Center, either the Authentication Administrator or the Privileged Authentication Administrator role is required. Both roles grant the assigned user more permissions than are needed just to reset a user's MFA settings; the Privileged Authentication Administrator role in particular is far more extensive.

Using the Graph API requires more skill than working in the Admin Center, and a mistyped or incorrect command can cause problems of its own. If an administrator is not experienced with the Graph API, finding out why something does not work as expected can be very time consuming, and the error messages are not always understandable.
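The Graph API route the text describes, as an added example that is not code from the original post or from One Identity: it lists a user's registered authentication methods, deletes every removable one (the password method cannot be deleted), and optionally revokes existing sign-in sessions and issues a Temporary Access Pass (TAP). It assumes the Microsoft.Graph PowerShell SDK is installed and, for `-IssueTap`, that the tenant's TAP method policy is enabled; the UPN and the 60-minute lifetime are constructed values.

```powershell
# Added example, not from the original post or from One Identity.
# Resets a user's MFA methods over Microsoft Graph with the Microsoft.Graph SDK
# (Install-Module Microsoft.Graph.Authentication). -IssueTap needs the TAP policy enabled.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

function Reset-UserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserId,  # UPN or object id
        [switch] $RevokeSessions,                 # also invalidate existing sign-in sessions
        [switch] $IssueTap                        # also create a one-time Temporary Access Pass
    )
    $base = "https://graph.microsoft.com/v1.0/users/$UserId/authentication"

    # Each registered method is deleted from the Graph collection matching its
    # @odata.type. The password method is deliberately absent: Graph never deletes it.
    $collections = @{
        '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
        '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
        '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
        '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
    }
    $methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/methods").value
    foreach ($m in $methods) {
        $coll = $collections[$m.'@odata.type']
        if (-not $coll) { continue }   # e.g. passwordAuthenticationMethod
        try {
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/$coll/$($m.id)"
        } catch {
            # Surface the Graph error instead of silently leaving a method registered
            Write-Warning "Could not remove $coll/$($m.id): $($_.Exception.Message)"
        }
    }
    if ($RevokeSessions) {
        # Removing methods does not end a session an attacker already holds.
        Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$UserId/revokeSignInSessions" | Out-Null
    }
    if ($IssueTap) {
        # One-time, 60-minute pass (constructed values); the secret is returned only once.
        $body = @{ lifetimeInMinutes = 60; isUsableOnce = $true }
        return (Invoke-MgGraphRequest -Method POST -Uri "$base/temporaryAccessPassMethods" -Body $body).temporaryAccessPass
    }
}

# Constructed sample invocation
Reset-UserMfa -UserId 'jane.doe@contoso.example' -RevokeSessions -IssueTap
```

The returned TAP should be handed to the user out of band, since Graph does not show it again.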

Beyond the purely administrative issues, time is also a challenge. Globally active companies, the widespread move to remote work from home during Covid, and workforces spread across many locations all create a need for more flexible and faster ways to carry out tasks such as an MFA reset.

Why use Active Roles to reset your MFA?

Easily delegate the permission (Zero Trust) - The right to reset a user's MFA can be delegated to anyone in the company, even to the end user if required. A Temporary Access Pass (TAP) can also be generated.

Streamlined responsibility distribution and grouping - Easier grouping of which users are allowed to change the MFA settings, e.g. by country or department.

More efficient processes and faster response - The permission can also be delegated to non-IT users, even directly for some critical users. No need to wait: 24/7 worldwide support becomes possible.

No coding skills or heightened permissions required - Reset MFA easily without coding skills and without being a member of any of the Entra ID administration groups.

Simplified compliance reporting using change history - Central reporting of all actions in Entra ID and also in Active Directory for all objects.

One Identity Active Roles can manage both Active Directory and Entra ID together from one single console. With Active Roles, a true Zero Trust least privilege model can be implemented easily. In addition to providing proxy security in front of Active Directory and Entra ID, Active Roles also offers automation functions and self-service. Tasks can be delegated very granularly, not only to any IT employee but even to normal users, without adding them as members of highly authorized groups. This reduces the risk that users hold too many permissions, or permissions at a higher level than they need. It also avoids the case where an employee who needed a privileged activity only for a short time is forgotten and stays in the group: the access can be removed as soon as those privileges are no longer needed.

Active Roles not only offers the possibility to delegate the authorization to reset MFA settings; users can also be placed in a group whose MFA settings an authorized user group is allowed to reset.

In addition, the creation of the Temporary Access Pass can be delegated in the same way as resetting the MFA settings.

Any user with the appropriate delegated permissions can view the details of the created Temporary Access Pass.

In summary

One Identity Active Roles can secure, automate and simplify all relevant activities in Microsoft Active Directory as well as in Entra ID. Tasks such as resetting MFA for users can be easily delegated to non-IT personnel in a much more granular way. Permissions and functions can be delegated instead of making users members of highly privileged groups. This prevents the scenario where users are not removed when the privileges are no longer needed, which is a security risk. In a security event, everyone with the appropriate delegated privileges can reset MFA settings for any account to avoid becoming a victim of an attack.

In addition, recurring tasks can be automated to keep the status of the directories up to date, giving administrators and security officers peace of mind.
