Office 365: Grant MFA Delegation to helpdesk

Currently there is no admin role that delegates the MFA reset action to a help desk team. Only a Global Administrator has the privilege required to perform this action from the Azure portal. In a previous article we looked at how to delegate this reset by creating an automation account and integrating it with Microsoft Flow. That is a good option, but there is another way: the action can be delegated via AD Manager Plus.

Most organizations already have AD Manager Plus and use its features on their on-premises tenant. It can also execute Office 365 and Azure AD operations in a hybrid environment. In this article we walk through the steps to integrate AD Manager Plus with Azure AD and delegate the MFA reset to the help desk team.

Below are the prerequisites:

  1. The AD Manager Plus server must be present in the domain. A hybrid domain is not strictly required; this works for cloud-only accounts as well.
  2. Outbound connectivity to the Azure IP ranges and URLs is required so that Connect-MsolService can reach Azure AD.
  3. The Azure AD (MSOnline) PowerShell module must be installed on the AD Manager Plus server.
  4. AD delegation must already be assigned to the help desk team with an AD management role in AD Manager Plus.
  5. A Global Administrator account is required; its password is stored on the AD Manager Plus server as an encrypted credential file protected by a separate key file.

Implementation Steps

First we need to create the key file and the encrypted credential file. The following commands can be used:

# Generate a random 256-bit AES key and save it next to the AD Manager Plus binaries.
$KeyFile = "Z:\ManageEngine\ADManager Plus\bin\AES256.key"
$Key = New-Object Byte[] 32
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | Out-File $KeyFile
# Prompt for the Global Administrator credential and store only the password,
# encrypted with the key above, so the script can decrypt it without a user profile.
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString -Key $Key | Out-File "C:\ManageEngine\ADManager Plus\bin\credential.cred"

Note that a plain-text password will not work here: AD Manager Plus invokes the script in its own session, so the password can only be recovered with the key file. Because anyone who can read both files can decrypt the Global Administrator password, restrict NTFS access to the key and credential files to the AD Manager Plus service account.

Next, place the following script in the AD Manager Plus bin folder as a .ps1 file (it is referenced as mfa.ps1 in the template below).

param($userPrincipalName)
# Every step is appended to a log file so MFA resets done through AD Manager Plus can be audited.
$mfalog = "Z:\ManageEngine\ADManager Plus\bin\MFAActions.log"
Get-Date | Out-File $mfalog -Append
# Rebuild the Global Administrator credential from the key file and encrypted password file.
$Key = Get-Content "Z:\ManageEngine\ADManager Plus\bin\AES256.key"
"`nread the Key File" | Out-File $mfalog -Append
$pswd = Get-Content "C:\ManageEngine\ADManager Plus\bin\credential.cred" | ConvertTo-SecureString -Key $Key
"`nread the password File" | Out-File $mfalog -Append
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList "autoadm@domain.com",$pswd
"`nCreated the password Object" | Out-File $mfalog -Append
Connect-MsolService -Credential $cred
"`nConnected to MSOL" | Out-File $mfalog -Append
# Clearing the StrongAuthenticationMethods collection resets the user's MFA registration.
Set-MsolUser -UserPrincipalName $userPrincipalName -StrongAuthenticationMethods @()
"`nUpdated User $userPrincipalName" | Out-File $mfalog -Append

The script also appends to MFAActions.log in the bin folder, which lets us track the MFA resets performed through AD Manager Plus by the help desk admins.
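As an added example (not the article's own script), here is a hardened variant of the same mfa.ps1 that rejects malformed input, stops on the first error, and verifies that the methods collection is actually empty after the reset. It assumes the same key file, credential file and autoadm@domain.com service account as above; the log line format and the Write-MfaLog helper are my own.

```powershell
# Hardened variant of the article's mfa.ps1 (added example, not the original).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

$bin    = "Z:\ManageEngine\ADManager Plus\bin"
$mfaLog = Join-Path $bin "MFAActions.log"

# Timestamped log lines make the audit trail easier to correlate with Azure AD sign-in logs.
function Write-MfaLog {
    param([string]$Message)
    ("{0:u} {1}" -f (Get-Date), $Message) | Out-File $mfaLog -Append
}

# Reject anything that is not a single, plausible UPN before touching Azure AD.
if ($UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    Write-MfaLog "REJECTED invalid UPN argument '$UserPrincipalName'"
    exit 1
}

try {
    # Same key and credential files as in the article; the key only needs to be readable by this process.
    $key  = Get-Content (Join-Path $bin "AES256.key")
    $pswd = Get-Content "C:\ManageEngine\ADManager Plus\bin\credential.cred" | ConvertTo-SecureString -Key $key
    $cred = New-Object System.Management.Automation.PSCredential ("autoadm@domain.com", $pswd)

    Connect-MsolService -Credential $cred -ErrorAction Stop

    # Record how many methods were registered before clearing them, so the log shows a real change.
    $before = (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop).StrongAuthenticationMethods
    Write-MfaLog "RESET requested for $UserPrincipalName (methods before: $($before.Count))"

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @() -ErrorAction Stop

    # Verify the reset instead of assuming it succeeded.
    $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop).StrongAuthenticationMethods
    if ($after.Count -ne 0) {
        throw "MFA methods still present after reset ($($after.Count))"
    }
    Write-MfaLog "SUCCESS $UserPrincipalName now has 0 registered methods"
}
catch {
    Write-MfaLog "FAILED $UserPrincipalName : $($_.Exception.Message)"
    exit 1
}
```

A non-zero exit code surfaces failures to AD Manager Plus instead of silently logging a success line after a failed connection.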

Now that the Azure AD side is done, open ManageEngine AD Manager Plus and perform the following steps:

  1. Go to AD Mgmt - User Modification Templates - click Create.
  2. Leave all fields on all tabs at their defaults. Navigate to Custom Attributes, select "Run Custom Script on successful user modification", and enter the following script command so AD Manager Plus calls our script with the user's UPN:
    1. PowerShell -File mfa.ps1 %userprincipalname%
  3. Once done, click Save Template.

Once this is complete, the help desk can reset a user's MFA as follows:

AD Mgmt - Modify Single User - search for the affected user - Modify User - Change Template - choose the MFA reset template - click Update User.

The MFA methods will now be cleared for the requested user.

We can also verify the status from a PowerShell session connected to Azure AD:

(Get-MsolUser -UserPrincipalName user@domain.com).StrongAuthenticationMethods

The command should return null, meaning no MFA methods remain registered for the user.