As part of our user offboarding workflow, we revoke multifactor authentication sessions, and remove authentication devices for the terminated user. Currently that requires us to access the MS Entra admin portal. In an effort to solely use the Nerdio console for user administration, it would be extremely helpful to have this functionality included within the Nerdio interface.
Managing Entra Authentication Methods
Welcome to the community, Jason Molaison 🙂!
That is an awesome idea and aligns with security best practices!
Just because I'm a curious guy by nature, I have a couple of clarifying questions around this idea.
For your workflow, would you like that to be a single option in the Archive/Disable/Delete wizards or do you have a use-case where you would want those two actions (i.e. Revoke MFA Sessions and Remove Authentication Devices) as separate options?
Additionally, would you want some kind of approvals workflow step so a Tier 1 engineer doesn't accidentally disable the CEO's account without getting the Service Manager to sign off on it?
Next steps:
• We will review your suggestion and update its status during the evaluation process.
• If further clarification is needed, we'll contact you via comments.
We also encourage others to contribute through feedback and voting.
Sorry, I missed Dave’s earlier response / questions.
It would be spectacular if this could be added to the Archive/Disable/Delete Wizard. Currently we do not have a need to use those actions outside of user offboarding.
I was thinking of adding a separate request for an approval workflow. To your point, it would be a good idea to have a separate set of eyes confirm that this destructive action should be taken.
No problem, Jason. I know we all get busy. 🙂
Coming back to think about this again, I could see you wanting to do this type of thing if someone says, “I lost my phone!”, “My MFA Tokens were stolen!”, “Help! I got a new phone and can't log in now.”, etc.
It might make sense to have this as an option from the user action menu, but also include it to the other wizards?
Maybe add an option to generate a Temporary Access Pass for a Risky User (lots of cross-over to this other request)? 🤔
I better stop now before I get super crazy with this.
Do you think my crazy ramblings fit your use-cases, or should we focus on keeping it simple and just worry about user-offboarding, first?
Dave, you are absolutely correct. We do have those circumstances where we need to one-off reset a user's 2FA authentication method. So yes, it would be useful to have that option in the user action menu. As well, a TAP option would be useful. We do not currently use that feature, but have discussed its potential place. One thought we had was as an initial login option for new users as part of the onboarding process. To use something the user knows, like a partial SS# or DOB. Then the user would be prompted to set a permanent password, removing the need to send out initial passwords to new users. Also, it could be useful for misplaced passwords.
I think you are going down a very productive path, and I like it! We are looking forward to the future enhancements of the product, to make our team more streamlined. Keep 'em coming.
Hi, regarding our MSP, we do use: reset pwd, revoke session, create TAP (+bonus = delete authentication methods). We don't need an approval workflow for that. Regarding the TAP, it's quite important for us; we heavily rely on it. Thanks
Thanks, Jason and Benjamin.
It seems like we're on the right track with this and are getting quite a few votes for it as well.
Let's see what our Product team can do with these ideas. 🤩
As a security remediation, the ability to revoke user sessions, revoke MFA tokens and force re-enrollment of MFA is our normal practice if someone follows through on a phishing link. I would love to have these three as an option in the user actions menu along with the reset password option.
Hey James,
Keep an eye on our next release (6.5) for some movement on those features!
Thanks
Andy Weidner
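
The two actions discussed in this thread, revoking sessions and removing registered authentication methods (for offboarding in the original request, for phishing remediation in James's comment), can be scripted against Microsoft Graph. The following is an added example using the Microsoft Graph PowerShell SDK, not Nerdio functionality and not code from any poster; the `$UserId` parameter, the `Remove-RegisteredMethod` helper and the requested scopes are assumptions.

```powershell
# Added example. Assumes the Microsoft.Graph modules are installed and the operator
# holds an Entra role that may manage this user's authentication methods.
param([Parameter(Mandatory)][string]$UserId)   # UPN or object ID of the affected user

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'

# 1. Revoke sessions: invalidates the user's refresh tokens and browser session cookies.
Revoke-MgUserSignInSession -UserId $UserId | Out-Null

# 2. Map each Graph method type to the cmdlet that deletes it.
#    The password method is deliberately absent: it cannot be deleted, only reset.
$remove = @{
  microsoftAuthenticatorAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $id -ErrorAction Stop }
  phoneAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $id -ErrorAction Stop }
  fido2AuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationFido2Method -UserId $UserId -Fido2AuthenticationMethodId $id -ErrorAction Stop }
  softwareOathAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $id -ErrorAction Stop }
  windowsHelloForBusinessAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $UserId -WindowsHelloForBusinessAuthenticationMethodId $id -ErrorAction Stop }
  emailAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $id -ErrorAction Stop }
  temporaryAccessPassAuthenticationMethod = { param($id)
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -TemporaryAccessPassAuthenticationMethodId $id -ErrorAction Stop }
}

# Hypothetical helper: one removal pass; returns how many deletions were refused.
function Remove-RegisteredMethod {
  $failed = 0
  foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
    $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    if (-not $remove.ContainsKey($type)) { continue }      # e.g. passwordAuthenticationMethod
    try   { & $remove[$type] $m.Id | Out-Null; Write-Host "Removed $type $($m.Id)" }
    catch { $failed++; Write-Warning "Could not remove $type $($m.Id): $($_.Exception.Message)" }
  }
  return $failed
}

# Deleting the user's default method can be refused while other methods are still
# registered, so run a second pass before treating a failure as final.
if ((Remove-RegisteredMethod) -gt 0 -and (Remove-RegisteredMethod) -gt 0) {
  Write-Error "Some methods are still registered for $UserId; review them manually."
}

# 3. Verify: list what remains (normally only the password method).
Get-MgUserAuthenticationMethod -UserId $UserId |
  ForEach-Object { $_.AdditionalProperties['@odata.type'] }
```

For the phishing-remediation case, pair this with a password reset; once the methods are gone, the user has to register MFA again before the next sign-in that requires it.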