Use Case

This article will cover how to get into a user's MFA authentication settings so that you can remove, add, or modify existing authentication methods they have tied to their account.
Situations where you MAY need to use this:

• A user has gotten a new cellphone
• A user has gotten a new cellphone number
• A user has gotten a new office number
• To revoke existing MFA sessions
• To require a user to re-register for MFA
• User registered with the wrong phone number
• Or any number of issues with their initial device registration...

Identity Verification

• Should go without saying at this point but PPS ID verification is required before making ANY changes to a user's MFA authentication methods.

Accessing MFA Authentication Methods

• To Access a User's authentication settings,
  • Please visit the Azure Portal, your OUadmin credentials (or some other admin credentials) will be required.
  • Click "View" under Manage Azure Active Directory
  • Left side of screen, click on "Users"
  • Or you can just open this link in a new tab.
• Search the username/alias in the "Search Users" field, and click on the account when you find it
  NOTE: AzureAD is a bit more flexible than other ADs we use, so you may be able to just search the name.
• Under the "Manage" heading in the left side-bar, click on Authentication Methods
• A user can DIRECTLY access these settings themselves, assuming they can log in, via this page: https://mysignins.microsoft.com/security-info

Modifying MFA Authentication Methods

Once you're on a user's authentitication methods page, there's a couple different things you can do.

• Add authentication Method
• Reset Password <DO NOT DO THIS>
• Require re-register for MFA
• Revoke MFA Sessions
• Remove Authentication Methods
• Modify Authentication Methods

User has accidentally blocked their account

• When setting up, user may accidentally deny their own set up attempt.  This blocks their account and they will no longer be able to set up MFA.
• To find out if they have blocked themselves, go here:

1. Start at Azure Directory and click on Security

2.  On the following Menu, select MFA

3. Select Block/Unblock Users

You will now have a list of all user's that have blocked their accounts by denying an MFA log in attempt.  We currently have no access to unblock them, and the ticket must be sent to ITaP Collaboration as a work impaired Incident ticket.  Placing them on the MFA Exempt list does not override the MFA requirement even as a temporary workaround.  You can also just use this link to go directly to the MFA blocked users list: https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/BlockedUsers/fromProviders/

...to be continued