Runbook: ACT-ResetMFA
This runbook resets a user's Multi-Factor Authentication configuration in Azure Active Directory / Microsoft Entra ID. Use this runbook when users lose their phones, get new devices, or cannot authenticate.
Description
SymphonyDesk orchestrates a secure MFA reset by:
- Removing all registered MFA authentication methods
- Clearing Authenticator app registrations
- Revoking all active refresh tokens
- Logging the event
- Updating the corresponding Jira ticket automatically
This ensures the next login prompts for MFA setup again.
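The sequence above, written out as an added PowerShell example (not SymphonyDesk's own ACT-ResetMFA.ps1): it assumes the Microsoft Graph PowerShell SDK is installed and that Connect-MgGraph has already been run with an identity holding the Graph permissions listed under Requirements. The UPN is validated first because it arrives untrusted from a Jira custom field.

```powershell
param(
    [Parameter(Mandatory)]
    # The UPN comes from a Jira custom field: check its shape before it reaches Graph.
    [ValidatePattern('^[^@\s/]+@[^@\s/]+\.[^@\s/]+$')]
    [string]$UPN
)

# Graph collection that each removable method type lives under. The password
# method is deliberately absent: it is not an MFA factor and cannot be deleted.
$Collections = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}

try {
    $user = Get-MgUser -UserId $UPN -ErrorAction Stop   # fails fast on an unknown user
    $base = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication"

    # Graph refuses to delete the user's default method while other methods remain,
    # so run two passes: the second pass picks up whatever the first could not remove.
    foreach ($pass in 1..2) {
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop |
            Where-Object { $Collections.ContainsKey($_.AdditionalProperties['@odata.type']) }
        if (-not $methods) { break }
        foreach ($m in $methods) {
            $collection = $Collections[$m.AdditionalProperties['@odata.type']]
            try {
                Invoke-MgGraphRequest -Method DELETE -Uri "$base/$collection/$($m.Id)" -ErrorAction Stop
                Write-Information "Removed $collection/$($m.Id) for $UPN" -InformationAction Continue
            } catch {
                if ($pass -eq 2) { throw }   # still failing after both passes: surface it
            }
        }
    }

    # Invalidate refresh tokens so cached or stolen sessions cannot outlive the reset.
    Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

    return @{ status = 'success'; message = "MFA reset completed for $UPN" }
} catch {
    # Same shape as the runbook's error response: status, message and the raw Graph error.
    return @{ status = 'error'; message = 'MFA reset failed'; raw = $_.Exception.Message }
}
```

The returned hashtable mirrors the Success and Error response shapes shown below, so the Jira ticket update can be driven from it directly.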
Required Parameters
| Name | Description | Example |
|---|---|---|
| UPN | UserPrincipalName of the user | "john.doe@contoso.com" |
| IssueKey | Jira Issue Key | "HD-332" |
Example Webhook Payload (From Jira)
{
  "customer": "Contoso",
  "runbook": "ACT-ResetMFA.ps1",
  "issue_key": "{{issue.key}}",
  "params": {
    "UPN": "{{issue.fields.customfield_10200}}"
  }
}
Example Jira Automation Rule
When: Issue transitioned → “Reset MFA”
Then: Send Web Request → SymphonyDesk API
{
  "customer": "Contoso",
  "runbook": "ACT-ResetMFA.ps1",
  "issue_key": "{{triggerIssue.key}}",
  "params": {
    "UPN": "{{triggerIssue.fields.customfield_10200}}"
  }
}
Response Examples
Success
{
  "status": "success",
  "message": "MFA reset completed for john.doe@contoso.com"
}
Error
{
  "status": "error",
  "message": "User not found in Azure AD",
  "raw": "Get-MgUser : Resource not found..."
}
Requirements
- Customer must have Azure App Registration configured
- App must have the following Graph permissions:
  - User.ReadWrite.All
  - Directory.ReadWrite.All
  - AuthenticationMethod.ReadWrite.All
  - offline_access
- SymphonyDesk Runner-Windows must be able to reach:
  - graph.microsoft.com
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2025-01-22 | Initial MFA reset runbook |