Is there a way to reset the 2FA grace period in M365?

Velvis
I am in the middle of reinstalling Office for a user whose account doesn't have 2FA set up (she said it was, but when I try to log in to portal.office.com it requires downloading Authenticator). She is unavailable today and honestly very limited tech-wise anyway.

Is there a way I can reset the grace period so I can log in to her account and redownload and set up a fresh copy of Office?
 
I go into Azure...switch their contact phone to a cell we have at the office, and then log in as the user, "can't use my auth now..."...select SMS our office cell phone...boom, I'm in. Switch back to end user after getting squared away.
 
In Azure you can also check the account's authentication methods, remove what's there, and then flag the account for reenrollment. If you do that and reset the password, it'll force you into the MFA configuration process on next login and there's a not now button to start the one or two week grace period.

THAT BEING SAID...

You should never need the user's account to "install office". That's what the Office Deployment Tool is for. https://config.office.com to make the XML you need, and you can install whatever M365 environment you need on any system without ever logging in.

Now if you're trying to tune her desktop environment for her, then you're going to have to do what Stonecat suggests and enroll another authenticator on her account while resetting her password so you can log in as her, and then go back later and enroll her phone.

Side note, I disable SMS as an authenticator option. That crap is too much of a problem.
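The Office Deployment Tool route described above, as an added example (not code from the thread or from Microsoft): the script writes the same kind of configuration XML that https://config.office.com produces and runs setup.exe against it from an elevated admin session, so the user's Microsoft 365 credentials are never needed for the install. The ODT path, product ID, channel and language are assumed example values.

```powershell
# Added example: install Microsoft 365 Apps with the Office Deployment Tool (ODT)
# without signing in as the user. Assumes setup.exe from the ODT download has
# been extracted to $OdtDir and the machine can reach the Office CDN.
$OdtDir     = 'C:\ODT'                               # assumed path to extracted ODT
$ConfigPath = Join-Path $OdtDir 'configuration.xml'

# Example configuration (product, channel and language are example choices).
$ConfigXml = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
# Write without a BOM so setup.exe reads it cleanly.
[System.IO.File]::WriteAllText($ConfigPath, $ConfigXml)

# Sanity-check that the XML parses and names a product before running setup.
[xml]$parsed = Get-Content -Path $ConfigPath -Raw
if (-not $parsed.Configuration.Add.Product.ID) {
    throw "configuration.xml has no Product ID"
}

# Run from an elevated prompt. No user account is involved here; the user
# activates Office later by signing in to an Office app herself.
$setup = Join-Path $OdtDir 'setup.exe'
& $setup /configure $ConfigPath
if ($LASTEXITCODE -ne 0) {
    throw "ODT setup.exe exited with code $LASTEXITCODE"
}
```

Because the install runs under the admin's own session, there is no reason to reset the user's password or touch her MFA registration just to put Office on the machine; those steps are only needed if you must sign in as her to tune her profile.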
 
The issue is that when using her computer I log in to portal.office.com with her credentials and then it says "More information required: your organization needs more information to keep your account secure" and brings me to a pop-up with info to download the MS Authenticator app. There is no opportunity to not use the Authenticator app.
 
So I reset the methods and used my authenticator temporarily, and I was able to log in and reinstall Office.

I will check out the Office Deployment Tool.

Also, while messing around with this I noticed that the page located at account.activedirectory.windowsazure.com says multifactor authorization is disabled for all users, which seems odd since it seems enabled.
 
All M365 tenants get an Azure AD instance that backs them up, which you can control via the Azure Portal. That Azure AD instance has Security Defaults enabled by default, and Security Defaults enforces MFA on all user accounts.

You can configure the behavior of MFA from the M365 Admin portal, Users -> Active Users. At the top of the active users list, is a Multi-Factor Authentication button. Clicking it takes you here: https://account.activedirectory.win...tifactorVerification.aspx?BrandContextID=O365

This page will show everything disabled, but the enabled / disabled bits do not matter if Security Defaults are enabled. They also do not matter if Security Defaults are disabled, and Conditional Access enables MFA. However, at the top of this screen is a title bar that says "multi-factor authentication", under that are two tabs, users and service settings. These two tabs on a glance do NOT appear clickable... but they ARE!

And that Service Settings tab is where the configuration of how MFA works is set. Again assuming you do not have Conditional Access.

I disable calls to phones and text messages to phones. I leave the bottom two. I do not want users mucking about with security codes flying around; I want them using push notifications so they can swap over to phone sign-on, which I believe has to be enabled separately in Azure AD. I always forget... but I also always check it when I bring someone new on board. Once a user has used phone sign-on once, they will NEVER GO BACK. And that's good, because it means they FORGET THEIR PASSWORDS, which is also GREAT. What's forgotten cannot be stolen.
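The point made above, that the legacy per-user MFA page can read "disabled" while Security Defaults or Conditional Access still enforce MFA, is easy to confirm from the command line. This is an added example using the Microsoft Graph PowerShell SDK, not code from the thread; it checks the three places MFA enforcement can come from and lists what one user has registered (the "check the account's authentication methods" step from earlier in the thread, read-only). The user principal name is an assumed example, and the final check reads the modern authentication methods policy rather than the legacy service settings tab the post refers to.

```powershell
# Added example: where does MFA enforcement in this tenant actually come from?
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and an
# account allowed to read policies and user authentication methods.
$Upn = 'user@example.com'    # assumed example UPN

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Security Defaults: when enabled, MFA applies to everyone regardless of the
#    per-user enabled/disabled flags on the legacy MFA page.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access policies that are enabled and grant access only with MFA.
$caMfa = @(Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' })
"Enabled CA policies requiring MFA: $($caMfa.Count)"
$caMfa | ForEach-Object { "  - $($_.DisplayName)" }

# If neither applies, the only thing left is the legacy per-user MFA state,
# which is exactly what the page at account.activedirectory.windowsazure.com shows.
if (-not $sd.IsEnabled -and $caMfa.Count -eq 0) {
    Write-Warning 'Neither Security Defaults nor Conditional Access enforces MFA; only per-user MFA state applies.'
}

# 3. What this user has registered. The @odata.type of each method tells you
#    whether it is Microsoft Authenticator, a phone/SMS method, FIDO2, etc.
"Registered methods for $Upn :"
Get-MgUserAuthenticationMethod -UserId $Upn |
    ForEach-Object { "  $($_.AdditionalProperties['@odata.type'])" }

# 4. Is SMS enabled as a tenant-wide method? (Modern authentication methods
#    policy; the legacy service-settings tab is a separate setting.)
$sms = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Where-Object { $_.Id -eq 'Sms' }
"SMS method state in authentication methods policy: $($sms.State)"
```

Run it before and after changing Security Defaults or a Conditional Access policy: if step 1 or step 2 reports enforcement, the "disabled" label on the legacy per-user page is irrelevant, which is why the page in the earlier post looked wrong while MFA was clearly being prompted for.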
 