MFA – OKTA and Microsoft Authenticator

 

Audience – Tier 1, Tier 2, DEPOT, Cloud

 

Description:

          This guide explains the MFA in use and troubleshooting it.

 

Procedure:


User must be verified before proceeding: Make sure you are verifying user before resetting any security factor (password or Okta/MFA) verify number on file (have them provide to you, if they can't verify, you can call them at the listed number in their okta profile. 

 

If there is no number on file verify manager and department.

 

Mirum mainly uses OKTA but some users may also have Microsoft authenticator for MFA.

 

Should a user call/email about being locked out of OKTA:

  1. Open mirumpharma.okta.com in a web browser.
  2. In the OKTA Admin Console, navigate to Directory > People
  3. Locate the user you'd like to reset MFA for
  4. Select More Actions in the top right area of the User Profile 
  5. Select Reset Multifactor
  6. You'll then see the available Multifactor to reset.
  7. Click More Actions and select Clear User Behavior.
  8. Once reset, the user will be prompted to re-enroll in your MFA policy the next time they log in.

 

Should a user call/email about resetting Microsoft Authenticator

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users > All users.
  3. Choose the user you wish to perform an action on and select Authentication methods. At the top of the window, then choose one of the following options for the user:
    1. Require Re-register MFA makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method.
    2. Note
    3. The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable.
    4. Revoke MFA Sessions clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.
  4. You can also update the user's MFA phone number from here as well.

Escalations:

If an escalation is necessary, please escalate to Tier 2 as the first POC, if Tier 2 is unavailable please escalate to SME.