How to enable Reset MFA on Termination

This section explains how to enable Reset MFA functionality under Termination in Entra and Hybrid AD workflows.

  • Required Roles and Permissions
  • Configure Workflow to Enable Reset MFA on Termination

Required Roles and Permissions

The following are the roles and permissions required by Hire2Retire to successfully reset MFA on Termination.

Customer Owned Application

Application Permission

Set up application permissions for any application that needs to authenticate itself without the user's help or consent. To authorize a registered application to access the Microsoft Graph API, navigate to API permissions > Add a permission > Microsoft APIs > Microsoft Graph > Application permissions.

RoboMQ needs the following permissions on your registered application to provide a seamless integration experience:

Scopes | Explanation
UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods

Figure 1. Adding UserAuthenticationMethod Permission to Entra Application

Service Provider Application

The Entra ID application on Hire2Retire uses OAuth authorization. By linking your Entra ID account with Hire2Retire, you authorise the RoboMQ application to have delegated access on your behalf. A consent window is shown whenever Hire2Retire requires a new resource access permission. RoboMQ needs the following permissions on your account to provide a seamless integration experience:

Scopes | Explanation
UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods

Roles

Entra ID roles provide the privileges required for various Entra ID actions.

Role | Description
Authentication Administrator | Can view, set, and reset authentication method information for any non-admin user.

How to give Authentication Administrator Role

Follow these steps to assign the Authentication Administrator role:

  1. Log in to the Entra ID portal and open the user to whom you want to assign the Authentication Administrator role. Click the Assigned Roles option on the left-hand side.

    Figure 2. Shows Assigned Role option on Entra ID portal

  2. Click the Add assignments option.

    Figure 3. Shows Add Assignment option on Entra ID portal

  3. Search using filters or enter 'Authentication Administrator' in the search bar.

    Figure 4. Shows Authentication Administrator Role on Entra ID portal

  4. Select 'Authentication Administrator' and click the 'Add' button.

    Figure 5. Add Authentication Administrator Role to the user

Configure Workflow to Enable Reset MFA on Termination

  1. Visit Hire2Retire and navigate to the workflow where you want to enable the Reset MFA functionality.
  2. Click on the Lifecycle Business Rules page under the Identity Tab.

    Figure 6. Lifecycle Business Rules.

  3. Under the Termination lifecycle, select the checkbox labeled Reset MFA on Termination.

    Figure 7. Select Reset MFA on Termination.

  4. If the service account or application does not have the required permissions, the checkbox will be disabled and Hire2Retire will display a warning indicating permissions or roles are missing.

    Figure 8. Required roles/permissions are not present.

  5. Once the required permissions or roles are assigned to the service account or application, refresh the page.
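
When the checkbox stays disabled, one way to see which prerequisite is missing is to inspect the claims of an access token issued for the integration. The following is an added example, not Hire2Retire or RoboMQ code: it assumes the token is a JWT in which application permissions appear in the roles claim, delegated permissions in the scp claim, and the signed-in account's directory roles in the wids claim. The sample tokens are constructed and unsigned.

```python
import base64
import json

PERMISSION = "UserAuthenticationMethod.ReadWrite.All"
# Role template ID of the built-in Authentication Administrator role.
AUTH_ADMIN_TEMPLATE_ID = "c4e39bd9-1100-46d3-8c65-fb160da0071f"


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def missing_for_reset_mfa(claims):
    """List the prerequisites named on this page that the token does not show."""
    missing = []
    if "scp" in claims:  # delegated token (service provider application)
        if PERMISSION not in claims["scp"].split():
            missing.append("delegated scope " + PERMISSION)
        # Assumption: the token carries the signed-in account's roles in 'wids'.
        if AUTH_ADMIN_TEMPLATE_ID not in claims.get("wids", []):
            missing.append("Authentication Administrator role")
    elif PERMISSION not in claims.get("roles", []):  # app-only token
        missing.append("application permission " + PERMISSION)
    return missing


def sample_token(claims):
    """Build an unsigned token from constructed claims (demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    constructed = {
        "app-only, permission granted": {"roles": [PERMISSION]},
        "app-only, permission missing": {"roles": ["User.Read.All"]},
        "delegated, scope but no role": {"scp": "User.Read " + PERMISSION},
        "delegated, scope and role": {"scp": PERMISSION, "wids": [AUTH_ADMIN_TEMPLATE_ID]},
    }
    for label, claims in constructed.items():
        gaps = missing_for_reset_mfa(jwt_claims(sample_token(claims)))
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The check only looks for the single role this page names, and decoding without signature verification is suitable for troubleshooting your own token, not for making authorization decisions.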