GilFernandez
Copper Contributor
Dec 22, 2022

Verify remote user identity

Hi Everyone, 

 

Right now I am looking for a solution to verify the identity of remote users when they contact the Service Desk to ask for a password reset.

Beyond asking security questions, do you know if Microsoft has a solution (such as the MFA Authenticator) in which the service desk agent asks the user to validate his/her identity through an "Accept" button or asks for a token?

Thanks 

    • brlgen
      Brass Contributor
      As Christian mentions, you can use SSPR for this. But we went a step further. We created a logic app connected to the incident management system. Whenever a user loses access to their MFA device, or in another such scenario, the helpdesk can trigger this logic app by creating a ticket. This sends out a TAP to the user's SSPR email address, which is their private email address. Using the "authentication administrator" role, the logic app could only create a TAP for non-admin users, preventing privilege escalation attacks. Additionally, the helpdesk has no permissions to view or edit these emails; they can only trigger the logic app by creating an incident.
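
The decision logic of the ticket-triggered workflow described in the reply above, as an added example (not part of the thread and not brlgen's logic app). The ticket fields, the `mfa-device-lost` category, the directory records and the TAP lifetime are constructed assumptions; the Microsoft Graph request that creates the TAP is built but not sent.

```python
from dataclasses import dataclass
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

@dataclass
class User:                      # constructed directory record
    object_id: str
    upn: str
    sspr_email: Optional[str]    # private address registered for SSPR
    is_admin: bool

@dataclass
class Ticket:                    # hypothetical incident fields
    ticket_id: str
    category: str
    affected_upn: str
    callback_email: Optional[str] = None   # typed by the agent; never trusted

DIRECTORY = {u.upn: u for u in [           # constructed sample data
    User("00000000-0000-0000-0000-000000000001", "alice@contoso.example", "alice.home@mail.example", False),
    User("00000000-0000-0000-0000-000000000002", "admin@contoso.example", "root.home@mail.example", True),
    User("00000000-0000-0000-0000-000000000003", "bob@contoso.example", None, False),
]}

def plan_tap(ticket: Ticket, directory=DIRECTORY, lifetime_minutes: int = 60) -> dict:
    """Decide whether a ticket may trigger a TAP and where it is delivered."""
    def deny(reason):
        return {"action": "deny", "ticket": ticket.ticket_id, "reason": reason}
    if ticket.category != "mfa-device-lost":
        return deny("ticket category does not allow TAP issuance")
    user = directory.get(ticket.affected_upn.lower())
    if user is None:
        return deny("unknown user")
    if user.is_admin:            # second check on top of the role's own limit
        return deny("admin accounts are out of scope for this workflow")
    if not user.sspr_email:
        return deny("no SSPR email registered")
    url = f"{GRAPH}/users/{user.object_id}/authentication/temporaryAccessPassMethods"
    return {
        "action": "issue",
        "ticket": ticket.ticket_id,
        "request": {"method": "POST", "url": url,
                    "json": {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": True}},
        # Destination comes from the directory only, never from the ticket.
        "deliver_to": user.sspr_email,
        "flag_for_review": bool(ticket.callback_email)
                           and ticket.callback_email.lower() != user.sspr_email.lower(),
        # What the agent sees: no TAP value and no address.
        "ticket_note": "TAP sent to the user's registered private address.",
    }
```

A ticket that carries a different contact address still results in delivery to the registered one, and the mismatch is flagged so the incident can be reviewed.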
    • GilFernandez
      Copper Contributor
      Thanks,
      Do you know if the use of SSPR applies if the user forgets the Windows login password?

    • JSpieser
      Copper Contributor
      Works for passwords... so long as MFA is set up. There doesn't seem to be any real solution provided by Microsoft to verify the identity of users who need to change MFA method if their most recent registered method is no longer usable or available.

      Question remains-- how to validate users calling in?
  • Hackupuncturist
    Copper Contributor

    Traceless.io is the easiest way to do this that I have seen, GilFernandez!!! It allows verification in many ways, including Duo, and sending/receiving data and files that self-delete, so no data-at-rest issues, and it integrates into our ticketing and Slack.
