How Admins can Manage MFA

TruGrid does not recommend ever turning off MFA (Multi-Factor Authentication). A username and password alone is not secure in today's world. However, TruGrid provides the option to turn off MFA if you choose to accept the risk. If you do decide to turn off MFA for a user, the "Remember Me" option will no longer show for the user, to save their password.

Overview

This feature allows domain administrators to manage MFA for AD users reported from the TruGrid Sentry agent (in other words, non Azure AD users). If users are authenticating via Azure AD, they can utilize the built-in MFA provided by Azure AD.

What can be done

- Reset MFA for all AD users in domain or for specific user(s) in domain without resetting a phone number
- Reset MFA for all AD users in domain or for specific user(s) in domain and reset phone number
- Turn ON/OFF MFA for all AD users in domain or for specific user(s) in domain. MFA is required for admin users.

Note that users can also still self-reset their MFA.

How to access this feature

MFA management can be found under Security Management (top right corner dropdown) within the Company Management or Customer Management area. Within Customer Management, you must first select a customer domain.

Company Security Management View

Customer Security Management View

In case, if a domain is not yet connected via a TruGrid Sentry Agent, or is connected via Azure AD, this Security Management section will not be available to select in the dropdown.

If no users are reporting in yet for a domain, then you may see a message saying so. In such case, please investigate why users may not yet be reporting in.

If users are reporting in, you will see the MFA Management tab. This will default to a “View by” of “MFA Enabled”, meaning it will show all users who have MFA enabled, whether or not MFA is completely setup by them yet. If a user has completely setup their MFA, then it will show their MFA phone number they registered, along with the date they set it up. If their MFA was setup prior to the release of this functionality, the date may display as "N/A".

MFA Management Tab

How to adjust MFA

As an admin you can hover your mouse over a user who has MFA setup and a button called “Manage MFA” appears.

You can now choose to Disable MFA or Reset MFA (for those who has MFA setup already). MFA cannot be disabled for Admin users.

If you hover over a user who does not yet have MFA set up, then a button “Disable MFA” appears. If you select Disable MFA, a confirmation prompt will show, once you confirm this the user will no longer be required to setup or use MFA when they login going forward and the user will be moved to the "MFA Disabled" list.


If you select to "Reset MFA", then a different confirmation prompt will appear. By default when we Reset MFA, we also reset the phone number. If this option is kept selected, this means with the next login, the user will be required to follow the full MFA setup process (QR code scan + phone number) to be able to login. If this option is deselected, then the next time the user logs in, they will only need to scan the QR code to setup MFA and login. Once MFA is reset, the user is placed into the "MFA in Reset Mode" list.


If you select one or more check boxes to manage MFA for one or more users, the View By option will be replaced with the number of selected users and then buttons called Delesect and "Manage MFA" or "Disable MFA" buttons will show.

If you have selected users that have both options available, it will show you a "Manage MFA" option. If only users with "Reset MFA" options are available, then it will show a "Disable MFA" option.


You can switch between View By options using the dropdown.



Reference:
User MFA Self-Reset
Forgot Password
Admin MFA Requirements

Updated on: 17/01/2024