Tags: MFA, Microsoft 365, Automation, Identity Management

MFA Reset Automation: Reducing Lockout Tickets by 90%

April 7, 2026 · 8 min read

MFA reset automation is the process of programmatically resetting or re-registering a user's multi-factor authentication methods when they are locked out of their account, using the Microsoft Graph API's authentication methods endpoints. Automated MFA resets reduce the average resolution time from 25–40 minutes to under 60 seconds and can eliminate up to 90% of MFA-related helpdesk tickets.

MFA lockout tickets have quietly become one of the fastest-growing categories in IT support. Three years ago, they barely registered in most organizations' top 10. Today, they are consistently in the top 5 — and climbing. The reasons are structural: more BYOD devices, frequent authenticator app updates that break registrations, and users switching phones without transferring their MFA methods. Every time a user loses access to their second factor, they are completely locked out.

Unlike a password reset, an MFA lockout cannot be solved with self-service. The user cannot verify their identity through MFA to reset their MFA — that is the whole problem. Every one of these tickets requires human intervention, and the average resolution time is 20–35 minutes because of the identity verification step.

Why MFA Lockouts Are Growing

The surge in MFA lockout tickets is driven by four trends that are not going away:

  • Phone upgrades — When a user gets a new phone and restores from backup, the Microsoft Authenticator app often does not transfer correctly. The old device's registration becomes invalid, and the user has no second factor.
  • BYOD expansion — Personal devices are less controlled than corporate devices. Users uninstall apps, factory reset phones, or switch to a different device without notifying IT.
  • Authenticator app updates — App updates occasionally reset the authentication state. Microsoft has improved this, but third-party TOTP apps are less reliable.
  • Security policy changes — Organizations tightening MFA requirements (e.g., requiring phishing-resistant methods, disabling SMS) trigger a wave of re-enrollment issues.
  • Lost or stolen devices — A user whose phone is lost or stolen has no access to their authenticator app and no way to receive SMS codes.

Gartner estimates that MFA-related tickets now account for 20–30% of identity and access management workload in organizations with full MFA enforcement. For a 2,000-user company, that can mean 150–250 MFA tickets per month.

The Manual Process and Its Real Cost

Here is what happens today when an MFA lockout ticket comes in:

  1. User submits a ticket: "I can't log in, my authenticator isn't working" (5 minutes for the user to figure out it is an MFA issue and submit a ticket)
  2. Ticket sits in queue: Average wait time 30–90 minutes depending on staffing
  3. Analyst picks up the ticket: Reads the description, identifies it as an MFA reset (2 minutes)
  4. Identity verification: Analyst must verify the user is who they claim to be. This is the hard part — you cannot use MFA to verify someone who cannot do MFA. Options include manager confirmation, security questions, video call, or callback to a known phone number (10–20 minutes)
  5. MFA method reset: Analyst navigates to the Azure AD / Entra ID portal, finds the user, deletes their authentication methods, and requires re-registration (5 minutes)
  6. User re-enrollment: Analyst walks the user through setting up Authenticator again, or waits for the user to complete it on their own (5–10 minutes)
  7. Ticket documentation and closure: Analyst documents the verification method used and closes the ticket (3 minutes)

Total: 25–40 minutes of analyst time per ticket, plus 35–120 minutes of user downtime. At 200 MFA tickets per month and $35/hour analyst cost, that is $2,900–$4,600/month — $35,000–$55,000/year just for MFA resets.

The Identity Verification Challenge

The reason MFA resets are harder to automate than password resets is identity verification. When you reset a password, the risk is moderate — the user gets a temporary password and must change it. When you reset MFA methods, you are removing the primary security control on the account. If an attacker convinces your helpdesk to reset MFA on a target account, they now control that account completely.

Social engineering attacks targeting IT helpdesks for MFA resets are increasing rapidly. The 2023 MGM Resorts breach started with a helpdesk social engineering call. Any MFA reset process — manual or automated — must include robust identity verification that an attacker cannot easily bypass.

Common verification methods and their trade-offs:

  • Manager confirmation (email or Teams message) — Moderate security, slow (depends on manager response time), but difficult to social-engineer
  • Callback to phone number on file in HR system — Good security if the HR data is accurate, but fails if the user's phone is the one that is lost
  • Video call with photo ID — High security, but does not scale and requires trained staff
  • Security questions — Low security. Should not be used as the sole verification method.
  • Temporary Access Pass — Microsoft's built-in solution. An admin generates a time-limited, one-use passcode that the user enters instead of MFA to re-register their methods. Secure, auditable, and does not require the analyst to be on the call during re-enrollment.

Using Graph API for MFA Method Management

Microsoft Graph API provides endpoints for reading and managing a user's authentication methods. These are the key operations for MFA reset automation:

```http
// List a user's registered authentication methods
GET https://graph.microsoft.com/v1.0/users/{userId}/authentication/methods

// Delete a specific authentication method (e.g., phone)
DELETE https://graph.microsoft.com/v1.0/users/{userId}/authentication/phoneMethods/{id}

// Delete an authenticator app registration
DELETE https://graph.microsoft.com/v1.0/users/{userId}/authentication/microsoftAuthenticatorMethods/{id}

// Create a Temporary Access Pass
POST https://graph.microsoft.com/v1.0/users/{userId}/authentication/temporaryAccessPassMethods
{
  "lifetimeInMinutes": 60,
  "isUsableOnce": true
}
```

The required permission is UserAuthenticationMethod.ReadWrite.All, which is a high-privilege permission. Your app registration should be tightly scoped, and access to trigger MFA resets should be restricted to specific service accounts or automation identities.
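The sequence those endpoints imply (list methods, delete each second factor, issue a TAP) is worth seeing end to end, because the ordering and the failure handling are where automation goes wrong. The example below is added here and is not the post's or Microsoft's code. It maps each method's `@odata.type` to the Graph collection used for `DELETE`, refuses to delete anything it does not recognise, and only creates a Temporary Access Pass once every deletion succeeded. The HTTP call is injected as a callable, so `FakeGraph` (a constructed stand-in for graph.microsoft.com) lets it run offline; the sample method list and ids are also constructed.

```python
"""Worked example, added to this post (not the author's or Microsoft's code): the
MFA reset sequence against the Graph authentication-methods endpoints.
The HTTP call is injected as a callable so the logic runs offline; FakeGraph below
is a constructed stand-in for graph.microsoft.com, not a real client."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph @odata.type -> collection segment under /authentication/ used for DELETE.
# Only types listed here are ever deleted; anything else is reported and left alone.
DELETABLE = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "windowsHelloForBusinessMethods",
    # A user holds at most one TAP, so a stale pass is cleared before a new one is issued.
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": "temporaryAccessPassMethods",
}

# send(method, url, json_body) -> (http_status, json_response)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


@dataclass
class ResetResult:
    deleted: List[str] = field(default_factory=list)   # "collection/id"
    skipped: List[str] = field(default_factory=list)   # password or unrecognised types
    errors: List[str] = field(default_factory=list)
    tap: Optional[str] = None                          # the pass to hand to the user
    tap_lifetime_minutes: int = 0


def reset_mfa(send: Transport, user_id: str,
              lifetime_minutes: int = 60, one_time: bool = True) -> ResetResult:
    """Remove the user's registered second factors, then issue a Temporary Access Pass.
    Identity verification / approval must already have happened before this is called."""
    result = ResetResult()
    status, body = send("GET", f"{GRAPH}/users/{user_id}/authentication/methods", None)
    if status != 200:
        result.errors.append(f"list methods failed: HTTP {status}")
        return result  # never issue a TAP without knowing what is registered
    for m in body.get("value", []):
        otype, mid = m.get("@odata.type"), m.get("id")
        coll = DELETABLE.get(otype)
        if coll is None:  # passwordAuthenticationMethod and anything unknown
            result.skipped.append(f"{otype}/{mid}")
            continue
        st, _ = send("DELETE", f"{GRAPH}/users/{user_id}/authentication/{coll}/{mid}", None)
        if st == 204:
            result.deleted.append(f"{coll}/{mid}")
        else:
            result.errors.append(f"delete {coll}/{mid} failed: HTTP {st}")
    if result.errors:
        return result  # a half-reset account plus a fresh TAP is worse than no TAP
    st, tap = send("POST",
                   f"{GRAPH}/users/{user_id}/authentication/temporaryAccessPassMethods",
                   {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": one_time})
    if st == 201:
        result.tap = tap.get("temporaryAccessPass")
        result.tap_lifetime_minutes = tap.get("lifetimeInMinutes", lifetime_minutes)
    else:
        result.errors.append(f"create TAP failed: HTTP {st}")
    return result


class FakeGraph:
    """Constructed in-memory stand-in for Graph so the example runs offline."""
    def __init__(self, methods: List[dict], fail_deletes: bool = False):
        self.methods: Dict[str, dict] = {m["id"]: m for m in methods}
        self.fail_deletes = fail_deletes
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, url: str, payload: Optional[dict]) -> Tuple[int, dict]:
        self.calls.append((method, url))
        path = url[len(GRAPH):]
        if method == "GET" and path.endswith("/authentication/methods"):
            return 200, {"value": list(self.methods.values())}
        if method == "DELETE":
            if self.fail_deletes:
                return 403, {}
            mid = path.rsplit("/", 1)[-1]
            return (204, {}) if self.methods.pop(mid, None) else (404, {})
        if method == "POST" and path.endswith("/temporaryAccessPassMethods"):
            return 201, {"temporaryAccessPass": "ConstructedTap123", **(payload or {})}
        return 400, {}


# Constructed sample: what GET .../authentication/methods might return for one user.
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "auth-1"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "phone-1"},
    {"@odata.type": "#microsoft.graph.exampleFutureMethod", "id": "fut-1"},  # made-up type
]

if __name__ == "__main__":
    print(reset_mfa(FakeGraph(SAMPLE_METHODS), "user-1"))
```

In production the `send` callable would wrap an authenticated Graph client holding the `UserAuthenticationMethod.ReadWrite.All` permission; keeping it injectable means the reset logic, including the "no TAP after a partial failure" rule, can be tested without that permission ever leaving the automation identity. The `ResetResult` record (what was deleted, what was skipped, the TAP lifetime) is what should be written to the ticket's audit trail.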

Automation Approaches

Approach 1: Semi-Automated with Manager Approval

This is the safest starting point. The automation detects an MFA lockout ticket, identifies the user, and sends a Teams message or email to their manager asking for confirmation. Once the manager approves, the system resets the MFA methods and generates a Temporary Access Pass, which is sent to the user through a secure channel. The analyst is removed from the loop, but a human (the manager) still provides identity verification.

This approach cuts resolution time from 30 minutes to under 5 minutes (mostly waiting for manager response) and removes all analyst time from the process.

Approach 2: Risk-Based Automatic Reset

For organizations comfortable with more automation, a risk-based approach can handle low-risk MFA resets automatically while escalating high-risk ones:

  • Low risk: User is on the corporate network (known IP), has not had an MFA reset in the last 90 days, and the account shows no sign-in anomalies. Auto-reset with Temporary Access Pass.
  • Medium risk: User is off-network but has a clean sign-in history. Manager approval required before reset.
  • High risk: Multiple recent failed sign-ins, unfamiliar location, or account flagged by Entra ID Protection. Escalate to security team — no automated reset.
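As an added example (not the post's or any vendor's code), here is the three-tier triage above written as a decision function over a constructed sign-in context. The corporate address ranges, the 90-day cooldown and the failed sign-in threshold are assumed inputs that an integration would read from its own configuration and from Entra ID sign-in logs and Identity Protection; the choice to send a repeat reset inside the cooldown on an otherwise clean account to manager approval is also an assumption the post does not spell out. High-risk signals are evaluated first and block automation outright, and an unparsable client address is never treated as on-network.

```python
"""Worked example, added to this post (not the author's or any vendor's code): the
three-tier MFA reset triage applied to a constructed sign-in context.
Assumed inputs: corporate CIDRs, the 90-day cooldown, a failed sign-in threshold,
and flags an integration would pull from Entra ID sign-in logs / Identity Protection."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
from typing import List, Optional

CORP_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]  # constructed
RESET_COOLDOWN = timedelta(days=90)
SAMPLE_NOW = datetime(2026, 4, 7, tzinfo=timezone.utc)  # fixed clock for the sample run


def days_ago(n: int) -> datetime:
    return SAMPLE_NOW - timedelta(days=n)


@dataclass
class SignInContext:
    client_ip: str                      # source address of the lockout report / last sign-in
    last_mfa_reset: Optional[datetime]  # None if the user has never been reset
    failed_signins_24h: int
    unfamiliar_location: bool           # as reported by sign-in risk detections
    id_protection_flagged: bool         # user or sign-in flagged by Entra ID Protection


@dataclass
class Decision:
    tier: str           # "low" | "medium" | "high"
    action: str         # "auto_tap" | "manager_approval" | "escalate"
    reasons: List[str]  # written to the ticket's audit trail


def on_corporate_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is treated as off-network, never as trusted
    return any(addr in net for net in CORP_NETWORKS)


def triage(ctx: SignInContext, now: Optional[datetime] = None,
           failed_threshold: int = 5) -> Decision:
    now = now or datetime.now(timezone.utc)
    # Any high-risk signal blocks automation outright; the other inputs are not consulted.
    high = []
    if ctx.id_protection_flagged:
        high.append("account flagged by Entra ID Protection")
    if ctx.unfamiliar_location:
        high.append("sign-in from unfamiliar location")
    if ctx.failed_signins_24h >= failed_threshold:
        high.append(f"{ctx.failed_signins_24h} failed sign-ins in the last 24h")
    if high:
        return Decision("high", "escalate", high)

    recent_reset = ctx.last_mfa_reset is not None and now - ctx.last_mfa_reset < RESET_COOLDOWN
    on_net = on_corporate_network(ctx.client_ip)
    if on_net and not recent_reset:
        return Decision("low", "auto_tap",
                        ["corporate network", "no MFA reset in 90 days", "clean sign-in history"])
    # Clean history but off-network, or a repeat reset within the cooldown: a human confirms.
    reasons = ["clean sign-in history",
               "corporate network" if on_net else "off corporate network"]
    if recent_reset:
        reasons.append("MFA already reset within the last 90 days")
    return Decision("medium", "manager_approval", reasons)


if __name__ == "__main__":
    for ctx in (  # constructed sample contexts
        SignInContext("10.20.30.40", days_ago(200), 0, False, False),
        SignInContext("198.51.100.7", None, 1, False, False),
        SignInContext("10.20.30.40", None, 9, False, False),
    ):
        print(ctx.client_ip, "->", triage(ctx, now=SAMPLE_NOW))
```

The `reasons` list is deliberately part of the return value: whichever tier the ticket lands in, the automation should record why, so that the audit trail shows the same verification logic was applied to every request rather than ad-hoc judgment.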

Temporary Access Pass is the key enabler for safe MFA reset automation. It is time-limited (you set the duration), can be restricted to single use, and is fully audited in Entra ID sign-in logs. It eliminates the need to keep an analyst on the call while the user re-enrolls.

Measuring the Impact

Teams that implement MFA reset automation typically see these results within the first 90 days:

  • Analyst time per MFA ticket: from 25–35 minutes down to 0–5 minutes (90%+ reduction)
  • User downtime: from 1–3 hours down to 10–15 minutes
  • Total MFA ticket volume handled by analysts: reduced by 85–95% (automated resolutions)
  • Cost savings for 200 tickets/month: $30,000–$45,000/year in analyst time alone
  • Security improvement: consistent identity verification process replaces ad-hoc analyst judgment

Support Team implements the risk-based approach with built-in identity verification workflows. It reads MFA lockout tickets from ServiceNow, assesses risk based on the user's sign-in context, and either auto-resolves with a Temporary Access Pass or routes through manager approval — all with a full audit trail. No scripting, no Graph API permissions to manage, and no manual token rotation.

Frequently Asked Questions

Is it safe to automate MFA resets?

Automated MFA resets are safe when identity verification is performed before the reset. Options include manager approval via email or Teams, a secondary verification channel (SMS to a registered backup number), or risk-based assessment using Azure AD sign-in risk signals. The key is that automation handles the execution, not the authorization decision.

What is a Temporary Access Pass?

A Temporary Access Pass (TAP) is a time-limited passcode issued by Azure AD that allows a user to sign in and register new MFA methods. TAPs are created via the Microsoft Graph API and expire after a configurable period (1–24 hours). They are the recommended method for MFA re-enrollment because they do not require the user to have any existing MFA method available.

How long does an automated MFA reset take?

The Graph API call to reset authentication methods or issue a Temporary Access Pass takes under 2 seconds. With manager approval in the loop, the end-to-end time is typically 5–15 minutes (limited by the manager's response time). Without approval requirements, the process completes in under 60 seconds.

Automate MFA Resets Without Compromising Security

Support Team resolves MFA lockout tickets from ServiceNow with risk-based identity verification, Temporary Access Pass generation, and full audit logging. Reduce lockout resolution time by 90% while maintaining the security controls your team requires.
