A Passwordless Route Through New-Phone MFA Recovery
Verified ID proofing and Temporary Access Pass automation give new-phone users secure MFA recovery without a manual reset workflow.

Operational brief
What you will achieve
Automate away manual IT friction using modern Zero-Trust principles and scripting.
Target Tier
L1 - L3 support
Applicable to all tiers of the service desk.
Time to set aside
About 35 minutes
Includes configuration, validation and deployment.
Tutorial navigation
Every helpdesk on earth has this ticket queued right now: “I got a new phone and Microsoft Authenticator won’t load my account.” It looks harmless. It is, in fact, one of the highest-volume tickets in the identity category, and it is also the exact social engineering vector used in several major breaches over the past two years — an attacker calls the helpdesk, claims to have a new phone, and asks for their MFA method to be reset. If your verification process is a technician asking “what’s your employee ID and can you confirm your manager’s name?”, you don’t have an identity control. You have a guessing game with a human on both ends.
#The Old Way: Verifying a Stranger’s Voice
The traditional flow looks like this: user calls in, technician opens the ticketing tool, asks two or three knowledge-based questions (date of birth, employee ID, department), maybe pings the user’s manager on Teams to “just double check,” then goes into the Entra ID admin centre, deletes the old MFA method, and tells the user to re-register. Fifteen to twenty-five minutes per ticket. Multiply that by a mid-size organisation onboarding new devices every single day and you are burning entire full-time-equivalent headcount on a problem that has nothing to do with fixing technology — it’s a manual identity proofing exercise being performed badly by someone with no forensic training.
Worse: the technician doing the verification usually has the standing privilege to reset MFA for any account in the tenant, including the CFO. That’s a single point of failure sitting in your L1 queue.
#Why This Ticket Is a Security Liability, Not Just a Time Sink
Two separate problems are bundled into one ticket:
- Identity proofing — proving the caller is actually the employee they claim to be.
- Credential re-issuance — giving that verified person a way back into their account.
The old way solves both problems with the weakest possible tool: a human conversation. The new way separates them cleanly. Identity proofing gets handed to a cryptographically verifiable credential. Credential re-issuance gets handed to a time-boxed, single-use passwordless token. The technician — and eventually, no technician at all — is removed from the trust decision entirely.
#The New Way: Verified ID + Temporary Access Pass
Microsoft Entra Verified ID lets you issue a digital credential to employees during onboarding (an “Employee Credential”) that lives in an authenticator wallet on their phone, independent of any single device’s MFA registration. When someone loses their MFA method, they don’t need to prove their identity to a technician — they present their Verified ID credential to a self-service kiosk or bot, and if the cryptographic signature checks out, the system automatically issues a Temporary Access Pass (TAP) and walks them through re-registering MFA. No human touches the decision.
#Step 1: Define the Verified ID Presentation Request
First, configure what credential the self-service portal demands before it will even talk to the user. This JSON is the presentation request your verifier service sends to the user’s authenticator app:
1{
2 "authority": "did:web:kbytech.com",
3 "includeQRCode": true,
4 "registration": {
5 "clientName": "KBY Identity Recovery Portal"
6 },
7 "callback": {
8 "url": "https://selfservice.kbytech.com/api/verify-callback",
9 "state": "mfa-reset-flow",
10 "headers": {
11 "api-key": "__SECRET_FROM_KEYVAULT__"
12 }
13 },
14 "requestedCredentials": [
15 {
16 "type": "EmployeeCredential",
17 "purpose": "Verify employee identity prior to MFA reissuance",
18 "acceptedIssuers": ["did:web:kbytech.com"],
19 "configuration": {
20 "validation": {
21 "allowRevoked": false,
22 "validateLinkedDomain": true
23 }
24 }
25 }
26 ]
27}Notice there is no field anywhere for “security questions.” The credential either signs correctly against the issuer’s DID (Decentralised Identifier) or it doesn’t. There is no partial credit.
#Step 2: Automating Temporary Access Pass Issuance
Once the callback confirms a valid presentation, your backend calls the Microsoft Graph API to generate a TAP for that exact user object — scoped, time-limited, and single-use. This runs under an application permission (not a human’s delegated permission), removing the technician from the loop entirely.
1POST https://graph.microsoft.com/v1.0/users/{userId}/authentication/temporaryAccessPassMethods
2Content-Type: application/json
3Authorization: Bearer {app_token}
4
5{
6 "lifetimeInMinutes": 30,
7 "isUsableOnce": true
8}The response returns the pass itself, which your portal displays once, in a masked field, with a 30-minute countdown:
1{
2 "id": "5c7cba43-2ad1-4c56-b28a-...",
3 "temporaryAccessPass": "j8Qw-92xR!aZ",
4 "lifetimeInMinutes": 30,
5 "isUsableOnce": true,
6 "isUsable": true,
7 "createdDateTime": "2024-05-14T09:12:03Z"
8}The user enters that pass at the sign-in prompt exactly as they would a password, gets pushed straight into the MFA registration wizard, and re-enrols Authenticator on the new handset. From click to resolved: under four minutes, zero technician involvement, full audit trail in the sign-in logs.
#Step 3: The Self-Service Portal Logic Flow
Here is the orchestration logic in plain flow form — this is what your Power Automate flow, Azure Function, or Logic App should implement end to end:
1TRIGGER: User visits selfservice.kbytech.com/mfa-recovery
2
31. Portal generates Verified ID presentation request (Step 1 payload)
42. User scans QR with Authenticator wallet containing EmployeeCredential
53. Verifier service validates signature + checks revocation list
6 IF invalid OR revoked:
7 -> Route to L1 queue with "failed proofing" tag (rare, human review)
8 -> STOP
9 IF valid:
10 -> Extract userPrincipalName from verified claims
114. Call Graph API: create TAP for that userId (Step 2)
125. Log event to SIEM: {user, timestamp, method: "VerifiedID+TAP", technician: null}
136. Display TAP to user for 30 min, single use
147. User signs in with TAP -> forced MFA re-registration policy triggers
158. Ticket auto-closed in ServiceNow via API, category "Self-Service Resolved"Step 8 matters more than it looks. Even fully automated resolutions should still log a record — not for the technician to action, but for audit and volume reporting. You want to be able to show leadership “1,200 tickets resolved with zero technician minutes this quarter” in a dashboard, not just quietly disappear the queue.
#Step 4: Removing Standing Privilege from the Helpdesk Role
The second half of engineering this ticket out of existence is making sure a technician can no longer casually reset MFA even if they wanted to. Pull Authentication Administrator out of any standing role assignment and put it behind Privileged Identity Management (PIM), requiring justification and time-bound activation for the rare manual override case (failed proofing, no Verified ID credential issued yet, etc.).
1# Remove standing Authentication Administrator assignment
2Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
3
4$roleId = (Get-MgDirectoryRole -Filter "displayName eq 'Authentication Administrator'").Id
5$assignment = Get-MgDirectoryRoleMember -DirectoryRoleId $roleId | Where-Object { $_.Id -eq "" }
6
7Remove-MgDirectoryRoleMemberDirectoryObjectByRef -DirectoryRoleId $roleId -DirectoryObjectId $assignment.Id
8
9# Re-provision as eligible-only via PIM
10New-MgRoleManagementDirectoryRoleEligibilitySchedule -Action "AdminAssign" `
11 -PrincipalId "" `
12 -RoleDefinitionId $roleId `
13 -DirectoryScopeId "/" `
14 -ScheduleInfo @{ StartDateTime = (Get-Date); Expiration = @{ Type = "NoExpiration" } }Now a manual reset requires the technician to activate the role through PIM, which generates an approval request and a justification log entry — turning the rare exception into a fully auditable event instead of a daily rubber stamp.
#Edge Cases L1 Still Owns
Don’t over-promise zero human involvement on day one. Three scenarios still need a technician, and you should route them explicitly rather than let them fall through:
- New hires without an issued Verified ID credential yet. Route to onboarding automation, not MFA recovery — the fix is issuing the credential, not resetting MFA.
- Revoked or expired credentials (e.g., someone flagged in an HR offboarding sync). These should hard-fail to a human, by design — that’s the security control working correctly, not a bug.
- Users without a smartphone (shared-device warehouse staff, for example). These accounts should already be on FIDO2 hardware keys or number-matching push, not this flow, and belong in a separate playbook entirely.
#What to Measure
Track three numbers monthly: total MFA-recovery-tagged tickets, percentage resolved via the self-service path with zero technician minutes, and mean time-to-resolution for the residual manual cases. Most organisations that implement this see deflection rates above 85% within the first full quarter, and — more importantly for your security posture — the helpdesk stops being a viable social engineering target for this specific attack pattern, because there is no human left to social-engineer.
Advanced suggested reading
Ready to go deeper?
These articles come from KBY’s senior engineering editorial. Expect denser architecture, fewer introductory explanations and deeper production trade-offs.
Tech Fundamentals
Fixing UEFI Secure Boot Chain-of-Trust Failures
How PK, KEK, db, dbx, shim and MOK layers interact, and the mokutil, sbsign, and sbctl steps that repair a broken UEFI trust chain.
Enterprise IT Management
Detecting Toxic Access with Graph-Based SoD Engines
How graph databases and OPA policy-as-code detect cross-system segregation of duties conflicts before toxic access grants ever commit.
Enterprise IT Management
Break-Glass Access: When Your IdP Goes Dark
How Shamir quorum vaults, Conditional Access exclusions, and out-of-band alerting keep break-glass access usable when your IdP itself goes down.
Comments
Add a thoughtful note on A Passwordless Route Through New-Phone MFA Recovery. Comments are checked for spam and held for moderation before appearing.