Can an MSP log in to a user account on a PC that has MFA enabled?

My clients have PCs that are Azure AD joined and all the PCs have AuthPoint installed. So, as an example, Mary has a login of mary@company.com with a password, and after she enters her password, she must authenticate with AuthPoint; then she can access her user account, desktop, files, etc.
Often, I need to log on to a user's PC to do service work on their specific user account. Attempting to sign in to Mary's account will send her an MFA notification. User inheritance is great for when I need to sign in to the server, for example, but what about when a service provider needs to access a specific user account?

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @TwinRiversTech
    AuthPoint isn't specifically designed to allow you to access someone else's account.

    - If you are an admin, you can use the lost token function to disable MFA for a short period of time. You will need to know the user's password in order to do this.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/forgot_authenticator.html

    - You can generate an additional token and assign it to that user's account for the duration you're working with that user's account.

    Personally, I would simply suggest you have the user present while you are working with their account if possible, as that shields you from any accusations/liability that you did something/accessed something with their account.

    -James Carson
    WatchGuard Customer Support
