MFA Setup for AD Password Reset (Catalog)

VB14
Tera Contributor

AD domain password reset using MFA? There is a company-wide policy in our project requiring end users to undergo MFA for any password reset. Currently, in ServiceNow, we have flow automation in catalog items allowing users to request AD password resets for their IDs. However, adhering to the MFA policy poses a challenge.

While we are aware that MFA is a feature available in ServiceNow for end users during login, with options to enable it for all SN users, only for vendors, or for specific roles, and with different authenticator tools plus email and SMS options, the important question arises: is there a way to implement MFA selectively for certain sets of catalog requests, flows, or automations even when the user already has a ServiceNow session? Is this even possible, and has anyone developed something for a similar scenario, or does anyone have a technical idea of how this can be achieved?


There is an additional follow-on question: the client has their own Okta MFA; can that be used instead of the SN MFA page?


Luiz Lucena
Mega Sage

Hello @VB14 ,

In your ServiceNow instance, in your Password Reset process, make sure you add the verification option for "Authenticator"; email and SMS can also be used, but they are less secure than Authenticator.
Each user will have to enroll (there is a widget for that which you can publish in your portal, if you use one).

Here is an example of our settings in the Password Reset process:
[screenshot: verification settings of the Password Reset process]

And the widget I mentioned, where users must enroll in the Authenticator:
[screenshot: Authenticator enrollment widget]

If you don't use a portal, you can still send the link to this enrollment page to your users.
You can find this enrollment page under System UI > UI Pages.

For the Okta question, that would be a separate process setting.

For example, we use Azure AD for single sign-on (with its own MFA settings in Azure), and then the Password Reset process mentioned above with its own MFA, used only for password resets in AD.
We also have some users on Okta, and the MFA for them is on the Okta side.


Each MFA must be enabled and configured in the endpoint that will use it.

Let me know if that helps.

VB14
Tera Contributor

Hi Luiz,


Thanks for the reply. I am adding some more background information.


Background:

* In our environment we have Okta SSO for authentication.

* We have not installed ServiceNow MFA (the widget in the screenshot you shared).

* We are not using the ServiceNow "Password Reset Application".

* The user already has a logged-in session in ServiceNow using their primary user ID.


Requirement:

* The user wants to reset the password of their ID in another domain using ServiceNow. They are already logged in to ServiceNow using their primary ID.

* A custom catalog item is created through which the user enters the user ID, selects the domain and enters the new password.

* The catalog item is connected to a flow, and this internally has Microsoft orchestration actions to reset the user's password using a service account.

* This flow is made such that a user can request a reset of any of their other domain user ID passwords, and based on this, different service accounts and different domain AD servers are integrated.

* This is all working well, but now we need to add a step to include MFA: an additional security layer before the user is allowed to submit the request.

* The client plans to use their own Okta MFA, so that it becomes seamless for the client alongside their other apps that use their own Okta MFA.

* Even if we want to use SN MFA, how can we integrate it with a custom catalog item, or leverage any part of the ServiceNow verification from the Password Reset app?


I hope this explains the situation. 


VB14
Tera Contributor

@Luiz Lucena - any thoughts on the last message?

mgalvin
Tera Contributor

Did you get anywhere with this? I'm looking to do something similar: secure an individual catalog item with Microsoft Authenticator.