AscendCore
Identity · Live in production

MFA Re-enrollment

Automate Okta and Microsoft Entra ID MFA factor reset and re-enrollment from Slack and Teams, with approval-gated execution and audit-friendly logging.

Integrates with

Okta, Entra ID

The problem

When a user loses their MFA device or needs to re-enroll a new authenticator, existing factors must be revoked and re-enrollment guided through a secure flow. Without automation, this requires multiple help desk touches plus out-of-band identity verification — often during business hours when the user can't access any of their tools. The user is locked out, the engineer context-switches, and the SLA breaches.

What AscendCore does

A user requests an MFA reset in Microsoft Teams or Slack. AscendCore proposes factor revocation and enrollment-link generation against the user's identity provider. An IT admin sees the user's currently-enrolled factors, approves with one click, and AscendCore revokes the existing factors and delivers a time-limited enrollment link to the user via DM.

Workflow

  1. Detect — user message in Teams or Slack ("reset my MFA" or /mfa-reset <email>)
  2. Classify — intent + target user resolved against the IDP
  3. Propose — admin approval card with currently-enrolled factors visible
  4. Approve — one-click human approval (always required)
  5. Execute — revoke push, SMS, TOTP, hardware-key factors at the IDP
  6. Generate — enrollment link with configurable TTL (default 30 minutes)
  7. Deliver — link sent via DM with onboarding instructions
  8. Audit — every action logged with approver identity, factor list, timestamp

Integrations

  • Okta — Factor lifecycle API for revocation and enrollment
  • Microsoft Entra ID — Authentication methods API
  • Slack + Microsoft Teams — DM delivery for the time-limited enrollment link

Status

Live in production. Used in real Okta and Microsoft Entra ID tenants today with verified end-to-end execution and audit trail.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do — chat is just the interface that triggers it.

name: mfa-reenrollment
trigger:
  channels: [slack, teams]
  intents: [mfa_reset]
steps:
  - revoke_factors:
      provider: ${user.idp}
      factor_types: [push, sms, totp]
  - enrollment_link:
      ttl_minutes: 30
      delivery: dm
approval:
  required: true
  approvers: [it-admins]
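
The approval and ttl_minutes fields above imply two server-side checks: nothing runs without an authorized approver, and the enrollment link stops working after its TTL. The sketch below is an added example, not AscendCore's code. The policy dict, member list, signing key, token format, self-approval rule and single-use rule are all assumptions, and no IdP calls are made.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy mirroring the manifest fields; the member list is hypothetical.
POLICY = {"approval_required": True, "approvers": {"alice@example.com"}, "ttl_minutes": 30}
SECRET = secrets.token_bytes(32)  # hypothetical server-side signing key
AUDIT = []                        # stand-in for an append-only audit sink
USED = set()                      # nonces already redeemed (single-use assumption)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def execute_reset(requester, target, approver, factors, now=None):
    """Enforce the approval gate, write the audit record, return an expiring token."""
    now = int(time.time() if now is None else now)
    if not POLICY["approval_required"]:
        raise RuntimeError("policy must require approval")
    if approver not in POLICY["approvers"]:
        raise PermissionError("approver is not in the approvers group")
    if approver in (requester, target):
        raise PermissionError("self-approval is not allowed (assumption)")
    # Factor revocation at the IdP belongs here; this sketch covers the gate and token only.
    payload = f"{target}|{now + POLICY['ttl_minutes'] * 60}|{secrets.token_urlsafe(16)}"
    AUDIT.append({"action": "mfa_reset", "target": target, "approver": approver,
                  "factors": sorted(factors), "ts": now})
    return f"{payload}|{_sign(payload)}"

def redeem(token, now=None):
    """Return the target user for a valid token, or None (fail closed)."""
    now = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 4:
        return None
    target, exp, nonce, sig = parts
    expected = _sign(f"{target}|{exp}|{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now > int(exp) or nonce in USED:
        return None
    USED.add(nonce)
    return target
```

The signature is verified before the expiry field is parsed, so a tampered token is rejected without its contents being trusted.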

Ready to deploy

Run MFA re-enrollment from Teams or Slack today

AscendCore deploys in 48 hours for Slack + Okta or Teams + Entra stacks. See the first automated resolution the same day.
