Type: Bug
Resolution: Fixed
Priority: Highest
Support reference count: 15
Severity: Severity 3 - Minor
Summary
Organization Admins cannot review or disable 2-Step Verification (2SV) on Managed Users in their Organization.
When the Organization Admin views the Managed User's Details, the security section shows "Two-step verification NOT ENABLED" despite the User having 2SV configured and enabled on their account.
Steps to Reproduce
- A Managed User enables 2SV on their Atlassian account (either individually or enforced by an Organization's Authentication Policy)
- The End User loses their phone and Recovery Code
- The Managed User's Profile shows "Two-Step Verification NOT ENABLED"
  - Organization Admins would need to move the User to a Non-2SV Enforced Policy
- The User is still prompted for the 2SV challenge
Expected Results
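When an Organization Admin views a Managed User's Details, as documented there should be an option to:
"Disable two-step verification so the User/Member can reset two-step verification and log in"
https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/#Troubleshoot-two-step-verification-with-authentication-policies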
Notes
If a User is a Member of a 2SV-Enforced Authentication Policy and has 2SV enabled, the User Details Security section shows "Two-step verification ENABLED". When they are moved into a 2SV Optional Policy, it then shows "NOT ENABLED", despite no changes by the end user and no removal of the 2SV configuration by the Organization Admin.
Workaround
For admins who need to review which of their Managed Users have 2-Step Verification enabled: Export Managed Accounts (https://support.atlassian.com/organization-administration/docs/export-managed-accounts/) from the Organization; the export shows accounts with 2SV enabled.
If a Managed User cannot log in and needs to replace their Phone/MFA Device, an Organization Admin can call the following endpoint on admin.atlassian.com from the browser's developer console:
fetch('https://admin.atlassian.com/gateway/api/adminhub/organization/<ORGANIZATION-ID>/members/<ATLASSIAN ACCOUNT ID>/mfa', { method: 'DELETE', credentials: 'same-origin', headers: {'Content-Type': 'application/json' } } ).then(console.log)
The Organization ID and Atlassian account ID sections of the Endpoint can be found in the URL when viewing the User's Details in Managed Account.
Is related to: ACCESS-692 Org admins cannot disable 2FA for a provisioned user (Closed)
[ACCESS-1209] Organization Admins Cannot Review or Disable 2-Step Verification on Managed Users
Resolution | New: Fixed [ 1 ] | |
Status | Original: Needs Triage [ 10030 ] | New: Closed [ 6 ] |
Support reference count | Original: 14 | New: 15 |
Assignee | New: Dilip Venkatesh [ fc3d1a9c953a ] |
Priority | Original: Low [ 4 ] | New: Highest [ 1 ] |
Support reference count | Original: 7 | New: 14 |
Description | Original: Steps to Reproduce, step 2: "End Users loses phone" | New: Steps to Reproduce, step 2: "End Users loses phone and Recovery Code" (rest of the description unchanged) |
Support reference count | New: 7 |
Labels | Original: HOT-98142 | New: HOT-98142 ondemand-support-workaround |
Summary | Original: Organization Admins Cannot Disable 2-Step Verification on Managed Users | New: Organization Admins Cannot Review or Disable 2-Step Verification on Managed Users |
Description | Original: Summary begins "Organization Admins cannot disable the 2-Step Verification on Managed User in their Organization" | New: Summary begins "Organization Admins cannot review or disable the 2-Step Verification on Managed User in their Organization" (rest of the description unchanged) |