Atlassian Guard / ACCESS-692

Org admins cannot disable 2FA for a provisioned user

      Issue Summary

      Org admins cannot disable two-step verification (2FA) for managed accounts when the user provisioning integration is enabled. The following message is displayed on the user's profile in the organization:

      Two-step verification
      Go to your identity provider settings to manage how users log in with a second step.

      Environment

      An organization with user provisioning enabled but without SAML single sign-on.

      Steps to Reproduce

      1. A regular user enables Atlassian 2FA on their account.
      2. The org admin enables user provisioning, and the provisioned set includes the user above.
      3. The user (now managed entirely by the IdP) loses their phone, i.e. their second factor.

      Expected Results

      The org admin should be able to disable 2FA for that user, since it is still enabled on the Atlassian side.

      Actual Results

      Because the user is completely managed by the IdP, the message

      Go to your identity provider settings to manage how users log in with a second step

      is shown instead. However, 2FA is enabled in Atlassian, not in the IdP, so there is nothing in the IdP settings that can turn it off.

      Workaround

      The org admin can call the admin.atlassian.com endpoint directly from the browser's developer console. The request reuses the admin's existing session cookies, so it must be run from a tab that is signed in to admin.atlassian.com:

      // Removes the Atlassian-side 2FA enrolment for one managed account.
      // <org-id> and <AAid of the affected user> must be replaced with the real values.
      fetch('https://admin.atlassian.com/gateway/api/adminhub/organization/<org-id>/members/<AAid of the affected user>/mfa', {
          method: 'DELETE',
          credentials: 'same-origin',   // send the admin.atlassian.com session cookies
          headers: { 'Content-Type': 'application/json' }
      }).then(response => console.log(response.status, response.statusText));  // e.g. a 2xx status means the 2FA enrolment was removed

              fc3d1a9c953a Dilip Venkatesh
              clionte Claudiu Lionte (Inactive)
              Affected customers: 8
              Watchers: 19