Revoke Access and Disable should also reset MFA in addition to disabling the account and revoking all sessions
Martin Twerski
This should be a configurable setting since not everyone uses Microsoft for MFA
Bjørn Mathisen
Martin Twerski Huntress could just check this through the Graph API before choosing to revoke MFA.
Jared Andrade
Martin Twerski Agreed that this would have to be configurable/optional. Forcing a reset of MFA prevents automatic remediation of any Microsoft Risk Alerts on the Entra side if one happens to be triggered at the same time as a Huntress ITDR incident. (https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-user-experience#risk-self-remediation). Granted, account reactivation and subsequent automatic risk remediation should only be allowed after audit logs are manually reviewed in Entra to confirm no known tampering with MFA methods, but forcibly resetting MFA isn't something I'd want ITDR to do by default.
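To make the Graph API check and the audit-log review from this thread concrete, here is an added example (not Huntress's or Microsoft's code): given a user's `authentication/methods` listing and recent `directoryAudits` entries, it resets MFA only when Entra actually holds MFA methods for the user and, by default, only when the audit trail shows security-info changes inside the incident window. The two Graph routes are documented v1.0 endpoints; the audit `activityDisplayName` values, the tenant opt-in flag and all sample payloads are assumptions/constructed data.

```python
# Added example for this thread, not Huntress's or Microsoft's code. Graph routes are
# real v1.0 endpoints; activity names and sample payloads below are assumptions.
from datetime import datetime, timezone

METHODS_URL = "https://graph.microsoft.com/v1.0/users/{uid}/authentication/methods"
AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"

# Assumed activityDisplayName values Entra writes when security info (MFA methods) changes.
SECURITY_INFO_ACTIVITIES = {
    "User registered security info", "Admin registered security info",
    "Admin updated security info", "User changed default security info",
    "User deleted security info",
}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def registered_mfa_types(methods):
    """MFA method types registered in Entra, excluding the password itself."""
    types = {m["@odata.type"].rsplit(".", 1)[-1] for m in methods}
    return sorted(types - {"passwordAuthenticationMethod"})

def security_info_changes(audit_events, user_id, since):
    """Audit entries where this user's security info changed at or after `since`."""
    return [e for e in audit_events
            if e.get("activityDisplayName") in SECURITY_INFO_ACTIVITIES
            and _ts(e["activityDateTime"]) >= since
            and any(t.get("id") == user_id for t in e.get("targetResources", []))]

def decide_mfa_reset(methods, audit_events, user_id, incident_start, tenant_opt_in):
    """Return (reset_mfa, reason). Skip users whose MFA lives outside Entra; otherwise
    reset on tampering evidence, or always if the tenant opted in (assumed setting)."""
    if not registered_mfa_types(methods):
        return False, "no Entra-registered MFA methods (third-party MFA?)"
    changes = security_info_changes(audit_events, user_id, incident_start)
    if changes:
        return True, f"{len(changes)} security-info change(s) during incident window"
    if tenant_opt_in:
        return True, "tenant policy: always reset MFA on Revoke Access and Disable"
    return False, "no tampering evidence; leave MFA for manual audit-log review"

# Constructed sample payloads shaped like Graph responses.
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "auth-1"},
]
SAMPLE_AUDIT = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2024-05-01T10:15:00Z", "targetResources": [{"id": "user-123"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2024-05-01T10:20:00Z", "targetResources": [{"id": "user-123"}]},
]
INCIDENT_START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
```

In a real run, `SAMPLE_METHODS` and `SAMPLE_AUDIT` would be the JSON `value` arrays fetched from `METHODS_URL` and `AUDIT_URL` with an app token holding the corresponding read permissions.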