For sensitive operations — password resets, admin account creation, permission changes — the agent can require the requesting employee to verify their identity via multi-factor authentication before executing. This ensures the person asking for a sensitive action is actually who they say they are, not just anyone who got their hands on the originating ticket, call, or chat.

How it works

When the agent determines that a requested operation is sensitive, it pauses execution and initiates an identity verification challenge with the employee’s MFA provider. The employee must approve a push notification on their authenticator app before the agent proceeds.
1. Agent detects a sensitive operation

As the agent builds its plan, it identifies that one or more steps require elevated assurance — for example, resetting a Microsoft 365 password or creating a new admin account.

2. Agent initiates verification

The agent calls the identity verification service, which sends a push notification to the employee’s authenticator app (Microsoft Authenticator or Duo Mobile, depending on your configuration). The agent tells the employee on the source ticket, call, or chat that they will receive a verification push and should approve it.

3. Employee approves the push notification

The employee opens their authenticator app and approves the push notification. This confirms their identity.

4. Agent receives the result

The backend monitors the verification result automatically — either by polling the provider or receiving a webhook callback, depending on the provider. The agent does not need to ask the employee anything further.

5. Agent proceeds or stops

If the employee approved the push:
  • The agent proceeds with the sensitive operation and confirms completion on the source ticket, call, or chat.
If the employee denied the push or the verification timed out:
  • The agent reports the failure on the source ticket, call, or chat and does not execute the action. The employee can resubmit their request if they want to try again.

Supported providers

When your Microsoft 365 integration is connected, the agent triggers MFA through the user’s registered method — typically a push to Microsoft Authenticator, but it falls through to whatever the user has configured.
  • The employee receives a standard Microsoft Authenticator push, identical to the ones they already use for Microsoft 365 sign-ins.
  • The result is resolved automatically through Microsoft Graph — no action required from your technicians.

Configuration

Identity verification does not require any configuration beyond connecting your MFA integration. Once Microsoft 365, Duo, or Traceless is connected, the agent automatically triggers identity verification whenever it determines an operation is sensitive.
Credential resets, admin privilege changes, and permission grants always trigger identity verification. The agent classifies the request automatically — you don’t define which operations qualify.

What happens when verification fails

If the employee denies the push, the agent immediately stops. It reports the denial on the source ticket, call, or chat and does not execute the action. The employee can resubmit their original request if they want to try again.
If the employee does not respond to the push notification within the provider’s timeout window (up to 3 minutes for Microsoft 365; up to 5 minutes for Traceless; Duo uses its own configured timeout), the verification expires. The agent reports the timeout on the source ticket, call, or chat and does not execute the action.
If the employee has no MFA device enrolled with the connected provider, the push cannot be delivered. The agent reports that verification could not be completed and escalates the request to your technicians for manual handling.
If verification fails or times out, the agent never executes the sensitive operation — regardless of other approvals that may already be in place. A fresh verification is required for each new attempt.
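
The fail-closed behaviour described above, sketched as an added example (this is not the product's own code). The function names, provider keys, and the Duo timeout value are assumptions; the 180 and 300 second windows are the figures given on this page.

```python
import time
from enum import Enum

class Push(Enum):                      # state the MFA provider reports for a challenge
    PENDING = 1
    APPROVED = 2
    DENIED = 3

class Outcome(Enum):                   # what gets reported on the ticket, call, or chat
    EXECUTED = "executed"
    DENIED = "denied"
    TIMED_OUT = "timed_out"
    ESCALATED = "escalated_to_technician"

# Timeout windows in seconds: 180 and 300 come from this page; the Duo value
# is a placeholder, since Duo uses its own configured timeout.
TIMEOUT_S = {"microsoft365": 180, "traceless": 300, "duo": 60}

def run_sensitive(provider, send_push, poll, action, prior_approvals=(),
                  clock=time.monotonic, sleep=time.sleep, interval=5):
    """Gate `action` behind one fresh MFA challenge; every other path fails closed."""
    # prior_approvals is deliberately never consulted: it cannot replace the push.
    challenge = send_push()            # a new challenge per attempt, never reused
    if challenge is None:              # no enrolled device, so no push was delivered
        return Outcome.ESCALATED
    deadline = clock() + TIMEOUT_S[provider]
    while clock() < deadline:
        state = poll(challenge)
        if state is Push.APPROVED:
            action()                   # the only line that reaches the operation
            return Outcome.EXECUTED
        if state is Push.DENIED:
            return Outcome.DENIED
        sleep(interval)
    return Outcome.TIMED_OUT           # an approval after the window is not honoured

def simulate(provider, states, enrolled=True):
    """Constructed harness: replays poll results against a fake clock."""
    now, ran, feed = [0.0], [], iter(states)
    outcome = run_sensitive(
        provider,
        send_push=lambda: "challenge-1" if enrolled else None,
        poll=lambda _c: next(feed, Push.PENDING),
        action=lambda: ran.append("password_reset"),
        prior_approvals=("manager_ok",),
        clock=lambda: now[0],
        sleep=lambda s: now.__setitem__(0, now[0] + s),
    )
    return outcome, ran
```

Replaying an approval that arrives at the 180 second mark through `simulate` times out under the Microsoft 365 window and executes under the Traceless one, which shows why the window has to be enforced by the gate and not by the employee's device.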