Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
But can these new roles block/unblock users' MFA? Thanks.
We need this asap!
Shrikant Sharma commented
Managing MFA-related issues, such as reviewing the logs to understand any MFA-related issues, unblocking a user from MFA, etc., should be made available via a separate role vs. needing a Global Admin.
Bill Gates told me to tell you that this should have been fixed in 2017. He's pretty upset. You might want to get the ball rolling.
I have had an admin that has stolen money. So how do I get out of that admin's possession? I am denied an email and I am not allowed a private conversation or to drive my own $40,000.00 car. I do not think this is an off-the-wall question. I need help in getting out of Azure but I have asked over and over with no follow-through from you. Can you please help me get out of Azure? This has been a very unhealthy situation for me. I need help.
Wayne Day commented
So this feature has been on the roadmap for over 2 years? This is a no brainer! We need a user admin role to Enable/Enforce/Disable MFA without being a global admin.
I believe you can enforce MFA using Conditional Access policies and assigning them to your AD groups. This way your User admins can just add people to the groups to apply MFA to their accounts without the need for global admin role.
Enabling MFA directly (which needs global admin role) on a user account overrides any Conditional Access policies.
In our company, the HR team manages users and their access. They are not tech savvy enough to write PowerShell scripts. Unless we enable Global Admin permissions for these guys, they are unable to enable MFA. We gave them the Authentication Administrator role but it is not working. Could you please let us know if there is any other role available to give them permissions to enable MFA for non-admin users?
Ed McKinzie commented
We opened a case on this and we received the following instructions that allow non-Global Admin accounts to disable/enable MFA using PowerShell as long as they are members of the Authentication Administrator and Privileged Authentication Administrator RBAC roles.
From the MS Engineer:
"I could not find the required permissions documented and, apparently, the Graph API does not support MFA configuration. However, while doing some tests, I came to the conclusion that the Authentication Admin and the Privileged Authentication Admin can enable/disable MFA via PowerShell. Please check the available documentation to enable/disable MFA using PowerShell and the MSOnline module:
#Connect with an account that holds the Authentication Administrator
#(or Privileged Authentication Administrator) role
Import-Module MSOnline
Connect-MsolService
#Enable MFA for specific user
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"     # apply the requirement to all relying parties
$st.State = "Enabled"      # "Enforced" would require MFA on every sign-in
$sta = @($st)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements $sta
#Disable MFA for specific user (an empty array clears the requirement)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements @()
Hope this helps others that had similar issues. There are requests in to the product group to get this feature allowed in the Azure web UI.
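An added example, not from this thread or from Microsoft: a small audit-then-change helper built on the same MSOnline Set-MsolUser/StrongAuthenticationRequirement objects the engineer's snippet uses, so a helpdesk operator can first list who still has per-user MFA disabled and then preview a change with -WhatIf before committing it. It assumes the MSOnline module is installed and the session account holds one of the roles discussed above; the UPN at the bottom is a constructed placeholder.

```powershell
# Added example, not from the thread. Assumes the MSOnline module and a session
# opened with an account holding Authentication Admin (or higher) rights.
Import-Module MSOnline
Connect-MsolService

# Report the per-user MFA state for every user, so you can see who still has
# MFA disabled before changing anything. State is one of:
# Disabled (no requirement), Enabled (user is asked to register on next sign-in),
# Enforced (MFA required on every sign-in).
function Get-PerUserMfaState {
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($req) { $req.State } else { 'Disabled' }
            MethodsRegistered = @($_.StrongAuthenticationMethods).Count
        }
    }
}

# Set the per-user MFA state. Validates the state name and supports -WhatIf,
# so an operator can preview the change before it is applied.
function Set-PerUserMfaState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'Enforced')] [string] $State
    )
    if ($State -eq 'Disabled') {
        $requirements = @()   # an empty array clears the requirement
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $State
        $requirements = @($req)
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set per-user MFA state to $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
    }
}

# Usage (placeholder UPN, constructed for this example):
Get-PerUserMfaState | Where-Object MfaState -eq 'Disabled' | Format-Table
Set-PerUserMfaState -UserPrincipalName 'user@example.onmicrosoft.com' -State Enabled -WhatIf
```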
You only require a user with Exchange Admin rights and a PowerShell script to enable/disable MFA,
or at minimum Privileged Authentication Admin.
Xu, Andy commented
We do need the User Admin role to own the rights to enable/disable MFA for users.
Rich Raynes commented
Allow the User Admin role to Enable/Disable MFA for users.
Your link describes how to reset MFA passwords, not disable or enable. Also on that page, if you had to delete MFA passwords to resolve an issue: "Global administrator permissions are required to perform this action."
Dennis Aanen commented
This is available now, see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
A new role, Authentication Administrator, has been created.
Javier Ornelas commented
My goodness, this needs to be corrected. We have a person that is fairly new to IT and we would like her to set up accounts and MFA. As others have said, I don't want her to only go so far and then the global admins have to set up MFA. That does not make sense.
After 2 years, I'm not very hopeful that this is going to be changed.
My God, this needs to be resolved as soon as possible, it is very complicated to work like this.
Planned since 2017... still not implemented. How can I justify my helpdesk staff having global rights to administer MFA, and conversely I do not want to be lumbered with setting this up for every new member of staff.
What I also don't understand is that the 'Authentication Admin' role's info even says it can administer MFA... which it can't.
Please sort this out ASAP.
Hi, tried it now, but even if the user was a User Admin (also Auth Admin) it didn't work.
Rich Raynes commented
Can they Enable/Disable?
Rakesh Vijayan commented
The User Administrator role can revoke/reset MFA now.
Microsoft, please solve this and make it easier so a Helpdesk Admin can enable MFA for users. We cannot give Global Admin rights just for enabling MFA.