Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
This role also needs the ability to enable/disable MFA for users through the MFA page.
Eric Periard commented
I use PowerShell to enable and enforce MFA with Auth Admin access, works fine.
I have attached a sample script.
You need to install the following modules: AzureAD and MSOnline.
Mohamed Sbaa commented
1. Add the user to the role "Authentication Administrator".
2. Go to https://aad.portal.azure.com
3. Go to Users & select the concerned user.
4. In the left pane you will find "Authentication methods". Select that and you will be able to have the option to reset MFA or change the contact details.
It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.
Just tried using the portal as "Authentication Administrator" and reset MFA for a user; it worked.
Albert Martinez commented
Didn't work for me. Only works with a "Global Admin" user.
Adding the role "Authentication Administrator" from AzureAD GUI or PowerShell doesn't work in a user with the "User Administrator" role.
The PS script worked, but it's just a workaround, and I don't know why this simple role (which is active and can be applied) doesn't work.
1 - Assign "Authentication Administrator" for those who need it.
2 - Connect to Azure from PowerShell using the credentials of your service desk:
- Install Azure modules for powershell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From PowerShell:
$user = Read-Host -Prompt "UPN to reset the MFA"
$user_get = Get-MsolUser -UserPrincipalName $user   # confirms the UPN resolves to a user before touching it
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user_get.UserPrincipalName   # clears the user's registered MFA methods
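Several posters above say a non-Global-Admin account can enable, enforce or disable per-user MFA from PowerShell, but the thread only shows the reset cmdlet. The script below is an added example, not one of the scripts attached in this thread; it uses the same legacy MSOnline module and assumes the signed-in account holds one of the roles posters report as sufficient (the UPN is read at runtime, and the function names are my own).

```powershell
# Added example: read and set per-user MFA state with the MSOnline module.
# Assumes Install-Module MSOnline has already been run.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in; the admin account's own MFA prompt is supported

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # An empty requirements list means per-user MFA is not configured (Disabled).
    if ($u.StrongAuthenticationRequirements.Count -eq 0) { return 'Disabled' }
    return $u.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
}

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    # Disabling is done by writing an empty array; otherwise one requirement
    # object covering all relying parties ('*') carries the desired state.
    $requirements = @()
    if ($State -ne 'Disabled') {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $State
        $requirements = @($req)
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
}

$upn = Read-Host -Prompt 'UPN whose per-user MFA state should change'
"Before: $(Get-UserMfaState -UserPrincipalName $upn)"
Set-UserMfaState -UserPrincipalName $upn -State 'Enabled'
"After:  $(Get-UserMfaState -UserPrincipalName $upn)"
```

Reading the state back after the change is the quickest way to confirm whether the role you are testing actually has write access, since an access-denied error from Set-MsolUser is the symptom several posters describe.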
Only place online related... Can ANYONE tell me why "+ New Policy" would be greyed out for a Global Admin, when trying to set up this exact policy?
It's still not fixed. A PFE told us to enable the Auth Admin role; that also does not work.
Still on the roadmap?
This is absolutely absurd. How can something like this be on the "Roadmap" for 2 years? It's a simple request: take one of your existing "User Admin" roles, and give it the ability to enable or disable MFA, not just "Clear" and "Revoke"; that is only half of the problem.
"Anonymous commented · February 4, 2019 7:03 PM · Flag as inappropriate
Use the steps detailed using Powershell.
Global Admin perms are not needed. But you have to be a User Management Admin."
I can confirm this works: a non-global administrator can enable/disable/enforce MFA for users via PowerShell, though there is no option to do so through the GUI, and access is denied via the URL to the MFA site.
Come on MS - can't be that hard to implement the change to allow a different admin group...
@J. Por - our Helpdesk team has the "User Administrator" role and the PowerShell method is working for them. At the moment, not everyone knows about the PowerShell workaround and to my knowledge, this workaround is not publicly published by Microsoft. Hopefully this tip helps all the other frustrated Azure admins in the world. I know we were jumping for joy when we accidentally discovered this well kept secret 6 months ago.
Chetan Rao commented
When would this new feature come in? Is there a timeline for it?
J. Por commented
@bthai If you can Enable/Disable MFA for a user via PowerShell without it, that's news to me, and it must not use the Authentication Admin Role or the User Admin Role, so which Role is it @bthai?
For those who haven't figured it out by now-- you can Enable/Disable MFA for users by using PowerShell (NO Global Admin role needed, I repeat, NO Global Admin role needed)
Sean S. commented
Alfredo Ramos commented
Managing MFA settings for users under AAD>Security>MFA should also fit the scope of an Authentication Administrator role. There needs to be another role (or roles) besides Global Admin access that allows these changes.
Tom Atkinson commented
The Authentication Administrator role seems to be very limited in scope. You can require that users re-validate, but you can't enable or disable MFA for a user. This solution does not meet our organization's expectations or needs. More simply stated, it does not address the title of Ben Virkler's feedback thread from October 5, 2015: "Allow the User Admin role to Enable/Disable MFA for users".
Ludovic Bernard commented
No, we tried it; the User Admin with the Authentication role cannot activate MFA for a standard user... A User Admin still needs to be Global Admin to do that... nonsense...