Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
Kristof Kuderko commented
@Joe Croll the below script still works for us. It requires the "Authentication admin" role
#Connect to Msol (requires the MSOnline module)
Connect-MsolService
#Create the StrongAuthenticationRequirement object
$mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"
#State is "Enabled" (user is prompted to register) or "Enforced"
$mf.State = "Enabled"
$mfa = @($mf)
$username = Read-Host -Prompt 'Input username - email format'
#Enable MFA for specific user
Set-MsolUser -UserPrincipalName $username -StrongAuthenticationRequirements $mfa
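The script above only turns per-user MFA on. The following is an added example, not from this thread or from Microsoft, that wraps the same MSOnline calls so a delegated admin can read the current per-user state, switch it between Enabled, Enforced and Disabled, and confirm the change actually applied. It assumes the legacy MSOnline module is installed and that the signed-in account holds a role permitted to write StrongAuthenticationRequirements (the thread reports mixed results for Authentication administrator). The function names and the parameter block are this example's own.

```powershell
# Added example: manage per-user MFA state with the legacy MSOnline module.
# Assumption: MSOnline is installed and the caller's role may write
# StrongAuthenticationRequirements (Global Administrator is known to work).
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
)

# Interactive sign-in to the tenant.
Connect-MsolService

function Get-PerUserMfaState {
    # Returns 'Disabled', 'Enabled' or 'Enforced' for the given UPN.
    param([string]$Upn)
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    $req = $user.StrongAuthenticationRequirements
    # No requirement object at all means per-user MFA is off.
    if ($null -eq $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

function Set-PerUserMfaState {
    # Writes the requested state; an empty array clears the requirement.
    param([string]$Upn, [string]$State)
    if ($State -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # applies to every relying party
    $req.State = $State          # 'Enabled' or 'Enforced'
    Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($req)
}

$before = Get-PerUserMfaState -Upn $UserPrincipalName
Write-Host "Per-user MFA for $UserPrincipalName before: $before"

Set-PerUserMfaState -Upn $UserPrincipalName -State $State

# Read the state back rather than trusting that the write succeeded; a role
# without permission can fail silently depending on module version.
$after = Get-PerUserMfaState -Upn $UserPrincipalName
Write-Host "Per-user MFA for $UserPrincipalName after:  $after"
if ($after -ne $State) {
    Write-Warning "State is '$after', expected '$State'. Check the signed-in account's role."
}
```

Setting the state to Disabled only removes the requirement; it does not clear the methods the user has already registered, so a "reset so they can re-register on a new phone" request (the iPhone season case above) is a separate operation from the enable/disable toggle this script performs.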
Joe Croll commented
The workaround for this lack of functionality was to have the non global admin user enable MFA per user in PowerShell. But something recently changed and the non global admin no longer has permission to run the Set-MsolUser -StrongAuthenticationRequirements command.
#Set MFA Var's
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
#$userID holds the user object from Get-MsolUser (retrieved earlier, not shown)
#Output Enabling MFA
Write-Host "Enabling MFA for" $userID.UserPrincipalName
#Set MFA to Enabled for user account
Set-MsolUser -UserPrincipalName $userID.UserPrincipalName -StrongAuthenticationRequirements $sta
Jesse Rice commented
I'm in a constant battle with my Security and compliance team because we have so many Global Admins. I'm not sure why only part of the MFA permissions were implemented and not others. I don't understand why the ability to force a reset is less of a security risk than allowing them to just Unblock a locked out MFA account.
Is there a status update on when these roles / permissions will be adjusted to be more in line with each other and with what the Community appears to expect?
Jennifer Tichavsky commented
Kristof Kuderko commented
The Authentication admin role allows enabling MFA via PowerShell and re-registering/revoking MFA sessions from the Azure panel, but not from the main O365 admin panel. The options are greyed out and only available for Global admins. Why such nonsense?
Dmitrijs Granicins - Livewords commented
Privileged Auth Admin can Reset MFA and alter the factors within AzureAD Portal itself, but what about setting Enable\Disable\Enforce MFA status within the MFA Portal, accessible by clicking "Multi-Factor Authentication" button in Users view in AzureAD Portal? Which role is required for the latter?
Dalton Reeves commented
Yeah why does this need to fall on global admins to handle. iPhone season literally is awful.
Can you add a role or allow Privileged authentication administrator to register MFA Tokens.
Ion C. commented
It is very clear that Microsoft do not offer a solution for this option just because they want to push it through the Conditional Access, which involves more expensive licenses and more money spent by the companies.
It is very difficult to understand why this is not a thing!!! Why is this option not available in the user blade (admin.microsoft.com) with non-GlobalAdmin access and why FORCE administrators to go here https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx? to enable/disable/reset sessions....this needs to be sorted....99% of companies will not have Support Engineers with access to PowerShell.....
This is pretty poor that Microsoft can't spend time sorting this issue out; there needs to be a way to delegate permissions so other people that aren't GA can access the MFA icon within Azure.
How is this not done? It's been 5 years. We need the ability to enable or disable MFA from this page without being a GA https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
We had a new Domain Admin with the Global Administrator role. For this one new person the MFA access was greyed out. After assigning him the additional role of "Privileged authentication administrator" he was able to access all of the MFA settings for all users. Very odd that he had to be assigned this role on top of Global Administrator.
Giving the Authentication administrator or Privileged authentication administrator role will not let you enable or disable per-user multi-factor.
Ryan Dobson commented
I am doing a global admin audit on our org and one of the users has this so he can block/unblock MFA. otherwise he does not need global admin. Auth admin and priv auth admin don't grant these rights. Is there any time frame on this?
Auth admin still can't enable/disable MFA; don't think the Azure AD team understands what we want, shame.
Oliver Zaupa commented
I work in service desk and I don't want to bother our admins every time a user needs an MFA reset. Absolutely needed.
Rowan Kendall - SA commented
My GA has given me Authentication admin, still can't enable/disable MFA on accounts. Get it together MS
You also can't find the way to turn it off...
I saw the setting is disabled, but it still needs Authenticator, wtf?
Agree, This function is sh!t and annoying for user!!!