Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
Oliver Zaupa commented
I work in service desk and I don't want to bother our admins every time a user needs an MFA reset. Absolutely needed.
Rowan Kendall - SA commented
My GA has given me Authentication admin, and I still can't enable/disable MFA on accounts. Get it together, MS.
You also can't find the way to turn it off...
I saw the setting is disabled, but it still needs the authenticator, wtf?
Agree, this function is sh!t and annoying for users!!!
Anonymously Frustrated commented
Oh come on, another basic function the service doesn't have. I'm not making all my helpdesk ops guys GAs in Azure.
And adding users to those 2 groups does NOT allow them to view MFA status.
Please add this basic functionality yesterday.
I have these roles and still can't Enable/Disable MFA for a user
Allan Warner commented
I have just had an admin get around this issue by using PowerShell. I am guessing it's a bug in the UI that just disables access to the MFA page(s).
His roles were...
Service support administrator
Skype for Business administrator
Teams Communications Administrator
Teams Communications Support Engineer
Teams Communications Support Specialist
Teams Service Administrator
Not sure why this works, but the portal doesn't... Is it just a portal bug?
This is the script they used.
# Requires the MSOnline module and an authenticated session
Import-Module MSOnline
Connect-MsolService
# Build a per-user MFA requirement for all relying parties ("*") in the Enabled state
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
# Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName email@example.com -StrongAuthenticationRequirements $sta
Taken from the MS page
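Added example, not code from Allan Warner's post or from Microsoft's page: the same MSOnline cmdlets wrapped in two functions, one that reports a user's per-user MFA state and registered methods, and one that sets the state to Enabled, Enforced, or Disabled (Disabled being an empty requirements list, which is how the cmdlet expresses it). It assumes the MSOnline module (since deprecated by Microsoft) is installed and Connect-MsolService has already been run with an account whose role is allowed to write StrongAuthenticationRequirements; the function names are my own.

```powershell
# Assumes: Import-Module MSOnline; Connect-MsolService (already done)

function Get-MfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        # No requirement object means per-user MFA is Disabled; otherwise Enabled/Enforced
        State   = if ($req) { $req.State } else { 'Disabled' }
        # Registered methods tell you whether a reset would actually change anything
        Methods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        Default = ($u.StrongAuthenticationMethods |
                   Where-Object { $_.IsDefault } |
                   Select-Object -ExpandProperty MethodType)
    }
}

function Set-MfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')]
        [string]$State
    )
    if ($State -eq 'Disabled') {
        # Clearing the requirement list is what "Disabled" means for per-user MFA;
        # 'Disabled' is not a valid value for the State property itself
        $reqs = @()
    } else {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = '*'
        $st.State = $State
        $reqs = @($st)
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $reqs
    # Read the state back so the caller sees what the directory now holds
    Get-MfaState -UserPrincipalName $UserPrincipalName
}

# Usage (hypothetical UPN):
#   Get-MfaState -UserPrincipalName user@example.com
#   Set-MfaState -UserPrincipalName user@example.com -State Enforced
```

Reading the state back after the write is worth keeping: the thread's portal-versus-PowerShell discrepancy is exactly the kind of thing you only notice by checking what the directory returns rather than trusting the UI.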
Hashokmi Pheirim commented
Global Admin cannot be given just for administering MFA. This also goes against the security compliance controls for some organizations where Global Admin access is limited to a small set of users and not the entire IT helpdesk team.
After 3 years they copy/paste the same update? How about addressing the request from nearly 5 years ago? Just had a user dead in the water for hours because my team has every single role BUT Global Admin, and therefore could not disable MFA. Ridiculous.
Yves Gut commented
Hello everybody. After assigning the role "Privileged authentication administrator" to our Helpdesk employees, they were able to require re-registering or revoke MFA sessions.
But we really need a way for the helpdesk to -enable or disable- MFA on AAD Users.
We hope that this can be implemented quickly.
+1 for allowing User Administrators the ability to unblock those who have reported fraud alerts and so been blocked. Only granting this ability to Global Administrators doesn't really fit a model where user administration is undertaken by a service desk.
johnny nazzal commented
Troy Ridgley commented
The Authentication administrator and Privileged authentication administrator roles have NOTHING to do with this issue. Not sure why Microsoft is posting this as something planned. We have service desk folks in these roles and they do not have the permissions to unblock users.
Pete Lill commented
Authentication admin and Priv auth admin don't have the ability to issue OATH tokens, which we are using for situations where an employee is not legally allowed to enter a gov facility with a mobile device. So I have 100+ service desk people added as Global Admins; hopefully none of them decide to delete my entire tenant or something.
A limited role that allows 1st level & field support teams the ability to reset MFA (nothing more) would be extremely helpful.
Many times, field support teams need to have an MFA reset (require selected users to provide contact methods again & restore multi-factor authentication on all remembered devices) on the spot to assist end users at that point in time. These field support teams are forced to submit a ticket to 1st level support, who in turn send it to the O365 Admins to take action. 1st level support needs an MFA reset to assist the end user... they send a ticket to the O365 Admins to reset MFA, and then the ticket is sent back to 1st level to contact the client to complete the request. It could be much more efficient allowing MFA resets at those 2 levels... no other bells and whistles.
It does not make sense to grant the Global admin role to the service desk to unblock a user (under Azure AD -> Security -> MFA -> Unblock user).
Apart from that, there is no API to expose this functionality, so we have to use the UI, and it requires the most powerful role in Office 365. It does not make sense at all.
Johnny Levring commented
Come on Microsoft! Are you serious? I need to grant my entire IT Support team (25+ members) the Global Admin role, just to go to the Block/unblock MFA users page. Come on!
But can these new roles block/unblock users' MFA? Thanks.