How can we improve Azure Active Directory?

Allow the User Admin role to Enable/Disable MFA for users

Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

781 votes

Ben Virkler shared this idea

163 comments

  • Anonymous commented

    This role also needs the ability to enable/disable MFA for users, through the MFA page

  • Eric Periard commented

    I use PowerShell to enable and enforce MFA with Auth Admin access, works fine.

    I have attached sample scripts.

    You need to install the following modules: AzureAD and MSOnline.

    G'day!

  • MikeN commented

    It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.

  • Michael commented

    Just tried using the portal as "Authentication Administrator" and reset MFA for a user; it worked.

  • Albert Martinez commented

    Didn't work for me. Only works with a "Global Admin" user.

    Adding the role "Authentication Administrator" from the AzureAD GUI or PowerShell doesn't work for a user with the "User Administrator" role.

    The PS script worked, but it's just a workaround, and I don't know why this simple role (which is active and can be applied) doesn't work.

    Working script: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#use-powershell

  • Nahuel commented

    From PowerShell:
    1 - Assign "Authentication Administrator" for those you need:

    -Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator

    -Assign Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-manage-roles-portal

    2 - Connect to Azure from PowerShell using the credential of your service desk:

    - Install Azure modules for PowerShell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/

    3 - From PowerShell

    # Requires the AzureAD and MSOnline modules; both prompt for the service desk credential
    Connect-AzureAD
    Connect-MsolService
    $user = Read-Host -Prompt "UPN to reset the MFA"
    $user_get = Get-MsolUser -UserPrincipalName $user
    # Show the registered methods before clearing them
    $user_get.StrongAuthenticationMethods
    # Clears the user's registered methods so they must re-register
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user
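    The snippet above reads and resets one user at a time. As an added example (not part of Nahuel's comment or any script attached in this thread), the following function reports the legacy per-user MFA state and registered methods for every member user, so an admin can verify what a helpdesk role can actually see and whether enable/disable actions landed. It assumes `Connect-MsolService` has already been run under a User Administrator or Authentication Administrator account, as several commenters report works for reading and resetting; the function name, parameter and CSV path are this example's own choices.

```powershell
# Added example, not from the thread: audit legacy per-user MFA state with
# the MSOnline module. Assumes Connect-MsolService has already succeeded.
function Get-PerUserMfaReport {
    [CmdletBinding()]
    param(
        # Optional path; when set, the report is also written out as CSV
        [string]$CsvPath
    )

    $report = Get-MsolUser -All |
        Where-Object { $_.UserType -ne 'Guest' } |
        ForEach-Object {
            # StrongAuthenticationRequirements is empty when per-user MFA is
            # disabled; otherwise its State is "Enabled" or "Enforced".
            $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
            $state = if ($null -eq $req) { 'Disabled' } else { $req.State }

            # Registered methods (the default one carries IsDefault = $true)
            $methods = ($_.StrongAuthenticationMethods |
                ForEach-Object { $_.MethodType }) -join ';'

            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                MfaState          = $state
                Methods           = $methods
                BlockCredential   = $_.BlockCredential
            }
        }

    if ($CsvPath) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation
    }

    # Per-state counts, a quick check that helpdesk enable/disable actions
    # ended up where expected
    $report | Group-Object MfaState | ForEach-Object {
        Write-Verbose ("{0}: {1}" -f $_.Name, $_.Count)
    }
    return $report
}

# Usage (after Connect-MsolService):
# Get-PerUserMfaReport -CsvPath .\mfa-state.csv -Verbose |
#     Where-Object MfaState -eq 'Disabled'
```

    Running this before and after a helpdesk change gives a simple diff of who gained or lost a per-user MFA requirement, which is the kind of record worth keeping when a non-Global-Admin role is allowed to change MFA state.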

  • Michael commented

    Only place online related... Can ANYONE tell me why "+ New Policy" would be greyed out for a Global Admin, when trying to setup this exact policy?

  • leon commented

    It's still not fixed; a PFE told us to enable the Auth Admin role, and that also does not work.

  • Cambo commented

    This is absolutely absurd. How can something like this be on the "Roadmap" for 2 years? It's a simple request: take one of your existing "User Admin" roles and give it the ability to enable or disable MFA, not just "Clear" and "Revoke"; that is only half of the problem.

  • Anonymous commented

    "Anonymous commented · February 4, 2019 7:03 PM
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#use-powershell

    Use the steps detailed using PowerShell.

    Global Admin perms are not needed. But you have to be a User Management Admin."

    I can confirm this works: a non-Global Administrator can enable/disable/enforce MFA for users via PowerShell, though there is no option to do so through the GUI, and access is denied via URL to the MFA site.

    Come on MS, it can't be that hard to implement the change to allow a different admin group...
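    Several commenters (Eric Periard, the quoted February 2019 comment and bthai) say the per-user state can be set from PowerShell under a User Administrator account even though the portal blocks it. As an added example, not Eric Periard's attached script and not the Microsoft doc's verbatim snippet, the function below wraps the `StrongAuthenticationRequirements` approach that the linked howto-mfa-userstates page describes, adds `-WhatIf` support, refuses no-op changes and re-reads the state after writing so the result can be logged. It assumes `Connect-MsolService` has already been run under the non-Global-Admin role the commenters report working; the function and parameter names are this example's own. Note that this is the legacy per-user MFA model and that Microsoft has since deprecated the MSOnline module.

```powershell
# Added example, not from the thread: set or clear legacy per-user MFA
# state with the MSOnline module. Assumes Connect-MsolService has run.
function Set-PerUserMfaState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,

        # Disabled clears the requirement; Enabled prompts the user to
        # register; Enforced requires MFA at every sign-in.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disabled', 'Enabled', 'Enforced')]
        [string]$State
    )

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $current = $user.StrongAuthenticationRequirements | Select-Object -First 1
    $before  = if ($null -eq $current) { 'Disabled' } else { $current.State }

    if ($before -eq $State) {
        Write-Verbose "$UserPrincipalName is already $State; nothing to do"
        return $before
    }

    if ($State -eq 'Disabled') {
        # An empty array removes the per-user requirement entirely
        $requirements = @()
    }
    else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State        = $State
        $requirements     = @($req)
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set per-user MFA state $before -> $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $requirements -ErrorAction Stop

        # Re-read so the caller records the state the directory actually holds
        $after  = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements |
                  Select-Object -First 1
        $result = if ($null -eq $after) { 'Disabled' } else { $after.State }
        Write-Verbose "$UserPrincipalName: $before -> $result"
        return $result
    }
}

# Usage:
# Set-PerUserMfaState -UserPrincipalName 'user@contoso.example' -State Enforced -WhatIf
# Set-PerUserMfaState -UserPrincipalName 'user@contoso.example' -State Enabled -Verbose
```

    Returning the post-write state rather than trusting the intended one matters here: the thread shows admins disagreeing about which role succeeds, and a helpdesk script that silently reports success after an access-denied write would hide exactly that failure.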

  • bthai commented

    @J. Por - our Helpdesk team has the "User Administrator" role and the PowerShell method is working for them. At the moment, not everyone knows about the PowerShell workaround and, to my knowledge, this workaround is not publicly published by Microsoft. Hopefully this tip helps all the other frustrated Azure admins in the world. I know we were jumping for joy when we accidentally discovered this well-kept secret 6 months ago.

  • J. Por commented

    @bthai If you can Enable/Disable MFA for a user via PowerShell without Global Admin, that's news to me, and it must not use the Authentication Admin role or the User Admin role, so which role is it @bthai?

  • bthai commented

    For those who haven't figured it out by now-- you can Enable/Disable MFA for users by using PowerShell (NO Global Admin role needed, I repeat, NO Global Admin role needed)

  • Alfredo Ramos commented

    Managing MFA settings for users under AAD > Security > MFA should also fit the scope of an Authentication Administrator role. There needs to be another role (or roles) besides Global Admin access that allows these changes.

  • Tom Atkinson commented

    The Authentication Administrator role seems to be very limited in scope. You can require that users re-validate, but you can't enable or disable MFA for a user. This solution does not meet our organization's expectations or needs. More simply stated, it does not address the title of Ben Virkler's feedback thread from October 5, 2015: "Allow the User Admin role to Enable/Disable MFA for users"

  • Ludovic Bernard commented

    No, we tried it; the User Admin with the Authentication role cannot activate MFA for a standard user... A User Admin still needs to be Global Admin to do that... nonsense...
