Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
This is already done - i have given service desk rights to change MFA rights for users
Zuiderduin, Mike commented
With "Authentication Administrator" i can change the MFA number. I cannot see the old number. But for the Servicedesk that is not required.
Just as a heads up. Requiring Global Admin so Help Desk users can unblock (not just enable/disable) MFA for non privileged users causes a situation where Azure Active Directory does NOT meet the HITRUST Least Privileged requirements...so this can cause your organization to fail a HITRUST audit.
This MUST be fixed.
Cheryl Ross commented
Is there a roadmap id for this User Admin Role work item?
Christopher Goff commented
How is this not a thing yet? Global admin should NOT be required for my helpdesk admins to unblock MFA.
without prejudice commented
Assigning a Helpdesk staff member "Authenication administrator" and "User Administrator" rights in Azure Active Directory admin center does not allow the Helpdesk staff member to Enable or Disable MFA.
It does appear to allow the Helpdesk staff member to "Require re-register MFA" and "Revoke MFA Sessions" and change "Authentication Contact Info" in Azure which is helpful once the user is setup.
This still means however that a Global Admin has to get involved in the creation of every new user to enable MFA or the Global Admin role needs to be given to Helpdesk which is extremely undesirable.
Please could you raise the priority on this request?
@magnus But I still cant ENABLE MFA for a User...
As some other users have pointet out, this feature is live, go to Azure AD and assign your MFA admin the "Authentication Administrator" role.
The last update was on Nov 30, 2017. Is it still in roadmap?
Wow. I can't believe this has been complained about for over two years and all Microsoft can say is 'It's on the Roadmap'. Way to provide for your customer's needs!
Can we get someone looking at this issue at least? over 60000 users and three Global Admins. I have better things to do than do the job of my Helpdesk staff.
Please provide delegate access for MFA
Workaround - Grant to the Helpdesk Authentication Administrator permissions via the Azure AD. Then try to restore MFA via the Azure portal and not O365. https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
It is working fine.
Please provide delegate access for MFA
We need a solution for service desk to disable mfa without losing registered methods of authentication. so they can work on the users account or laptop. Then the ability to turn it back on. all this without being a Enterprise Admin. I cant even get the bypass to work. I have made the service desk people Privileged authentication administrator.
This role also needs the ability to enable/disable MFA for users, through the MFA page
Eric Periard commented
I use PowerShell to enable and enforce MFA with Auth Admin access, works fine.
I have attached a sample scripts.
You need to install the following modules: AzureAD and MSOnline.
Mohamed Sbaa commented
1. Add the user to the role "Authentication Administrator".
2. Go to https://aad.portal.azure.com
3. Go to Users & select the concerned user.
4. In the left pane you will find "Authentication methods". Select that and you will be able to have the option to reset MFA or change the contact details.
It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.
Just tried using the portal as "Authentication Administrator" and reset MFA for a users, it worked.
Albert Martinez commented
Didn't work for me. Only works with a "Global Admin" user.
Adding the role "Authentication Administrator" from AzureAD GUI or PowerShell doesn't work in a user with the "User Administrator" role.
The PS script worked, but it's just a workaround and don't know why this simple Role (which is active and can be applied) doesn't work.