Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Ed McKinzie commented
We opened a case on this and we received the following instructions that allow non-Global Admin accounts to disable/enable MFA using PowerShell as long as they are members of the Authentication Administrator and Privileged Authentication Administrator RBAC roles.
From the MS Engineer:
"I could not find the required permissions documented and, apparently, the Graph API does not support MFA configuration. However, while doing some tests, I came to the conclusion that the Authentication Admin and the Privileged Authentication Admin can enable/disable MFA via PowerShell. Please check the available documentation to enable/disable MFA using PowerShell and the MSOnline module:
# Connect first (MSOnline module) as an account holding one of the roles above:
# Connect-MsolService

#Enable MFA for specific user
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"        # apply to all relying parties
$st.State = "Enabled"         # "Enabled" (prompt to register) or "Enforced"
$sta = @($st)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements $sta

#Disable MFA for specific user (an empty requirements array clears per-user MFA)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements @()"
Hope this helps others that have had similar issues. There are requests in with the product group to get this feature allowed in the Azure web UI.
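As an added example that is not part of the thread or of Microsoft's instructions above, the script below wraps the same MSOnline cmdlets into functions that read the current per-user MFA state back after every change, distinguish the "Enabled" and "Enforced" states, and handle the disable case. It assumes Connect-MsolService has already been run as an account holding a role that is allowed to change the setting (the thread reports Authentication Administrator and Privileged Authentication Administrator); the UPNs in the list are hypothetical.

```powershell
# Added example, not from the thread. Requires the MSOnline module and an
# existing Connect-MsolService session; the UPNs below are hypothetical.

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req     = $user.StrongAuthenticationRequirements | Select-Object -First 1
    $methods = $user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        # No requirement object at all means per-user MFA is disabled.
        State             = if ($req) { $req.State } else { 'Disabled' }
        RegisteredMethods = ($methods -join ',')
    }
}

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )

    if ($State -eq 'Disabled') {
        # An empty array clears every requirement, which turns per-user MFA off.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    }
    else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'      # all relying parties
        $req.State        = $State   # 'Enabled' or 'Enforced'
        # -StrongAuthenticationRequirements replaces the whole collection; it does not merge.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    }

    # Read the value back instead of trusting the cmdlet's silence: a role that
    # lacks the permission can fail without changing anything.
    $after = Get-UserMfaState -UserPrincipalName $UserPrincipalName
    if ($after.State -ne $State) {
        throw "MFA state for $UserPrincipalName is '$($after.State)', expected '$State'"
    }
    $after
}

# Hypothetical new-starter accounts (assumption for illustration only).
$newStarters = @('alice@contoso.example', 'bob@contoso.example')

foreach ($upn in $newStarters) {
    $before = Get-UserMfaState -UserPrincipalName $upn
    if ($before.State -eq 'Disabled') {
        # 'Enabled' prompts the user to register at next sign-in; the tenant
        # moves them to 'Enforced' automatically once registration completes.
        Set-UserMfaState -UserPrincipalName $upn -State 'Enabled'
    }
    else {
        $before   # already Enabled or Enforced; report and leave untouched
    }
}
```

Running the loop as a Global Admin and then as an account that only holds the role under test is the quickest way to confirm, in your own tenant, which of the roles named in this thread actually succeed, since the read-back check throws when the change did not take effect.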
You only require a user with Exchange Admin rights and a PowerShell script to enable/disable MFA,
or at minimum Privileged Authentication Admin.
Xu, Andy commented
We do need the User Admin role to own the rights to enable/disable MFA for users.
Your link describes how to reset MFA passwords, not disable or enable. Also on that page, if you had to delete MFA passwords to resolve an issue: "Global administrator permissions are required to perform this action."
Dennis Aanen commented
This is available now, see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
A new role, Authentication Administrator, has been created.
Javier Ornelas commented
My goodness, this needs to be corrected. We have a person who is fairly new to IT and we would like her to set up accounts and MFA. As others have said, I don't want her to only go so far and then have the Global Admins set up MFA. That does not make sense.
After 2 years, I'm not very hopeful that this is going to be changed.
My God, this needs to be resolved as soon as possible, it is very complicated to work like this.
Planned since 2017... still not implemented. How can I justify my helpdesk staff having global rights to administer MFA and inversely I do not want to be lumbered with setting this up for every new member of staff.
What I also don't understand is that the 'Authentication Admin' role's info even says it can administer MFA... which it can't.
Please sort this out ASAP.
Hi, tried it now, but even if the user was User Admin (also Auth Admin) it didn't work.
Can they Enable/Disable?
Rakesh Vijayan commented
User administrator role can revoke/reset MFA now
Microsoft, please solve this and make it easier so a Helpdesk Admin can enable MFA for users. We cannot give Global Admin rights just for enabling MFA.
Sumeet Kumar commented
I think the Azure AD Authentication Administrator has the privilege to revoke MFA, require re-register MFA and reset user password. However, enabling/disabling MFA is still a job only a Global Administrator can do. Why can't the Authentication Administrator have this right?
Which "roadmap" is this on? Because we could have walked around the globe 3 times since this was slated to be 'on the roadmap'. Just sayin.
Akhtar Rahmetulla commented
This is crucial to ensure we limit the number of Global Admins.
Kelli Page commented
I need to be able to enable/enforce MFA without being a Global Admin.
Ray Ross commented
This 100% should be in the user admin role. Please follow up Microsoft.
It should be so easy to create a role for that, Microsoft. It must be a security role, not a Global Admin role, so the security team can do the task without asking to be Global Admin in PIM. Kind of ridiculous when you think about that kind of security: you need to be God to unlock a user for MFA.
Thomas Cannervall commented
Did something similar to Claudia Wilson
You can use the Privileged Authentication Administrator role to reset MFA. You can of course use this with PIM or whatever.
Yesterday I set up a reset flow with Automation Accounts (Azure Automation) -> Power Automate -> Power App to handle reset of MFA by support agents.
I created a service account with the Privileged Authentication Admin role, imported the MSOL module in the automation account and created a pretty basic PS runbook:
param(
    [Parameter(Mandatory = $true, HelpMessage = "Email of the user to reset MFA for")]
    [string]$UserEmail,
    [Parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
    [string]$AuthUser
)

# Fail fast so any error lands in the catch block below.
$ErrorActionPreference = 'Stop'

try {
    # Credential asset stored in the Automation Account (name redacted in the original post).
    $creds = Get-AutomationPSCredential -Name '<redacted>'
    Connect-MsolService -Credential $creds

    # Clears the user's registered MFA methods so they re-register at next sign-in.
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Output "Reset MFA for user $UserEmail failed. The error is: $ErrorMessage"
}
Had to give the support agents Automation Job Operator permissions on the Automation Account / resource group and of course access to the app flow.
Hope it helps someone
Claudia Wilson commented
Just so everyone knows, there is a different PIM role that works: Authentication Admin. You do have to PowerShell it, however, if you aren't Global. I believe this also makes "Require user to re-register MFA" work in the Azure portal, not sure though. I attached the script we use to do so if this helps anyone.
To note, this also adds the user to a group attached to our sign in risk policy. Hope this helps someone :)