Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Douglas Plumley commented
I was surprised to find this wasn't already a role; it's sorely needed so that backend IT isn't fulfilling a helpdesk IT role with MFA management, resets, etc.
Agree; we expect our service desk, who are not global admins, to perform these activities :)
Delegation of Azure MFA administration is *desperately* needed. Personal experience: I've got 300+ users enrolled now, and *all* of the Help Desk ticket requests for MFA issues are bypassing Tier 1 and Tier 2 support, and landing right in our Global Admin's laps. This is terribly inefficient use of resources and frequently results in sub-optimal customer service experiences.
Richard King commented
I absolutely agree with this. Currently there are two methods to allow the helpdesk team to enable/disable MFA:
1. Give the Global Admin Role
2. Give tenancy co-admin rights in the classic portal
Unfortunately, both of these give excessive rights. If user MFA management could be implemented in the new portal's AAD management, then perhaps we could delegate access with the custom RBAC roles.
Edwin Friesen commented
Currently I am involved in a customer project implementing Azure AD and Intune. For security reasons, and for a smooth addition of Passport for Work, multi-factor authentication is a required component.
As part of the company process, it is important that first-line support gets delegation of control for user account on-/offboarding. Within Azure Active Directory it is possible to assign administrative roles.
However, when it comes to enabling or disabling multi-factor authentication, only the Global administrator role is available. The result is that user management has to be extended to second-line support.
It would be a great added value to add MFA management to the User administrator role as well.