Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Rich Raynes commented
What we need here people is obviously more votes. Send this to your friends and co-workers. 1035 votes since 2015 isn't going to catch any attention.
Inigo Flores commented
Need this too ASAP, to assist remote workers during the Covid-19 lockdown.
Alberto Bottacin - Ipertrade Srl commented
Hi Microsoft, please follow up for this!
Need this ability
Any update on this?
Ben Roberts commented
How is it possible that it's taken over 4 years to fix this issue?
Brad Cash commented
Please add this soon. I shouldn't have to ask a GA to enable/disable users all of the time. They have plenty of other important things to do.
Abed Farah commented
Microsoft... You forced the default policy on CSP partners and this needs to be fixed ASAP.
Adding a comment so I can track the thread.
Same challenge for us. This limitation even makes PIM a challenge bc support staff have to keep asking for GA rights just to enable MFA for users.
Michelle Watson commented
When will this be available to User Administrators? Based on best practices recommended by Microsoft we limit our Global Administrators. However, our IAM team needs to be able to enable MFA authentication. So, again, when will this be available?
Kris Debkowski commented
Assigned "Authentication Administrator" does not provide access to the MFA management console
I can confirm the same experience as David Wykes. Assigned "Authentication Administrator" does not provide access to the MFA management console.
Steve BerkHolz commented
"Authentication administrator" does not give access to enable MFA.
Microsoft... come on... fix this please.
This is why we can't have nice things.
David Wykes commented
That doesn't seem to work; I granted a member of our helpdesk that role yesterday and the MFA link isn't available on a user details page.
They can't get into the MFA management page either.
Lennard Kuijten commented
The role "Authentication administrator" has already been available for this for almost a year.
Does this role not now cover this? Privileged authentication administrator allows you to view, set and reset authentication method information for any user (admin or non-admin). Also, if you are using MFA with Conditional Access (CA), then just create an exclude group in the CA policy for MFA, and when you need to stop the user from being prompted for MFA, add the user to the exclude group, which can be actioned by anyone who has access to the group, i.e. a normal helpdesk admin. I would also make sure you set up alerting on the group to make sure it is not being abused.
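The alerting on the exclude group suggested in the comment above could look like the following. This is an added example, not part of the original thread and not Microsoft's code. It assumes audit records simplified from the Microsoft Graph directoryAudit shape; the group id, the allow-list of helpdesk accounts and the 24-hour limit are hypothetical, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

EXCLUDE_GROUP_ID = "00000000-0000-0000-0000-00000000e0c1"  # placeholder group id
APPROVED_ACTORS = {"helpdesk1@example.com"}                 # hypothetical allow-list
MAX_EXCLUSION = timedelta(hours=24)                         # assumed policy limit

# Constructed sample records, shaped like Graph directoryAudit entries (simplified).
def _evt(ts, activity, actor, member):
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [
            {"type": "User", "userPrincipalName": member},
            {"type": "Group", "id": EXCLUDE_GROUP_ID},
        ],
    }

SAMPLE_EVENTS = [
    _evt("2020-04-01T09:00:00Z", "Add member to group", "helpdesk1@example.com", "alice@example.com"),
    _evt("2020-04-01T09:30:00Z", "Remove member from group", "helpdesk1@example.com", "alice@example.com"),
    _evt("2020-04-01T10:00:00Z", "Add member to group", "intern@example.com", "bob@example.com"),
    _evt("2020-04-01T11:00:00Z", "Add member to group", "helpdesk1@example.com", "carol@example.com"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_exclusions(events, now, group_id=EXCLUDE_GROUP_ID):
    """Flag additions by unapproved actors and exclusions left open too long."""
    alerts, open_since = [], {}
    for e in sorted(events, key=lambda e: e["activityDateTime"]):
        targets = e["targetResources"]
        if not any(t.get("type") == "Group" and t.get("id") == group_id for t in targets):
            continue  # event concerns another group
        member = next((t["userPrincipalName"] for t in targets if t.get("type") == "User"), None)
        actor = (e["initiatedBy"].get("user") or {}).get("userPrincipalName", "unknown")
        if e["activityDisplayName"] == "Add member to group":
            open_since[member] = _parse(e["activityDateTime"])
            if actor not in APPROVED_ACTORS:
                alerts.append(("unapproved_actor", member, actor))
        elif e["activityDisplayName"] == "Remove member from group":
            open_since.pop(member, None)  # exclusion closed, stop tracking
    for member, since in sorted(open_since.items()):
        if now - since > MAX_EXCLUSION:
            alerts.append(("exclusion_too_long", member, since.isoformat()))
    return alerts
```
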
Nathan Solomon commented
Having been on the roadmap for 2+ years -- it's past time to update the scheduled release for this change. When can we expect this change, Azure AD Team?