Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
And adding users to those 2 groups does NOT allow them to view MFA status.
Please add this basic functionality yesterday.
I have these roles and still can't enable/disable MFA for a user.
Allan Warner commented
I have just had an admin get around this issue by using PowerShell. I am guessing it's a bug in the UI that just disables access to the MFA page(s).
His roles were...
Service support administrator
Skype for Business administrator
Teams Communications Administrator
Teams Communications Support Engineer
Teams Communications Support Specialist
Teams Service Administrator
Not sure why this works, but the portal doesn't... Is it just a portal bug?
This is the script they used.
# Requires the MSOnline module and a session opened with Connect-MsolService
Import-Module MSOnline
Connect-MsolService
# Build a per-user MFA requirement that applies to all relying parties ("*")
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"   # "Enabled" (user must register) or "Enforced" (MFA required at sign-in)
$sta = @($st)
# Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -StrongAuthenticationRequirements $sta
Taken from the MS page.
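As an added example (not code from the original post or from Microsoft's documentation), the same MSOnline cmdlets the script above uses, wrapped so an account that is permitted to run them can read a user's per-user MFA state, set it to Disabled/Enabled/Enforced, and clear the registered methods so the user has to re-register. The module, cmdlet and property names (Get-MsolUser, Set-MsolUser, StrongAuthenticationRequirements, StrongAuthenticationMethods) are the real MSOnline ones; the function names, the example UPN and the -WhatIf support are assumptions of this example.

```powershell
# Added example: per-user MFA state via the legacy MSOnline module.
# Assumes MSOnline is installed and the signed-in account may run Get-MsolUser / Set-MsolUser.
# Function names and the sample UPN are hypothetical.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # An empty StrongAuthenticationRequirements collection means per-user MFA is Disabled;
    # otherwise State is "Enabled" (must register) or "Enforced" (MFA required at sign-in).
    $req = @($user.StrongAuthenticationRequirements)
    $state = if ($req.Count -eq 0) { 'Disabled' } else { $req[0].State }
    $methods = @($user.StrongAuthenticationMethods)
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        State             = $state
        DefaultMethod     = ($methods | Where-Object IsDefault | Select-Object -ExpandProperty MethodType)
        MethodCount       = $methods.Count
    }
}

function Set-PerUserMfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    if ($State -eq 'Disabled') {
        # Passing an empty array removes the requirement, i.e. turns per-user MFA off.
        $requirements = @()
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $State
        $requirements = @($req)
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set per-user MFA state to $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
    }
}

function Reset-PerUserMfaMethods {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Clearing StrongAuthenticationMethods makes the user register MFA methods again at next
    # sign-in; it does not change the Enabled/Enforced state itself.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear registered MFA methods')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
    }
}

# Usage with a hypothetical UPN: show the state, enforce MFA, verify, then dry-run a reset.
$upn = 'firstname.lastname@example.org'
Get-PerUserMfaState -UserPrincipalName $upn
Set-PerUserMfaState -UserPrincipalName $upn -State Enforced
Get-PerUserMfaState -UserPrincipalName $upn
Reset-PerUserMfaMethods -UserPrincipalName $upn -WhatIf
```

Because the write operations support -WhatIf, a helpdesk runbook can be rehearsed before it touches a user. These cmdlets belong to the legacy MSOnline module, so treat the script as a stopgap for per-user MFA; the Conditional Access route Microsoft mentions earlier in the thread is the direction they point tenants toward.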
Hashokmi Pheirim commented
Global Admin cannot be given just for administering MFA. This also goes against the security compliance controls for some organizations, where Global Admin access is limited to a small set of users and not to the entire IT helpdesk team.
After 3 years they copy/paste the same update? How about addressing the request from nearly 5 years ago? Just had a user dead in the water for hours because my team has every single role BUT Global Admin, and therefore could not disable MFA. Ridiculous.
Yves Gut commented
Hello everybody. After assigning the role "Privileged authentication administrator" to our helpdesk employees, they were able to require re-registering or revoke MFA sessions.
But we really need a way for the helpdesk to enable or disable MFA on AAD users.
We hope that this can be implemented quickly.
+1 for allowing User Administrators the ability to unblock those who have reported fraud alerts and so been blocked. Only granting this ability to Global Administrators doesn't really fit a model where user administration is undertaken by a service desk.
johnny nazzal commented
Troy Ridgley commented
The Authentication administrator and Privileged authentication administrator roles have NOTHING to do with this issue. Not sure why Microsoft is posting this as something planned. We have service desk folks in these roles and they do not have the permissions to unblock users.
Pete Lill commented
Authentication admin and Priv auth admin don't have the ability to issue OATH tokens, which we are using for situations where an employee is not legally allowed to enter a gov facility with a mobile device. So I have 100+ service desk people added as Global Admins; hopefully none of them decide to delete my entire tenant or something.
A limited role that allows 1st level & field support teams the ability to reset MFA (nothing more) would be extremely helpful.
Many times, field support teams need to have an MFA reset (require selected users to provide contact methods again & restore multi-factor authentication on all remembered devices) on the spot to assist end users at that point in time. These field support teams are forced to submit a ticket to 1st level support who in turn sends it to the O365 Admins to take action. 1st level support needs MFA reset to assist end user...they send ticket to O365 Admins to reset MFA and then the ticket is sent back to 1st level to contact the client to complete the request. Could be much more efficient allowing MFA resets at those 2 levels...no other bells and whistles.
It does not make sense to grant the Global Admin role to the service desk to unblock a user (under Azure AD -> Security -> MFA -> Unblock user).
Apart from that, there is no API to expose this functionality, so we have to use the UI, and it requires the most powerful role in Office 365. It does not make sense at all.
Johnny Levring commented
Come on Microsoft! Are you serious? I need to grant my entire IT Support team (25+ members) Global Admin role, just to go to the Block/unblock MFA users - come on!
But can these new roles block/unblock users' MFA? Thanks.
We need this asap!
Shrikant Sharma commented
Managing MFA-related issues, such as reviewing the logs to understand any MFA-related issues, unblocking a user from MFA, etc., should be made available via a separate role vs. needing a Global Admin.
Bill Gates told me to tell you that this should have been fixed in 2017. He's pretty upset. You might want to get the ball rolling.
I have had an admin that has stolen money. So how do I get out of that admins possession. I am denied an email and I am not allowed a private conversation or to drive my own $40,000.00 car. I do not think this is an off the wall question. I need help in getting out of Azure but I have asked over and over with no follow through from you. Can you please help me get out of Azure. This has been a very unhealthy situation for me. I need help
Wayne Day commented
So this feature has been on the roadmap for over 2 years? This is a no brainer! We need a user admin role to Enable/Enforce/Disable MFA without being a global admin.