Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.
Just tried using the portal as "Authentication Administrator" and reset MFA for a user, it worked.
Albert Martinez commented
Didn't work for me. Only works with a "Global Admin" user.
Adding the role "Authentication Administrator" from the AzureAD GUI or PowerShell doesn't work for a user with the "User Administrator" role.
The PS script worked, but it's just a workaround and I don't know why this simple Role (which is active and can be applied) doesn't work.
1 - Assign "Authentication Administrator" for those you need:
2 - Connect to Azure from powershell using the credential of your service desk:
- Install Azure modules for powershell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From PowerShell
# Ask for the user to reset; -Prompt was misspelled as -Promt in the original
$user = Read-Host -Prompt "UPN to reset the MFA"
# Look the account up first so a mistyped UPN fails here rather than at the reset
$user_get = Get-MsolUser -UserPrincipalName $user -ErrorAction Stop
# Clear the user's registered strong-authentication methods
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user
Only place online related... Can ANYONE tell me why "+ New Policy" would be greyed out for a Global Admin, when trying to setup this exact policy?
It's still not fixed, a PFE told us to enable the Auth Admin role, that also does not work.
Still on the roadmap?
This is absolutely absurd. How can something like this be on the "Roadmap" for 2 years? It's a simple request- take one of your existing "User Admin" roles, and give it the ability to enable or disable MFA- not just "Clear" and "Revoke"; that is only half of the problem.
"Anonymous commented · February 4, 2019 7:03 PM
Use the steps detailed using Powershell.
Global Admin perms are not needed. But you have to be a User Management Admin."
I can confirm this works - non global administrator can enable/disable/enforce MFA for users via Powershell, though no option to through GUI and access denied via URL to MFA site.
Come on MS - can't be that hard to implement the change to allow a different admin group...
@J. Por - our Helpdesk team has the "User Administrator" role and the PowerShell method is working for them. At the moment, not everyone knows about the PowerShell workaround and to my knowledge, this workaround is not publicly published by Microsoft. Hopefully this tip helps all the other frustrated Azure admins in the world. I know we were jumping for joy when we accidentally discovered this well kept secret 6 months ago.
Chetan Rao commented
When would this new feature come in? Is there a timeline for it?
J. Por commented
@bthai If you can Enable/Disable MFA for a user via PowerShell without, that's news to me, and it must not use the Authentication Admin Role or the User Admin Role, so which Role is it @bthai?
For those who haven't figured it out by now-- you can Enable/Disable MFA for users by using PowerShell (NO Global Admin role needed, I repeat, NO Global Admin role needed)
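An added example, not code from any poster in this thread, showing the per-user Enable/Enforce/Disable step the comments above describe next to the reset step from the earlier numbered list. It assumes the MSOnline module is installed and a Connect-MsolService session already exists for the delegated (non-Global Admin) account; the function names are mine.

```powershell
#Requires -Modules MSOnline
# Assumes Connect-MsolService has already been run with the delegated admin account.

function Get-MfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req = $u.StrongAuthenticationRequirements
    # An empty requirements collection means per-user MFA is disabled.
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State   # 'Enabled' or 'Enforced'
}

function Set-MfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Disabled') {
        # Disabling per-user MFA means clearing the requirements collection entirely.
        $requirements = @()
    } else {
        $sta = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $sta.RelyingParty = '*'     # applies to all relying parties
        $sta.State = $State
        $requirements = @($sta)
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set per-user MFA to $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
        # Read the state back so the caller sees what took effect, not just what was requested.
        return Get-MfaState -UserPrincipalName $UserPrincipalName
    }
}

function Reset-MfaMethods {
    # Same operation as the reset script earlier in the thread, wrapped for reuse.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop | Out-Null
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName
}

# Usage: check, then dry-run an enable; drop -WhatIf to apply.
$upn = Read-Host -Prompt 'UPN of the user'
"Current state: $(Get-MfaState -UserPrincipalName $upn)"
Set-MfaState -UserPrincipalName $upn -State Enabled -WhatIf
```

Run Get-MfaState with the delegated account first: if Set-MsolUser is refused for that role in your tenant, the read-back shows the state unchanged and you know the workaround is not available to you.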
Sean Stark commented
Alfredo Ramos commented
Managing MFA settings for users under AAD>Security>MFA should also fit the scope of an Authentication Administrator role. There needs to be another role(s) besides Global Admin access that allows these changes.
Tom Atkinson commented
The Authentication Administrator role seems to be very limited in scope. You can require that users re-validate, but you can't enable or disable MFA for a user. This solution does not meet our organization's expectations or needs. More simply stated, it does not address the title of Ben Virkler's feedback thread from October 5, 2015: "Allow the User Admin role to Enable/Disable MFA for users"
Ludovic Bernard commented
No, we tried it, the User Admin with the Authentication Role cannot activate MFA for a standard user... A User Admin still needs to be Global Admin to do that... nonsense...
So still no option to actually Enable Azure MFA for users with the Authentication Administrator role?
LaValley, Eric commented
Can confirm the Authentication Administrator role works but you need to follow the steps listed by G. Hendriksen.
"You have to reset MFA for a user via: AzureAD > Users > Select a specific User > Authentication methods.
Here are two options listed:
1. Require validation: Require that users must verify their currently registered authentication methods.
2. Revoke MFA: If a user has chosen to remember MFA on a familiar device, clear the stored information. The user must redo MFA the next time it's required."
Seems to work ok for me. I've assigned Authentication Administrator role via PIM and once user requests elevation the MFA options are visible via AAD.
Looks like this may finally be sorted! :)