Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
I believe you can enforce MFA using Conditional Access policies and assigning them to your AD groups. This way your User admins can just add people to the groups to apply MFA to their accounts without the need for global admin role.
Enabling MFA directly (which needs global admin role) on a user account overrides any Conditional Access policies.
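As an added example (not part of any comment in this thread), the group-based Conditional Access approach described above can be set up once by a Conditional Access administrator with the Microsoft Graph PowerShell SDK; after that, a User Administrator only has to add people to the group. The group name, policy name and break-glass account below are placeholders, and the policy is created in report-only mode first so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example, not from this thread. Requires the Microsoft.Graph PowerShell
# module. Group name, policy name and the emergency-access UPN are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

$groupName     = 'SG-Require-MFA'                       # assumed group; User Admins add members here
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # assumed emergency-access account to exclude

$group = Get-MgGroup -Filter "displayName eq '$groupName'" -ErrorAction Stop
if (-not $group) { throw "Group '$groupName' not found" }
$breakGlass = Get-MgUser -UserId $breakGlassUpn -ErrorAction Stop

$policy = @{
    displayName   = "Require MFA for members of $groupName"
    # Report-only first; change to 'enabled' once the sign-in logs show the expected impact.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)   # never lock the emergency account out
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify that the stored policy really targets the group.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.IncludeGroups -notcontains $group.Id) {
    throw 'Policy was created but does not target the expected group'
}
```

Note that this only changes which users the policy applies to; a user who already has per-user MFA set is evaluated by that setting as well, which is the interaction the comment above warns about.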
In our company, the HR Team manages users and their access. They are not tech-savvy enough to write PowerShell scripts. Unless we enable Global Admin permissions for these guys, they are unable to enable MFA. We gave them the Authentication Administrator role, but it is not working. Could you please let us know if there is any other role available to give them permissions to enable MFA for non-admin users?
Ed McKinzie commented
We opened a case on this and we received the following instructions that allow non-Global Admin accounts to disable/enable MFA using PowerShell as long as they are members of the Authentication Administrator and Privileged Authentication Administrator RBAC roles.
From the MS Engineer:
"I could not find the required permissions documented and, apparently, the Graph API does not support MFA configuration. However, while doing some tests, I came to the conclusion that the Authentication Admin and the Privileged Authentication Admin can enable/disable MFA via PowerShell. Please check the available documentation to enable/disable MFA using PowerShell and the MSOnline module:
# Requires the MSOnline module; run Connect-MsolService first as the admin account
#Enable MFA for specific user
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"   # "Enforced" is the other valid value; "Enabled" prompts the user to register
$sta = @($st)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements $sta
#Disable MFA for specific user (an empty requirements array clears per-user MFA)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements @()"
Hope this helps others that had similar issues. There are requests in to the product group to get this feature allowed in the Azure WEB UI.
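As an added example, not part of the comment above or of Microsoft's documentation, here is the same MSOnline call wrapped so that a helpdesk operator can run it safely: it reads the user's current per-user MFA state first, only writes when the state actually changes, supports the Enforced state as well as Enabled, and re-reads the user afterwards to confirm the write took effect (a silent no-op is what an under-privileged role produces in practice). It assumes the MSOnline module is installed (Microsoft has since deprecated it in favour of Microsoft Graph), that Connect-MsolService has already been run as an account holding the Authentication Administrator or Privileged Authentication Administrator role, and the UPNs in the list at the bottom are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes an existing Connect-MsolService
# session with the Authentication Administrator role; UPNs are placeholders.

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req  = $user.StrongAuthenticationRequirements
    # No requirement object at all means per-user MFA is off for this account.
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State    # 'Enabled' (must register) or 'Enforced' (registered, always challenged)
}

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    $before = Get-PerUserMfaState -UserPrincipalName $UserPrincipalName
    if ($before -eq $State) {
        Write-Host "$UserPrincipalName is already $State; nothing to do"
        return
    }

    if ($State -eq 'Disabled') {
        $sta = @()      # empty array clears per-user MFA, as in the engineer's disable example
    } else {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = '*'
        $st.State = $State
        $sta = @($st)
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $sta -ErrorAction Stop

    # Re-read: a role without the right permission can fail without an error, so never trust the write alone.
    $after = Get-PerUserMfaState -UserPrincipalName $UserPrincipalName
    if ($after -ne $State) {
        throw "$UserPrincipalName still reports '$after' after requesting '$State'; check the role of the signed-in admin"
    }
    Write-Host "$UserPrincipalName : $before -> $after"
}

# Constructed sample batch, e.g. the day's new starters handed over by HR.
$newStarters = @(
    'alice@contoso.onmicrosoft.com',
    'bob@contoso.onmicrosoft.com'
)
foreach ($upn in $newStarters) {
    try   { Set-PerUserMfaState -UserPrincipalName $upn -State 'Enabled' }
    catch { Write-Warning $_.Exception.Message }
}
```

The read-back is the important part: when the thread's commenters say a role "didn't work", the symptom is usually that Set-MsolUser returns without complaint and the user's state is unchanged, which this function turns into a visible error.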
You only require a user with Exchange Admin rights and a PowerShell script to enable/disable MFA.
Or, at minimum, Privileged Authentication Admin.
Xu, Andy commented
We do need the User Admin role to own the rights to enable/disable MFA for users.
Allow the User Admin role to Enable/Disable MFA for users.
Your link describes how to reset MFA passwords not disable or enable. Also on that page, if you had to delete MFA passwords to resolve an issue "Global administrator permissions are required to perform this action."
Dennis Aanen commented
This is available now, see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
A new role Authentication Administrators has been created.
Javier Ornelas commented
My goodness, this needs to be corrected. We have a person who is fairly new to IT and we would like her to set up accounts and MFA. As others have said, I don't want her to only go so far and then have the global admins set up MFA. That does not make sense.
After 2 years, I'm not very hopeful that this is going to be changed.
My God, this needs to be resolved as soon as possible, it is very complicated to work like this.
Planned since 2017... still not implemented. How can I justify my helpdesk staff having global rights to administer MFA and inversely I do not want to be lumbered with setting this up for every new member of staff.
What I also don't understand is that the 'Authentication Admin' role's info even says it can administer MFA... which it can't.
Please sort this out ASAP.
Hi, I tried it now, but even if the user was a User Admin (and also Auth Admin) it didn't work.
Can they Enable/Disable?
Rakesh Vijayan commented
User administrator role can revoke/reset MFA now
Microsoft, please solve this and make it easier so a Helpdesk Admin can enable MFA for users. We cannot give Global Admin rights just for enabling MFA.
Sumeet Kumar commented
I think the Azure AD Authentication Administrator has the privilege to revoke MFA, require re-register MFA and reset user password. However, enabling/disabling MFA is still a job only a Global Administrator can do. Why can't the Authentication Administrator have this right?
Which "roadmap" is this on? Because we could have walked around the globe 3 times since this was slated to be 'on the roadmap'. Just sayin.
Akhtar Rahmetulla commented
This is crucial to ensure we limit the number of Global Admins.
Kelli Page commented
I need to be able to enable/enforce MFA without being a Global Admin.
Ray Ross commented
This 100% should be in the user admin role. Please follow up Microsoft.
It should be so easy to create a role for that, Microsoft. It must be a security role, not a Global Admin role, so the security team can do the task without asking to be Global Admin in PIM. Kind of ridiculous when you think about that kind of security: you need to be god to unlock a user for MFA.