Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Nathan Solomon commented
We are trying to follow well-known guidelines to limit the use of Global Admins, for obvious reasons. This feature, which forces us to use GA to enroll users into MFA, is preventing us from narrowing our list of GA use. Please fix! Product features need to be aligned with generally accepted infosec guidelines.
I think it is stupid to grant Global Admin roles to my helpdesk team just to be able to manage MFA. This should get resolved soon by MSFT. This is killing us.
Hi Microsoft, please follow up on this!
We are struggling with role assignment; we cannot assign Global Admin to the whole helpdesk.
Please advise when this can be done.
Any update??? It has been on the roadmap since 2017.... now it is 2020 and we still need the Global Admin role to enable MFA. Helpdesk cannot enable MFA.
After opening a Microsoft Premier Support case, he said... it is on the roadmap.
Please fix this ASAP.
Iwan Hasan commented
I would also like to see a role that allows helpdesk to enable/disable MFA. The Authentication Admin role does not give access to the MFA page to do this.
What is the expected ETA of this change? Any updates or specifics as to which role this is, if it was implemented?
Our user admins cannot be assigned a global admin role in O365. They therefore cannot see any users who are MFA blocked under: Azure Active Directory > Security > MFA > Block/unblock users
My request to Microsoft is: PLEASE make MFA User Block/Unblocking more manageable
Per support: As of now, Dec 16 2019, only a Global Admin has rights to view this, and it's stored on the MFA backend, which does not connect to PowerShell in any way. This is a known issue for our Product Group as well, and there are some changes and/or additional administrative roles coming in the future to allow non-Global Administrators to handle such requests.
---> We were unable to get any ETA or further information on this timeline, however, which is not ideal as it gets us no closer to being able to manage these more easily and at scale.
In what other part of Azure AD can my admins at minimum VIEW users' MFA block/unblock status, without giving them other permissions to edit/change configurations, etc.? Is there not a role that even allows viewing this report, other than the Global Admin, which MS advises we (rightfully) guard and limit use of?
I would also like to see a role or role permissions to allow helpdesk to unblock MFA.
Cary Majors commented
Is there a timeline or Road Map item for this change? It seems it has been out there for over 2 years, but no action has been taken.
Irene Merkens commented
We need to have the possibility to delegate One-time bypass to admins without needing the Global Admin role.
Please raise the priority on this request; it is long overdue. We need a role for help desk staff to manage MFA. Assigning Global Admin for the administration of MFA is just plain crazy; we Global Admins have better things to do than to be bothered all the time customers call in to have their MFA reset. Get with the program MS.
There needs to be a role for security focused help desk personnel to perform this without giving the keys to the kingdom.
M Simone commented
Agreed. We want to avoid having to elevate as Global Admin as often as possible, especially since this type of activity will most likely be given to a help desk.
This method does not allow for the One-time bypass option.
Magnus Akerman commented
When can we expect this to be fixed for non-Global Admins?
Fix this for non-admin users in IT support.
This is already done; I have given the service desk rights to change MFA settings for users.
Zuiderduin, Mike commented
With "Authentication Administrator" I can change the MFA number. I cannot see the old number, but for the Service Desk that is not required.
Just as a heads up: requiring Global Admin so Help Desk users can unblock (not just enable/disable) MFA for non-privileged users causes a situation where Azure Active Directory does NOT meet the HITRUST Least Privilege requirements... so this can cause your organization to fail a HITRUST audit.
This MUST be fixed.