Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.
Thomas Cannervall commented
Did something similar to Claudia Wilson
You can use Privilieged Authentication Administrator Role to reset mfa. You can ofcourse use this with PIM or whatever.
Yesterday I set-up a reset flow with Automation Accounts (Azure Automate) -> power automate -> power app to handle reset of MFA by support agents.
I created a service account with Priviliged Authentication Admin role, imported msol module in the automation account and created a pretty basic ps runbook
[Parameter (Mandatory= $true, HelpMessage = "Email of the user to reset MFA for")]
[parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
$ErrorActionPreference = 'Stop'
$creds = Get-AutomationPSCredential -Name '<redacted>'
Connect-MsolService -Credential $creds
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
$ErrorMessage = $_.Exception.Message
Write-Output "Reset MFA for user $UserEmail Failed. the error is: $ErrorMessage"
Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and ofcourse access to app flow.
Hope it helps someone
Claudia Wilson commented
Just so everyone knows, there is a different PIM role that works, Authentication admin. You do have to Powershell it however if you aren't global. I believe this makes the Require user reregister MFA work also in the azure portal. not sure though. I attached the script we use to do so if this helps anyone.
To note, this also adds the user to a group attached to our sign in risk policy. Hope this helps someone :)
Rich Raynes commented
What we need here people is obviously more votes. Send this to your friends and co-workers. 1035 votes since 2015 isn't going to catch any attention.
Inigo Flores commented
Need this too ASAP, to assist remote workers during the Covid-19 lock down.
Alberto Bottacin - Ipertrade Srl commented
Hi Microsoft, please follow up for this!
Need this ability
Any update on this?
Ben Roberts commented
How is it possible that it's taken over 4 years to fix this issue?
Brad Cash commented
Please add this soon. I shouldn't have to ask a GA to enable/disable users all of the time. They have plenty of other important things to do.
Abed Farah commented
Microsoft... You forced the default policy on CSP partners and this needs to be fixed ASAP.
adding a comment so I can track the thread
Same challenge for us. This limitation even makes PIM a challenge bc support staff have to keep asking for GA rights just to enable MFA for users.
Michelle Watson commented
When will this be available to User Administrators? Based on best practices recommended by Microsoft we limit our Global Administrators. However, our IAM team needs to be able to enable MFA authentication. So, again, when will this be available?
Kris Debkowski commented
Assigned "Authentication Administrator" does not provide access to the MFA management console
I can confirm the same experience as David Wykes. Assigned "Authentication Administrator" does not provide access to the MFA management console.
Steve BerkHolz commented
"Authentication administrator" does not give access to enable MFA.
Microsoft... come on... fix this please.
This is why we cant have nice things.
David Wykes commented
That doesn't seem to work, i granted a member of our helpdesk that role yesterday and the MFA link isn't available on a user details page.
They can't get into the MFA management page either
Lennard Kuijten commented
The role "Authentication administrator" is already available for this since almost a year.