Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
Ben Virkler
shared this idea
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
242 comments
-
Cheryl Ross
commented
Is there a roadmap id for this User Admin Role work item?
-
Christopher Goff
commented
How is this not a thing yet? Global admin should NOT be required for my helpdesk admins to unblock MFA.
-
without prejudice
commented
Assigning a Helpdesk staff member "Authenication administrator" and "User Administrator" rights in Azure Active Directory admin center does not allow the Helpdesk staff member to Enable or Disable MFA.
It does appear to allow the Helpdesk staff member to "Require re-register MFA" and "Revoke MFA Sessions" and change "Authentication Contact Info" in Azure which is helpful once the user is setup.
This still means however that a Global Admin has to get involved in the creation of every new user to enable MFA or the Global Admin role needs to be given to Helpdesk which is extremely undesirable.
Please could you raise the priority on this request?
-
Rob
commented
@magnus But I still cant ENABLE MFA for a User...
-
Magnus
commented
As some other users have pointet out, this feature is live, go to Azure AD and assign your MFA admin the "Authentication Administrator" role.
-
Raja
commented
The last update was on Nov 30, 2017. Is it still in roadmap?
-
Anonymous
commented
Wow. I can't believe this has been complained about for over two years and all Microsoft can say is 'It's on the Roadmap'. Way to provide for your customer's needs!
Can we get someone looking at this issue at least? over 60000 users and three Global Admins. I have better things to do than do the job of my Helpdesk staff.
-
Raja
commented
Please provide delegate access for MFA
-
Jake
commented
Workaround - Grant to the Helpdesk Authentication Administrator permissions via the Azure AD. Then try to restore MFA via the Azure portal and not O365. https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
It is working fine. -
Shanmuganathan
commented
Please provide delegate access for MFA
-
Anonymous
commented
We need a solution for service desk to disable mfa without losing registered methods of authentication. so they can work on the users account or laptop. Then the ability to turn it back on. all this without being a Enterprise Admin. I cant even get the bypass to work. I have made the service desk people Privileged authentication administrator.
-
William
commented
currently with MFA+SSPR combined; when an admin goes to look up a user > Authentication methods in Azure AD. They can see and set only the users phone.
It should atleast show:
- if the user if enrolled in MFA cloud
- if so, what is their default method
- allow the admin to change the default method for the user or set the user's default method to get the user started. for example, allow the admin to set a brand new user to have default mfa method of phone call, and then the user can go change settings themselves afterwards in the mfa+sspr portal.
-allow admin to set one-time bypass for user on mfathese admin options are available in MFA server, makes sense to have it in MFA cloud.
-
Anonymous
commented
This role also needs the ability to enable/disable MFA for users, through the MFA page
-
Eric Periard
commented
I use PowerShell to enable and enforce MFA with Auth Admin access, works fine.
I have attached a sample scripts.
You need to install the following modules: AzureAD and MSOnline.
G'day!
-
Mohamed Sbaa
commented
1. Add the user to the role "Authentication Administrator".
2. Go to https://aad.portal.azure.com
3. Go to Users & select the concerned user.
4. In the left pane you will find "Authentication methods". Select that and you will be able to have the option to reset MFA or change the contact details. -
MikeN
commented
It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.
-
Michael
commented
Just tried using the portal as "Authentication Administrator" and reset MFA for a users, it worked.
-
Albert Martinez
commented
Didn't work for me. Only works with a "Global Admin" user.
Adding the role "Authentication Administrator" from AzureAD GUI or PowerShell doesn't work in a user with the "User Administrator" role.
The PS script worked, but it's just a workaround and don't know why this simple Role (which is active and can be applied) doesn't work.
Working script: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#use-powershell
-
Nahuel
commented
From Powershell:
1 - Assign "Authentication Administrator for those you need:-Assign Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-manage-roles-portal
2 - Connect to Azure from powershell using the credential of your service desk:
- Install Azure modules for powershell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From powershell
Connect-AzureAD
Connect-MsolService
$user = Read-Host -Promt "UPN to reset the MFA"
$user_get = Get-MsolUser -UserPrincipalName $user
$user_get.StrongAuthenticationMethods
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user -
Michael
commented
Only place online related... Can ANYONE tell me why "+ New Policy" would be greyed out for a Global Admin, when trying to setup this exact policy?
