How can we improve Azure Active Directory?

← Azure Active Directory

Allow the User Admin role to Enable/Disable MFA for users

Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

1,440 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Ben Virkler shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
planned  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

We have released the Authentication administrator and Privileged authentication administrator roles that can manage the authentication methods of the user. If you are using Azure AD Premium, consider enforcing MFA on the user using Conditional Access. We are continuing to work on other roles that will let you manage other MFA settings.

Show previous admin responses (1)

284 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Thomas Cannervall commented  ·   ·  Flag as inappropriate

    Did something similar to Claudia Wilson
    You can use Privilieged Authentication Administrator Role to reset mfa. You can ofcourse use this with PIM or whatever.

    Yesterday I set-up a reset flow with Automation Accounts (Azure Automate) -> power automate -> power app to handle reset of MFA by support agents.

    I created a service account with Priviliged Authentication Admin role, imported msol module in the automation account and created a pretty basic ps runbook

    Param (
    [Parameter (Mandatory= $true, HelpMessage = "Email of the user to reset MFA for")]
    [String]$UserEmail,
    [parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
    [string]$AuthUser
    )
    $ErrorActionPreference = 'Stop'
    Try {
    $creds = Get-AutomationPSCredential -Name '<redacted>'
    Connect-MsolService -Credential $creds
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
    }
    Catch {
    $ErrorMessage = $_.Exception.Message
    Write-Output "Reset MFA for user $UserEmail Failed. the error is: $ErrorMessage"
    }

    Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and ofcourse access to app flow.

    Hope it helps someone

  • Claudia Wilson commented  ·   ·  Flag as inappropriate

    Just so everyone knows, there is a different PIM role that works, Authentication admin. You do have to Powershell it however if you aren't global. I believe this makes the Require user reregister MFA work also in the azure portal. not sure though. I attached the script we use to do so if this helps anyone.

    To note, this also adds the user to a group attached to our sign in risk policy. Hope this helps someone :)

  • Rich Raynes commented  ·   ·  Flag as inappropriate

    What we need here people is obviously more votes. Send this to your friends and co-workers. 1035 votes since 2015 isn't going to catch any attention.

  • Brad Cash commented  ·   ·  Flag as inappropriate

    Please add this soon. I shouldn't have to ask a GA to enable/disable users all of the time. They have plenty of other important things to do.

  • Abed Farah commented  ·   ·  Flag as inappropriate

    Microsoft... You forced the default policy on CSP partners and this needs to be fixed ASAP.
    Thank you!

  • Stephen commented  ·   ·  Flag as inappropriate

    Same challenge for us. This limitation even makes PIM a challenge bc support staff have to keep asking for GA rights just to enable MFA for users.

  • Michelle Watson commented  ·   ·  Flag as inappropriate

    When will this be available to User Administrators? Based on best practices recommended by Microsoft we limit our Global Administrators. However, our IAM team needs to be able to enable MFA authentication. So, again, when will this be available?

  • Jon commented  ·   ·  Flag as inappropriate

    I can confirm the same experience as David Wykes. Assigned "Authentication Administrator" does not provide access to the MFA management console.

1 2 4 6 14 15

Azure Active Directory: Multi-factor Authentication

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice