Allow the User Admin role to Enable/Disable MFA for users
Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Cheryl Ross commented
Is there a roadmap id for this User Admin Role work item?
Christopher Goff commented
How is this not a thing yet? Global admin should NOT be required for my helpdesk admins to unblock MFA.
without prejudice commented
Assigning a Helpdesk staff member "Authentication administrator" and "User Administrator" rights in Azure Active Directory admin center does not allow the Helpdesk staff member to Enable or Disable MFA.
It does appear to allow the Helpdesk staff member to "Require re-register MFA" and "Revoke MFA Sessions" and change "Authentication Contact Info" in Azure which is helpful once the user is setup.
This still means however that a Global Admin has to get involved in the creation of every new user to enable MFA or the Global Admin role needs to be given to Helpdesk which is extremely undesirable.
Please could you raise the priority on this request?
@magnus But I still can't ENABLE MFA for a User...
As some other users have pointed out, this feature is live. Go to Azure AD and assign your MFA admin the "Authentication Administrator" role.
The last update was on Nov 30, 2017. Is it still in roadmap?
Wow. I can't believe this has been complained about for over two years and all Microsoft can say is "It's on the Roadmap". Way to provide for your customers' needs!
Can we get someone looking at this issue at least? Over 60,000 users and three Global Admins. I have better things to do than do the job of my Helpdesk staff.
Please provide delegate access for MFA
Workaround - Grant to the Helpdesk Authentication Administrator permissions via the Azure AD. Then try to restore MFA via the Azure portal and not O365. https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
It is working fine.
Please provide delegate access for MFA
We need a solution for the service desk to disable MFA without losing the user's registered authentication methods, so they can work on the user's account or laptop, and then the ability to turn it back on, all without being an Enterprise Admin. I can't even get the bypass to work. I have made the service desk people Privileged Authentication Administrator.
Currently, with MFA+SSPR combined, when an admin goes to look up a user > Authentication methods in Azure AD, they can see and set only the user's phone.
It should at least show:
- if the user is enrolled in MFA cloud
- if so, what their default method is
- allow the admin to change the default method for the user, or set the user's default method to get the user started. For example, allow the admin to set a brand new user to have a default MFA method of phone call, and then the user can change the settings themselves afterwards in the MFA+SSPR portal.
- allow the admin to set a one-time bypass for a user on MFA
these admin options are available in MFA server, makes sense to have it in MFA cloud.
This role also needs the ability to enable/disable MFA for users, through the MFA page
Eric Periard commented
I use PowerShell to enable and enforce MFA with Auth Admin access, works fine.
I have attached a sample script.
You need to install the following modules: AzureAD and MSOnline.
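The attached script is not on this page. The block below is an added example, not Eric Periard's script, showing how per-user MFA state is set from PowerShell with the MSOnline module, and also covering the earlier request to disable MFA for a service desk session without losing the user's registered methods. It assumes the signed-in account holds a role that can write these properties (Authentication Administrator, according to the posts above, though reports in this thread differ) and that the MSOnline module is installed. The function names `Set-PerUserMfaState` and `Get-PerUserMfaState` are this example's own.

```powershell
# Added example (not the script attached above): manage per-user MFA state with MSOnline.
# Assumes the MSOnline module is installed and the signed-in account holds a role
# that can write StrongAuthenticationRequirements (Authentication Administrator per the thread).
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as the helpdesk / auth admin account

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )

    if ($State -eq 'Disabled') {
        # An empty requirements array switches per-user MFA off. Registered methods
        # (StrongAuthenticationMethods) are left intact, so switching it back on later
        # does not force the user to re-register. Only Reset-MsolStrongAuthenticationMethodByUpn
        # clears the registered methods.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    }
    else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'   # applies to all applications
        $req.State = $State       # 'Enabled' = user is asked to register; 'Enforced' = MFA required now
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    }
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = $state
        DefaultMethod     = ($u.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
        RegisteredMethods = ($u.StrongAuthenticationMethods | ForEach-Object MethodType) -join ','
    }
}

# Usage: switch MFA off for a support session, confirm the methods survived, then enforce again.
$upn = Read-Host -Prompt 'UPN of the user'
Set-PerUserMfaState -UserPrincipalName $upn -State Disabled
Get-PerUserMfaState -UserPrincipalName $upn   # RegisteredMethods should still be listed
Set-PerUserMfaState -UserPrincipalName $upn -State Enforced
Get-PerUserMfaState -UserPrincipalName $upn
```

`Get-PerUserMfaState` reports the enrollment state, the default method and the registered methods that the portal view described above does not expose. Note that setting the state to Enabled only prompts the user to register at next sign-in; Enforced is what actually requires MFA on every interactive sign-in.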
Mohamed Sbaa commented
1. Add the user to the role "Authentication Administrator".
2. Go to https://aad.portal.azure.com
3. Go to Users & select the concerned user.
4. In the left pane you will find "Authentication methods". Select that and you will be able to have the option to reset MFA or change the contact details.
It would be good for the Azure AD team to provide an official update on this. Some users are stating that "Authentication Administrator" works, others say it does not.
Just tried using the portal as "Authentication Administrator" and reset MFA for a user. It worked.
Albert Martinez commented
Didn't work for me. Only works with a "Global Admin" user.
Adding the role "Authentication Administrator" from AzureAD GUI or PowerShell doesn't work in a user with the "User Administrator" role.
The PS script worked, but it's just a workaround and I don't know why this simple role (which is active and can be applied) doesn't work.
1 - Assign "Authentication Administrator" to those who need it.
2 - Connect to Azure from PowerShell using the credentials of your service desk:
- Install the Azure modules for PowerShell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From PowerShell:
Import-Module MSOnline
Connect-MsolService   # sign in with the service desk account that holds Authentication Administrator
$user = Read-Host -Prompt "UPN to reset the MFA"
$user_get = Get-MsolUser -UserPrincipalName $user   # errors out if the UPN does not exist
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user   # clears the user's registered MFA methods
Only place online related... Can ANYONE tell me why "+ New Policy" would be greyed out for a Global Admin, when trying to setup this exact policy?