RBAC roles for Viewing/Modifying Authentication Info (MFA)
Currently, only Global Admins can view and modify the information in a user's account in the Authentication Info fields. This is problematic as we have people performing B2C support that are User Administrators and can't see or update the user's info in these fields to help troubleshoot access issues/MFA issues.
For users assigned the User Administrator role, allow them to view and modify the Authentication Info fields. They currently see grey fields that are empty.
This is currently possible. Could you please elaborate more on what you’re looking to achieve?
If you mark a user as a User Administrator, you can control all fields for the users in the directory.
R Artes commented
Try assigning the role "Privileged authentication administrator" to the helpdesk person. That worked for me. Must be a new role in Azure.
Come on MS! This MFA option to allow helpdesk operatives to enable/disable MFA has been requested for the past three years or more! Surely, it can't be that difficult to resolve. Please provide us frustrated admins with a resolution. This role should be available to add to a Customized Administrator. Soon as, please!!
Roy D commented
This seems to work, sort of.
The user can log in to portal.azure.com and search for any user. Then when they click on Authentication Methods they can "Require re-register MFA" and it will reset the config for that user. The problem is it doesn't give you the ability to ENABLE a user for MFA in the first place. So you can be requiring a re-register, but there is no way for that user to know if the user they are re-registering is even enabled.
Tom Paget commented
We are having issues right now with respect to adding our Desktop Team with permission to enable and disable Azure MFA for users. Please help!
John Schroeder @CofC commented
We have granted our helpdesk people 'Authentication Administrator' permanent role in PIM, but they are unable to view the authentication contact information in aad.portal.azure.com for any user.
Steve Zhu commented
I have been granted the "Authentication Administrator" role by Global Admin, but it is still not working.
Just test with Global Admin together.
Seems Global Admin is a mandatory requirement for MFA at this moment.
Hope @Azure AD Team can fix this ASAP.
Alberto Gutiérrez commented
Completely agree with everyone below. This has been under review for how long? Any reasoning for not granulating a security role to perform this day to day task? I have 20,000 users, and only one Global Administrator....
Hayden Greaves commented
Has anyone confirmed whether the 'Authentication Administrator' role works for this purpose, as described here?
Completely agree with everyone below. This has been under review for how long? Any reasoning for not granulating a security role to perform this day to day task? I have 50,000 users.....
It's been over 6 months since this request. Can we get an update? Currently us global admins have to take on what is a help desk day-to-day task.
mike baugh commented
Also need to be able to unblock/block a user.
Add option to Customized administrator choices so we do not give full access to our support person who adds and supports users.
Hey Azure AD Team - any update on this?
This really needs to be fixed and more granular.
brad hicks commented
This is also a problem for us and I agree with the comments below that this doesn't appear to be possible currently unless you are a Global Admin.
I would love for there to be an option to delegate this control to a User Admin or some other role that isn't a full Global Admin.
Martin Rudinec commented
"This is currently possible." - not true. User Administrator can't edit anything in the "Authentication contact info" bracket.
@Azure AD Team - not quite correct, it's not possible to edit the "Authentication contact info" section if the admin user is a member of the User Administrator role.
Same experience here. Azure support informed me the User Account Administrator role does not allow editing those properties. For the record, we are syncing from on-premises AD, which would understandably block us from editing some fields; I would think that the Authentication Contact Info fields shouldn't be included in that.
Please provide documentation and an example screenshot where this is actually working for a User Administrator as that is not our experience (same experience as the person that commented on July 01 2018 @ 18:52).
Since when has this been possible?
Users marked as a 'User Administrator' are unable to view, let alone edit, MFA settings.
See example by Anonymous January 07, 2018 23:05 (below)