MFA unblock needs to be available to a role that is not a global admin user
Our user admins cannot be assigned a global admin role in O365. They therefore cannot see any users who are MFA blocked under: Azure Active Directory > Security > MFA > Block/unblock users.
My request to Microsoft is: PLEASE make MFA User Block/Unblocking more manageable.
Per support: As of now, Dec 16 2019, currently, only a Global Admin has rights to view this and it's stored on the MFA backend which does not connect to PowerShell in any way. This is a known issue for our Product Group as well, and there are some changes and/or additional administrative roles coming in the future to allow non-Global Administrators to handle such requests.
---> We were unable to get any ETA or further information on this timeline, however, which is not ideal, as it gets us no closer to being able to manage these more easily and at scale.
In what other part of Azure AD can my admins at minimum VIEW users' MFA Block/unblock status, without giving them other permissions to edit/change configurations, etc.? Is there not a role that even allows viewing this report, other than the Global Admin, which MS advises we (rightfully) guard and limit use of?
It should be so easy to create a role for that, Microsoft. It must be a security role, not a global admin role, so the security team can do the task without asking to be global admin in PIM. Kind of ridiculous when you think about that kind of security. You need to be god to unlock a user for MFA.