Allow Privileged Authentication Administrator and Authentication Administrator to block/unblock MFA for users
Currently, only global administrator can block/unblock MFA for users. However, the global administrator has too much authority, so please allow other roles as well. I want Privileged Authentication Administrator and Authentication Administrator to be able to do these things.
The 'Authentication Policy Administrator' has too much permissions as well. Unblock MFA should be included in Authentication Administrator.
Paul Hugill commented
I think this is helped with a new role called 'Authentication Policy Administrator'.
I looking for the same thing and actually stumbled on it by accident when I saw the policy listed for 'Manage MFA Settings' here:
I tested that out and it works, however it does give the ability to change actual MFA settings like the Block on Fraud Report and other things related to it, so it may still be too high level a role for what you need.
It should solve our purpose though and is definitely better than Global Admin.
Laura Davis commented
this does not work at all.
We as tech support need this change to be made because not all of us can be global administrators. Thank you,
Eric Moore commented
Needs a Global Admin even to enable MFA :( - and then I get the auditors complaining about how many Global admins I have....