295 votes · 35 comments · Azure Active Directory » Multi-factor Authentication
The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
105 votes · 17 comments · Azure Active Directory » Multi-factor Authentication
StrongAuthentication data can be read via PowerShell, but StrongAuthenticationUserDetails can’t be set via PowerShell. It is planned to expose the StrongAuthentication data via Graph, but no ETA to provide yet.
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
MSOnline's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview modules do not expose any StrongAuthentication data.
The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.
Please fix this, or provide an update as to when it will be fixed.
254 votes · 30 comments · Azure Active Directory » Role-based Access Control
We have released a public preview of custom roles with support for a handful of permissions related to managing application registrations. We’re now working on support for enterprise application management permissions, and will continue to release more permissions iteratively over time.
We very much appreciate all of your feedback here. We’re not done yet, so please keep letting us know what you think and where we can improve.
Azure Active Directory team
Currently only global admins can manage MFA, i.e. only global admins can enable or disable MFA on an account. Delegation of MFA Administration to a Help Desk role would be a boon for our support teams.
837 votes · 175 comments · Azure Active Directory » Multi-factor Authentication
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Delegation of Azure MFA administration is *desperately* needed. Personal experience: I've got 300+ users enrolled now, and *all* of the Help Desk ticket requests for MFA issues are bypassing Tier 1 and Tier 2 support, and landing right in our Global Admins' laps. This is a terribly inefficient use of resources and frequently results in sub-optimal customer service experiences.
57 votes · 9 comments · Azure Active Directory » Multi-factor Authentication
There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.
Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.
58 votes · 7 comments · Azure Active Directory » Multi-factor Authentication
We’ll take this into consideration as we plan new features. In the short term, we are working on Graph APIs that will allow you to change phone numbers in the StrongAuthentication fields.