paul

My feedback

  1. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    paul shared this idea  · 
  2. 4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Thanks for your feedback and its now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

    paul supported this idea  · 
  3. 807 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:

    https://docs.microsoft.com/graph/api/resources/authenticationmethods-overview

    So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).

    The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.

    paul shared this idea  · 
    An error occurred while saving the comment
    paul commented  · 

    Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

    MSOnline's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

    Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

    The new AzureAD and AzureaDPreview module do not expose any StrongAuthentication data.

    The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.

    Please fix this, or provide an update as to when it will be fixed.

  4. 312 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Hi folks,
    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Regards,
    Vince Smith
    Azure Active Directory Team

    An error occurred while saving the comment
    paul commented  · 

    Currently only global admins can manage MFA, i.e. only global admins can enable or disable MFA on an account. Delegation of MFA Administration to a Help Desk role would be a boon for our support teams.

    paul supported this idea  · 
  5. 1,245 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    An error occurred while saving the comment
    paul commented  · 

    Delegation of Azure MFA administration is *desperately* needed. Personal experience: I've got 300+ users enrolled now, and *all* of the Help Desk ticket requests for MFA issues are bypassing Tier 1 and Tier 2 support, and landing right in our Global Admin's laps. This is terribly inefficient use of resources and frequently results in sub-optimal customer service experiences.

    paul supported this idea  · 
  6. 77 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

    paul shared this idea  · 
  7. 67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  Azure AD Team responded

    We’ll take this in consideration as we plan new features. In the short term, we are working on Graph API‘s that will allow you to change phone numbers in the StrongAuthentication fields.

    Richard

    paul supported this idea  · 

Feedback and Knowledge Base