1,286 votes · 247 comments · Azure Active Directory » Multi-factor Authentication
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Ed McKinzie commented
We opened a case on this and we received the following instructions that allow non-Global Admin accounts to disable\enable MFA using PowerShell as long as they are members of the Authentication and Privilege Authentication RBAC roles.
From the MS Engineer:
"I could not find the required permissions documented and, apparently, Graph API does not support MFA configuration. However, while doing some tests, I came to the conclusion that the Authentication Admin and the Privilege Authentication Admin can enable/disable MFA via PowerShell. Please check the available documentation to enable/disable MFA using PowerShell and the MSOnline module:
#Enable MFA for specific user
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements $sta
#Disable MFA for specific user
Set-MsolUser -UserPrincipalName BrianJ@M365x088345.OnMicrosoft.com -StrongAuthenticationRequirements @()
Hope this helps others that had similar issues. There are requests in to the product group to get this feature allowed in the Azure WEB UI.
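Since the comment above reports that two roles other than Global Admin can switch per-user MFA off, a tenant owner may want to review who holds those roles and which accounts currently have no per-user MFA requirement. The read-only audit below is an added example, not part of the original comment or of Microsoft's instructions; it assumes the same MSOnline module is installed, and the role display names passed to Get-MsolRole are assumptions to adjust for your tenant.

```powershell
# Added example: read-only audit with the MSOnline module used in the comment above.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an account allowed to read the directory

# Assumed display names of the two roles named in the comment.
$roleNames = 'Authentication Administrator', 'Privileged Authentication Administrator'

# 1. Who can change MFA settings through these delegated roles?
$delegates = foreach ($name in $roleNames) {
    $role = Get-MsolRole -RoleName $name
    if (-not $role) {
        Write-Warning "Role '$name' was not found in this tenant; check the name."
        continue
    }
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{ n = 'Role'; e = { $name } }, DisplayName, EmailAddress
}

# 2. Per-user MFA state. An empty StrongAuthenticationRequirements collection is
#    what "Set-MsolUser ... -StrongAuthenticationRequirements @()" leaves behind.
$mfaReport = Get-MsolUser -All | ForEach-Object {
    $state = $_.StrongAuthenticationRequirements |
        Select-Object -First 1 -ExpandProperty State
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = if ($state) { $state } else { 'Disabled' }
    }
}

# 3. Report: role holders first, then accounts with no per-user MFA requirement.
$delegates | Sort-Object Role, DisplayName | Format-Table -AutoSize
$mfaReport |
    Where-Object { $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

This only covers the per-user MFA setting shown in the comment; accounts covered by other MFA enforcement mechanisms will still appear as Disabled here.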