Allow User Management role to enable Azure MFA for new users. Currently, only Global Admin can enable MFA
Allow a new Office 365 role, or a change to the existing User Management role, to enable Azure MFA for new users. Currently, only Global Admin can enable MFA for a user. Support members can license the user, including the MFA license, but cannot "enable, enforce, or reset" MFA settings for a user in the O365 Admin portal.
Frank Mandrell commented
Needs to be a role you can assign to those that set up accounts, not just global admins.
How has this not been implemented?
Absolutely agree. We want to make our outsourcing vendor maintain the O365 accounts, but due to this restriction, it cannot be released in terms of security.
It's ridiculous that MFA can only be activated by the global tenant admin... This should be a role that can be added to a Security Administrator... This really slows down my rollout of MFA in my company...
On another question there is an update, from April 2018...
We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.
Agreed, with cyber-security as one of the most important topics in IT. Adding MFA reset ability to the user administrator role (or creating a new role) is needed. The options we have are adding my whole help desk to global admins or writing a PowerShell script with stored credentials. Not the best options.
This would allow us to keep our Global Administrators to the fewest number of people possible. This feature is preventing us from being able to provide highly controlled access to SPO sites, since any GA could add himself or herself as an admin to any SharePoint site.
Agreed, as this approach is more practical for the helpdesk team members to perform.