Delegate permissions for managing MFA
To be able to delegate the permission of administering user account MFA settings, like enable/disable, forcing a reset of the MFA code, etc.
Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
Joey Dagami commented
Please let user with role of helpdesk administrator be able to manage MFA. Microsoft can set it up that any mfa change by helpdesk administrator will trigger an email to be sent to global administrator for review.
Mark Hall commented
We would like to kindly ask to have this feature implemented by Microsoft on Microsoft Azure AD, as this would surely help us during our day-to-day work and in turn, allow us to provide a much more efficient and valuable Service to the End-User.
We have a userbase of 2K users and delegated access is extremely important to us, as Service Desk cannot be granted Admin access.
Scott Ingram commented
We have 20,000+ users using Authenticator. We need these rights to be delegable.
Any update on this request yet? Really need to give HD access to MultiFactor without giving Global Admin Rights.
It's been 3 years now for this request. Hope it will be implemented soon. (My suggestion is to at least change the sentence in the info of Authentication Admin so that the global admins can get a clear picture regarding this whenever they assign a role to someone.)
Is this still not a possibility?? This is a really, really big miss right now.
Please enable asap. Thanks.
Mina Gerguis commented
It has been over 3 years since this was requested, and nearly a year in plans; hopefully this will be done soon, as MFA is essential and having it only via Global Admin is not acceptable.
This really does need resolving please - Global Admin just isn’t appropriate for day to day admin tasks. Thanks
It's over a year and this feature is still not integrated! So sad.
This needs to be adjusted urgently!
Please, enable this function. It is very important for our tenant and admins.
Kyle Martin commented
Any update on possible date of implementation? Lacking this feature is complicating our On-boarding procedures not allowing us to have this delegated to our Service Desk personnel.
Tariq Vaid commented
Please enable this function. It is sad having to go back to the client and say I can't do this you have to do it from your end or create a global admin account for me.
Thomas Cannervall commented
You can use the Privileged Authentication Administrator role to reset MFA. You can of course use this with PIM or whatever.
Yesterday I set up a reset flow with Automation Accounts (Azure Automate) -> Power Automate -> Power App to handle reset of MFA by support agents.
I created a service account with the Privileged Authentication Admin role, imported the MSOL module in the automation account and created a pretty basic PowerShell runbook:
param (
    [Parameter(Mandatory = $true, HelpMessage = "Email of the user to reset MFA for")]
    [string]$UserEmail,
    [Parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
    [string]$AuthUser
)
$ErrorActionPreference = 'Stop'
try {
    # Credential asset holding the service account that has the Privileged Authentication Admin role
    $creds = Get-AutomationPSCredential -Name '<redacted>'
    Connect-MsolService -Credential $creds
    # Clears the user's registered strong authentication methods; they re-register at next sign-in
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Output "Reset MFA for user $UserEmail Failed. the error is: $ErrorMessage"
}
Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and of course access to the app flow.
Hope it helps someone
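A hardened variant of the delegated reset runbook described in the comment above, added here as an example and not Thomas's own code or anything Microsoft ships. It keeps the same shape (Automation credential asset, MSOnline module, Reset-MsolStrongAuthenticationMethodByUpn) but adds the guardrails a delegated path needs: it validates both UPNs, refuses to let an agent reset their own MFA, refuses to touch accounts that hold privileged directory roles (so the helpdesk path cannot be used to take over an admin account), and writes one JSON audit line per attempt that names the agent and the outcome. The credential asset name 'MfaResetServiceAccount' is a placeholder, and the protected-role list is an assumption to tailor per tenant; "Company Administrator" is the MSOnline name of the Global Administrator role. Note that the MSOnline module is deprecated in favour of Microsoft Graph PowerShell, so the same checks would need to be ported to Graph cmdlets for a new deployment.

```powershell
# Added example (not from the original comment): hardened MFA-reset runbook.
# Assumptions: MSOnline module imported into the Automation account; a credential asset
# named 'MfaResetServiceAccount' (placeholder) holds a service account in the
# Privileged Authentication Administrator role; $AuthUser is supplied by the calling flow.
param (
    [Parameter(Mandatory = $true, HelpMessage = "UPN of the user to reset MFA for")]
    [string]$UserEmail,
    [Parameter(Mandatory = $true, HelpMessage = "UPN of the support agent who requested the reset")]
    [string]$AuthUser
)

$ErrorActionPreference = 'Stop'

# Directory roles whose members must never have MFA reset through the helpdesk path.
# Assumed list; adjust per tenant. "Company Administrator" is Global Administrator in MSOnline.
$ProtectedRoles = @(
    'Company Administrator',
    'Privileged Authentication Administrator',
    'Privileged Role Administrator',
    'Security Administrator'
)

function Test-UpnFormat {
    param([string]$Upn)
    # Reject anything that is not a single user@domain token before it reaches the directory.
    return $Upn -match '^[^\s@]+@[^\s@]+\.[^\s@]+$'
}

function Test-ProtectedUser {
    param([string]$Upn)
    # Returns $true if the target is a member of any role listed in $ProtectedRoles.
    foreach ($roleName in $ProtectedRoles) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if ($null -eq $role) { continue }
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
        if ($members | Where-Object { $_.EmailAddress -eq $Upn }) {
            return $true
        }
    }
    return $false
}

function Write-AuditRecord {
    param([string]$Outcome, [string]$Detail)
    # One JSON line per attempt so the job output can be forwarded to a SIEM and queried later.
    $record = [ordered]@{
        timestamp   = (Get-Date).ToUniversalTime().ToString('o')
        action      = 'mfa-reset'
        target      = $UserEmail
        requestedBy = $AuthUser
        outcome     = $Outcome
        detail      = $Detail
    }
    Write-Output ($record | ConvertTo-Json -Compress)
}

try {
    if (-not (Test-UpnFormat $UserEmail) -or -not (Test-UpnFormat $AuthUser)) {
        Write-AuditRecord -Outcome 'rejected' -Detail 'malformed UPN'
        return
    }
    if ($UserEmail -eq $AuthUser) {
        Write-AuditRecord -Outcome 'rejected' -Detail 'agent cannot reset their own MFA'
        return
    }

    $creds = Get-AutomationPSCredential -Name 'MfaResetServiceAccount'  # placeholder asset name
    Connect-MsolService -Credential $creds

    # Confirm the target exists before checking roles, so a typo fails closed with a clear reason.
    $null = Get-MsolUser -UserPrincipalName $UserEmail

    if (Test-ProtectedUser $UserEmail) {
        Write-AuditRecord -Outcome 'rejected' -Detail 'target holds a protected directory role'
        return
    }

    # Clears all registered strong authentication methods; the user re-registers at next sign-in.
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
    Write-AuditRecord -Outcome 'success' -Detail 'strong authentication methods cleared'
}
catch {
    Write-AuditRecord -Outcome 'error' -Detail $_.Exception.Message
}
```

The $AuthUser value is only as trustworthy as the Power Automate flow that passes it in, so the Automation job history (which records who started each job) should be treated as the authoritative record of the requesting agent, with the JSON line serving as the convenient copy for search and alerting.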
Could you please complete it ASAP, it is going to make Global Admin a lot of work
This needs to be a thing, it is actually a joke. Service desks need to be able to set up MFA!
Shouldn't the functions a Global Administrator can do with MFA be redirected to the Security Administrator as well? This is a Security function; they can then further delegate out the Privileged and Non-privileged Authentication Administrator roles. At the moment it is like saying only Enterprise Admins of AD can add/remove computer accounts to a domain. MS, did you not think that O365/Azure MFA would be rolled out to Enterprise organisations? Come on, stop thinking small, THINK BIG!
Time to get this sorted out MS. How do you expect us to follow your own best practices when you don't give us the tools to do so?