Feedback by UserVoice

How can we improve the tenant admin features O365?

Delegate permissions for managing MFA

To be able to delegate the permission to administer user account MFA settings, like enabling/disabling, forcing a reset of the MFA code, etc.

Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.

2,833 votes

Jacob McGuire shared this idea

131 comments

  • Nicholas Van Der Schyff commented

    So I tried all of the suggestions and could not allow a non-admin user to give MFA access.
    Eventually found this blog http://eskonr.com/2019/04/how-to-delegate-permissions-for-managing-mfa-in-azure-active-directory/

    All you need to do is add the user into "Privileged authentication administrator" on Azure AD and then you can enable MFA via PowerShell. Tested and now we can enable MFA for non-admins.

  • Scott Brant commented

    The new Azure Role for 'Authentication Administrator', alongside giving the account 'User Management Administrator', now allows setting an account's MFA without needing the account to be a Global Administrator.

    I did notice, though, that you cannot set it when creating your new user object (i.e. using New-MsolUser); it will not work. Instead you need to set this after the user object has been created.

    So here's some PS I used that works without issue, with the new starter or existing account having to register MFA on next login. Obviously use at your own risk and validate before running. I also use this within Azure Automation and it's running fine.

    #Load the MSOnline module and sign in (as an Authentication Administrator, not a Global Admin)
    Import-Module MSOnline
    Connect-MsolService

    #Get new User account (must already exist; setting this during New-MsolUser does not work)
    $userID = Get-MsolUser -UserPrincipalName "UPN"

    #Set MFA Var's: RelyingParty "*" applies the requirement to all applications
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)

    #Set MFA to Enabled for user account (user registers MFA on next login)
    Set-MsolUser -UserPrincipalName $userID.UserPrincipalName -StrongAuthenticationRequirements $sta

    Hope it helps.

  • Nahuel commented

    From PowerShell:
    1 - Assign "Authentication Administrator" for those you need:

    -Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator

    -Assign Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-manage-roles-portal

    2 - Connect to Azure from PowerShell using the credential of your service desk:

    - Install Azure modules for PowerShell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/

    3 - From PowerShell

    Connect-AzureAD
    Connect-MsolService
    $user = Read-Host -Prompt "UPN to reset the MFA"
    #Show the methods currently registered before touching them
    $user_get = Get-MsolUser -UserPrincipalName $user
    $user_get.StrongAuthenticationMethods
    #Clear the registered methods; the user re-registers at next sign-in
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user
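The two procedures in the comments above (Scott Brant's enable-after-creation snippet and Nahuel's reset-methods snippet) combined into one script, as an added example that is not code from any commenter in this thread. It assumes the MSOnline module is installed and that the signed-in service desk account holds the Authentication Administrator (or Privileged Authentication Administrator) role rather than Global Admin, as the comments describe. The function names (Get-UserMfaStatus, Set-UserMfaState, Reset-UserMfaMethods) and the sample UPN are the example's own, not from the page. It reads the current state first, treats an empty StrongAuthenticationRequirements as "Disabled", supports -WhatIf, and after a reset checks that the registered methods are actually gone rather than trusting the cmdlet's silent return:

```powershell
# Added example; assumes MSOnline and a (Privileged) Authentication Administrator sign-in.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as the delegated service desk account

function Get-UserMfaStatus {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        # No requirement object at all means per-user MFA is Disabled
        State         = if ($req) { $req.State } else { 'Disabled' }
        Methods       = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        DefaultMethod = ($u.StrongAuthenticationMethods | Where-Object IsDefault | Select-Object -First 1).MethodType
    }
}

function Set-UserMfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    $before = Get-UserMfaStatus -UserPrincipalName $UserPrincipalName
    if ($before.State -eq $State) {
        Write-Verbose "$UserPrincipalName is already $State; nothing to do"
        return $before
    }
    if ($State -eq 'Disabled') {
        # An empty requirements array clears per-user MFA
        $sta = @()
    } else {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = '*'      # apply to all applications
        $st.State = $State          # 'Enabled' = register at next sign-in, 'Enforced' = required now
        $sta = @($st)
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Per-user MFA $($before.State) -> $State")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $sta
    }
    Get-UserMfaStatus -UserPrincipalName $UserPrincipalName
}

function Reset-UserMfaMethods {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $before = Get-UserMfaStatus -UserPrincipalName $UserPrincipalName
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Reset registered MFA methods ($($before.Methods -join ', '))")) {
        Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName
    }
    $after = Get-UserMfaStatus -UserPrincipalName $UserPrincipalName
    # Verify the reset actually took effect instead of assuming success
    if ($after.Methods.Count -gt 0) {
        Write-Warning "$UserPrincipalName still has methods registered: $($after.Methods -join ', ')"
    }
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        State             = $after.State
        MethodsBefore     = $before.Methods
        MethodsAfter      = $after.Methods
    }
}

# Usage (sample UPN is made up for the example):
# Set-UserMfaState   -UserPrincipalName 'jdoe@contoso.example' -State Enabled -WhatIf
# Set-UserMfaState   -UserPrincipalName 'jdoe@contoso.example' -State Enabled
# Reset-UserMfaMethods -UserPrincipalName 'jdoe@contoso.example'
```

Run each command with -WhatIf first; the before/after objects returned by Set-UserMfaState and Reset-UserMfaMethods are what a service desk ticket should record, since neither Set-MsolUser nor Reset-MsolStrongAuthenticationMethodByUpn prints anything on success.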

  • Michael Dickerson commented

    Microsoft preaches us to limit Global Admins. Then they take a help desk task like this and limit it to Global admins only. Not very consistent.

  • Anonymous commented

    Seriously, how long does it take to implement this? Wake up, Microsoft. This is ridiculous.

  • nechep commented

    @bthai Not working for me! The User admin role is not allowing me to reset MFA in PowerShell. How is it working for you?

    And when will the Authentication administrator role be fully live and ready to use? I can't wait for that cr"p.

  • bthai commented

    For those who haven't figured it out by now-- you can Enable/Disable MFA for users by using PowerShell. Only User Admin role is needed with the PowerShell workaround. (NO Global Admin role needed, I repeat, NO Global Admin role needed)

  • nechep commented

    Guys, has anyone used the Authentication administrator role? Is it working normally for you? Is it ok to use?

    Cuz as per MS - This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

  • Fred commented

    The steps are pretty clear in that exchangequery post. I added some lines to give me an email confirmation:

    My PS code in the azure automation runbook:

    #Read in the value from the flow
    Param
    (
    [Parameter (Mandatory= $false)]
    [String] $name = ""
    )
    $UPN = $name+"@domainname"

    #connect with azure automation user (module has to be loaded before Connect-MsolService)
    Import-Module MSOnline
    $creds = Get-AutomationPSCredential -Name 'globalAdminUser'
    Connect-MsolService -Credential $creds

    #check status of the user (empty StrongAuthenticationRequirements means MFA is not enabled)
    $body = @()
    $body = $body+"User enabled already? (no output means no)"+(Get-MsolUser -UserPrincipalName $UPN).StrongAuthenticationRequirements
    $body += "-------------------------------------"

    #enable the user: RelyingParty "*" applies the requirement to all applications
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $UPN -StrongAuthenticationRequirements $sta

    #check and email out the status
    $body = $body+"Username is:"+$UPN
    $body += (Get-MsolUser -UserPrincipalName $UPN).StrongAuthenticationRequirements
    $body += "If 'Enabled' state you are good to go!"

    #email out results
    $body = $body | Out-String
    Send-MailMessage -From "<from@blah>" -To "<email>", "<email>" -Subject "User MFA Enabled" -Body $body -SmtpServer "externally accessible email server"

  • Kevin commented

    Per Ryan Pool's comment below - this does work. I was just using the wrong button...One revokes MFA trust on all trusted machines, the OTHER (which is the right one) resets the MFA methods.

    If anyone gets that Flow automation below to work I'd like to know what your final cmdlet looks like in Azure. I couldn't get it to work - though I'm more interested to know so I can perform *other* cmdlets using an email address as an input.

  • Kevin commented

    PS...ahhh...I just had someone try the Revoke method as noted below...it claims it was successful, yet I can still log into the test account (that he did the revocation on) without issue using the same original MFA method. It didn't seem to reset the methods as I had hoped.

  • Kevin commented

    @Fred - Can you share the final runbook cmdlets you ended up using in that Flow link you mentioned below? I'm trying to get this to work as well and am tinkering with the cmdlets provided trying to get it to work (but can't).

  • Paris Wells commented

    Hi Fred,

    If you click on the user in Azure AD, go to Authentication Methods on the left-hand side, and you can revoke or require validation.
