Feedback by UserVoice

How can we improve the tenant admin features O365?

Delegate permissions for managing MFA

To be able to delegate the permission of administering user account MFA setting like enable/disabled forcing reset of MFA code etc.

Currently the Global Admin permission is needed. It would be able very useful to delegate this to a service desk function without having to provide full admin access to the tenant.

2,130 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Jacob McGuire shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    95 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Felix Alvarado commented  ·   ·  Flag as inappropriate

        this would definitely be beneficial to have a non-admin do this function, as depending on the urgency of the request and the channel is has to go through, you could be waiting, while your end-user requires this to be unblocked ASAP.

      • A commented  ·   ·  Flag as inappropriate

        Seems like feedback.azure.com gets less votes, but better feedback:

        April 2018: "We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA."
        https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31266781-allow-user-account-administrator-to-enable-mfa-for

        And November 2017: "This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role."
        https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10072839-allow-the-user-admin-role-to-enable-disable-mfa-fo

      • Frank Jones commented  ·   ·  Flag as inappropriate

        This would be great to also allow a service desk resource to unblock an account that has denied MFA accidentally.

      • Anonymous commented  ·   ·  Flag as inappropriate

        This is needed for partner delegated admins too - we can't change MFA settings using our delegated admin rights as a partner of our customers, and have to create a global admin in each tenant to do this. Very irritating.

      • Anne O'Day commented  ·   ·  Flag as inappropriate

        Seems to me like this has taken so long because what they're really working toward is self-service MFA reset, taking the load off of both global admins and helpdesk personnel. But that's only from hints I've seen on tweets. Try searching for new registration experience for Azure and Office 365.

      • Brent commented  ·   ·  Flag as inappropriate

        It's unbelievable this request has been floating around since 2016. What do you guys do all day? This seems like a simple request. It's obvious you don't care about your enterprise customer base. Because we, unlike you have a ton of work to do and resetting MFA at the Global Admin level is not one of them.

      • Charles commented  ·   ·  Flag as inappropriate

        Unfortunately, after long time waiting for this to be added to the roadmap, I can only agree with Bart's comment below. The uservoice feedback loop is not working.

      • Bart Brinkman commented  ·   ·  Flag as inappropriate

        I'll comment on this because it's ALSO listed in the Azure AD UserVoice. I'll post the same thing I posted there:
        So.. really burning the midnight oil on this one right guys.. This is exactly the reason the UserVoice is a JOKE and I've basically stopped participating in it. It's simply a measuring stick of how little MS really cares about what we, the admins, want/need and how little MS cares to do it.
        MS only cares about shot gunning out cool new services they can up sell us on.. if it's not a new SKU who cares about fixing basic flaws in the workflow. That does not make $$.

      • Anonymous commented  ·   ·  Flag as inappropriate

        unbelievable...
        please Microsoft, at least share with us your road map so that we can all see how many sharp bends, dead ends, traffic lights, tunnels, ferry crossings, roadworks etc etc etc there are between here and the solution so eagerly awaited

      • Anonymous commented  ·   ·  Flag as inappropriate

        we need this asap, we have to depend on admins with global admin permission to enable / disable MFA for users every time. This is inconvenience to manage for larger user base. Hope Microsoft provides some solution asap.

      • Jeremiah Moberly commented  ·   ·  Flag as inappropriate

        We would love to be able to delegate this role asap. We have only two Global Admins (one of which is a manager, not a tech) and a staff of over 400. Our helpdesk staff should be able to manage this for users having trouble. I'm surprised this is still being requested after two years, with no updates or timeline given!

      • Jose Rivera commented  ·   ·  Flag as inappropriate

        We need that ASAP... We managed thousands of accounts with MFA... and our Help Desk Team cannot do that

      • Anonymous commented  ·   ·  Flag as inappropriate

        agreed. This feature is definitely required. Its crazy that I have to give Global admin rights to lower tier support personnel

      • Evan Mintzer commented  ·   ·  Flag as inappropriate

        I was told by Microsoft that it would be implemented by Q4 2017 - it is now Q3 2018 and still not available. Forcing Global Admin privileges to do a simple task is horrible for security.

      ← Previous 1 3 4 5

      Feedback and Knowledge Base