Delegate permissions for managing MFA
To be able to delegate the permission of administering user account MFA setting like enable/disabled forcing reset of MFA code etc.
Currently the Global Admin permission is needed. It would be able very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
Kelvin Tegelaar commented
This has been resolved, just not announced to the big public yet.
Go to partner portal
Azure Active Directory
Click on users
Click on Manage Multi-factor Authentication.
Manage MFA for users in that tenant.
Just got off the phone with Microsoft CSP Premier support and they directed me here. I love that Microsoft wants to enable us to manage our clients from within our own accounts but they cannot expect us to execute without the ability to do so. Enabling MFA is just one of the many things that I cannot do without a tenant specific global admin. Yes, I can create a generic global admin for each client like I used to have, but then multiple technicians on my staff all share that account and cannot easily share MFA. The alternative to create a technician global admin with MFA for each client tenant is just not realistic. I really want to drink the kool-aid but Microsoft.... you forgot to stir it!!
Definitely need this as a matter of urgency. It's three years since this was 'added to your upcoming investments'. This is a critical role that is needed.
Yes I agree and request same from Microsoft. These limited admin roles should be available. we needed to give this permissions to our helpdesk team members to update user's authentication contact information under MFA (to receive OTP) but unfortunately only global admin could do this.
Brajesh Panda commented
Specially MFA Fraud stuff, block, unblock.
Nate C commented
Hopefully the activate or deactivate MFA function will be able to be delegated to non global admins soon. Microsoft please add timeline for this.
Authentication Administrator role allows to change MFA settings on existing MFA users but NOT to activate or deactivate MFA on a given user. The Global Admin role is still necessary to actvate MFA on users.
Looking forward to at last getting such role...
Phillip Lyle commented
All, this is currently in public preview and you can use it now. Authentication Administrator role.
Tracy S. commented
It's almost impossible to buy office 365. I have been trying to buy this for over 2 hours on MS"s website for support. I give up!! If you want to sell your office software or lease it or whatever.
Call Me....... 812-670-0753. Your website is not any help on this. I don't believe it ever did accept a password or even a user name on your web site. My Email is: email@example.com
Thanks for assistance......... Tracy Sweny PH: 812-670-0753
Robert Lee commented
This has been a request for 3 years... They even said it was on their roadmap back in 2017... Come on guys.
'added it to our upcoming investments' after 3 years! can this one get little more love, please
Any news on that?
jeremy finney commented
I got them to change the doco
And I maintain it can’t be ‘by design’ because it is a contradiction to call something ‘equivalent’ that is clearly not ‘equivalent’. This needs to be brought to the attention of a product manager in charge of o365 “delegated administration for microsoft partners”.
Think it through… why would partners utilize the “full DPA administration” role when partners are going to have to maintain separate ‘global admin’ accounts… for each o365 tenant…and in each tenant, 1 GA account for each support technician since these GA accounts need to be MFA enabled. 1 MS partner with 10 techs and 50 tenancies to manage... that’s 500 extra accounts just to administrate MFA functionality!?
If you think through the implications of this limitation you realize it is not a ‘feature request’ this is a deal breaker for o365 delegated administration.
Is this still on the works?
Nicholas Van Der Schyff commented
So I tried all of the suggestions and could not allow an no admin user to give MFA access.
Eventually found this blog http://eskonr.com/2019/04/how-to-delegate-permissions-for-managing-mfa-in-azure-active-directory/
All you need to do is add the user into "Privileged authentication administrator" on Azure AD and then you can enable MFA via Poweshell. Tested and now we can enable MFA for non admins
Scott Brant commented
The new Azure Role for 'Authentication Administrator' alongside giving the account 'User Management Administrator' is now allowing to set accounts MFA without needing the account to be a Global Administrator.
I did notice though, you cannot set it when creating your new user object (i.e using New-MsolUser) that it will not work. Instead you need to set this after the user object has been created.
So here's some PS I used and works without issue, with the new starter or existing account having to register MFA on next login. Obviously use at your own risk and validate before running. I also use this within Azure Automation and it's running fine.
#Get new User account
$userID = Get-MsolUser -UserPrincipalName "UPN"
#Set MFA Var's
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
#Set MFA to Enabled for user account
Set-MsolUser -UserPrincipalName $userID.UserPrincipalName -StrongAuthenticationRequirements $sta
Hope it helps.
Use CAPs for this instead. Problem solved.
1 - Assign "Authentication Administrator for those you need:
-Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator
2 - Connect to Azure from powershell using the credential of your service desk:
- Install Azure modules for powershell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From powershell
$user = Read-Host -Promt "UPN to reset the MFA"
$user_get = Get-MsolUser -UserPrincipalName $user
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user
Michael Dickerson commented
Microsoft preaches us to limit Global Admins. Then they take a help desk task like this and limit it to Global admins only. Not very consistent.
Seriously, how long does it take to implement this? Wake up, Microsoft. This is ridiculous.