Feedback by UserVoice

How can we improve the tenant admin features O365?

Delegate permissions for managing MFA

To be able to delegate the permission to administer user account MFA settings, like enable/disable, forcing a reset of the MFA code, etc.

Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.

2,596 votes
Jacob McGuire shared this idea

121 comments

      • bthai commented

        For those who haven't figured it out by now: you can enable/disable MFA for users by using PowerShell. Only the User Admin role is needed with the PowerShell workaround. (NO Global Admin role needed, I repeat, NO Global Admin role needed.)
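        An added example of what that workaround looks like, not code from bthai or anyone else in the thread: a delegated admin changes one user's per-user MFA state with the MSOnline module and verifies the result instead of trusting the cmdlet. It assumes MSOnline is installed, that the signed-in account holds a role allowed to run Set-MsolUser, and the account name is a constructed placeholder.

```powershell
# Added example (not from the thread). Assumes the MSOnline module is installed and
# the caller signs in as a delegated admin (bthai reports User Admin is sufficient).
Import-Module MSOnline
Connect-MsolService   # prompts for the delegated admin's credentials

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
    if ($req.Count -eq 0) { return 'Disabled' }   # empty collection means per-user MFA is off
    return $req[0].State                          # 'Enabled' or 'Enforced'
}

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    $before = Get-UserMfaState -UserPrincipalName $UserPrincipalName
    if ($State -eq 'Disabled') {
        $requirements = @()   # an empty array clears the per-user requirement
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $State
        $requirements = @($req)
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements

    # Read the state back: a silently failed change would leave the user unprotected,
    # so the script fails loudly when the tenant does not report the requested state.
    $after = Get-UserMfaState -UserPrincipalName $UserPrincipalName
    if ($after -ne $State) {
        throw "MFA state for $UserPrincipalName is '$after', expected '$State'"
    }
    [pscustomobject]@{ User = $UserPrincipalName; Before = $before; After = $after }
}

# Constructed placeholder account; replace with a real UPN in your tenant.
Set-UserMfaState -UserPrincipalName 'jdoe@contoso.example' -State 'Enabled'
```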

      • nechep commented

        Guys, has anyone used the Authentication administrator role? Is it working normally for you? Is it OK to use?

        Because as per MS: "This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities."

      • Fred commented

        The steps are pretty clear in that exchangequery post. I added some lines to give me an email confirmation:

        My PS code in the azure automation runbook:

        #Read in the value from the flow
        Param
        (
        [Parameter (Mandatory= $false)]
        [String] $name = ""
        )
        #stop early if the flow passed nothing, otherwise the script would try to edit "@domainname"
        if ([string]::IsNullOrWhiteSpace($name)) { throw "No user name was passed in from the flow" }
        $UPN = $name+"@domainname"   #replace domainname with the tenant's domain

        #connect with azure automation user (module must be loaded before Connect-MsolService)
        Import-Module MSOnline
        $creds = Get-AutomationPSCredential -Name 'globalAdminUser'
        Connect-MsolService -Credential $creds

        #check status of the user
        $body = @()
        $before = (Get-MsolUser -UserPrincipalName $UPN).StrongAuthenticationRequirements
        $body += "User enabled already? (no output means no) " + ($before | Select-Object -ExpandProperty State)
        $body += "-------------------------------------"

        #enable the user
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enabled"
        $sta = @($st)
        Set-MsolUser -UserPrincipalName $UPN -StrongAuthenticationRequirements $sta

        #check and email out the status (read back from the tenant, not from $sta)
        $after = (Get-MsolUser -UserPrincipalName $UPN).StrongAuthenticationRequirements
        $body += "Username is: " + $UPN
        $body += "MFA state now: " + ($after | Select-Object -ExpandProperty State)
        $body += "If 'Enabled' state you are good to go!"

        #email out results
        $body = $body | Out-String
        Send-MailMessage -From "<from@blah>" -To "<email>", "<email>" -Subject "User MFA Enabled" -Body $body -SmtpServer "externally accessible email server"

      • Kevin commented

        Per Ryan Pool's comment below, this does work. I was just using the wrong button... One revokes MFA trust on all trusted machines; the OTHER (which is the right one) resets the MFA methods.

        If anyone gets that Flow automation below to work, I'd like to know what your final cmdlet looks like in Azure. I couldn't get it to work, though I'm more interested to know so I can perform *other* cmdlets using an email address as an input.

      • Kevin commented

        PS... ahhh... I just had someone try the Revoke method as noted below. It claims it was successful, yet I can still log into the test account (that he did the revocation on) without issue using the same original MFA method. It didn't seem to reset the methods as I had hoped.

      • Kevin commented

        @Fred: Can you share the final runbook cmdlets you ended up using in that Flow link you mentioned below? I'm trying to get this to work as well and am tinkering with the cmdlets provided, trying to get it to work (but can't).

      • Paris Wells commented

        Hi Fred,

        If you click on the user in Azure AD, go to Authentication Methods on the left hand side, and you can revoke or require validation.

      • Fred commented

        I got the Azure Automation + Flow working as per Paris Wells' comment link below; it took a while to figure out, but it works. Thanks!

      • Steve L commented

        What happened to "give users exactly what they need and nothing more"? A Security Admin role, or even an elevated Help Desk, should have the option to have a functional role added to provide the ability for MFA user setup, without having the keys to everything under the sun!!!

      • Anonymous commented

        I ******* hate this product and it makes me wanna commit suicide. I dislike every aspect of this **** even existing, and it is basically very bad in every possible way. Stupid idiot ****, I never ever want to use anything like this ever again.

      • Anonymous commented

        Microsoft scoring says to limit Global Admins to less than five. Then Microsoft forces you to have more than that by not giving you the roles to accomplish that. "You get global admin access! You get global admin access! You get global admin access!"
