Delegate permissions for managing MFA
To be able to delegate the permission to administer user account MFA settings, like enabling/disabling, forcing a reset of the MFA code, etc.
Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
Brajesh Panda commented
Especially the MFA fraud stuff: block, unblock.
Nate C commented
Hopefully the activate or deactivate MFA function will be delegable to non-Global Admins soon. Microsoft, please add a timeline for this.
The Authentication Administrator role allows changing MFA settings on existing MFA users but NOT activating or deactivating MFA on a given user. The Global Admin role is still necessary to activate MFA on users.
Looking forward to at last getting such a role...
Phillip Lyle commented
All, this is currently in public preview and you can use it now. Authentication Administrator role.
Tracy S. commented
It's almost impossible to buy Office 365. I have been trying to buy this for over 2 hours on MS's website for support. I give up!! If you want to sell your office software or lease it or whatever.
Call Me....... 812-670-0753. Your website is not any help on this. I don't believe it ever did accept a password or even a user name on your web site. My Email is: email@example.com
Thanks for assistance......... Tracy Sweny PH: 812-670-0753
Robert Lee commented
This has been a request for 3 years... They even said it was on their roadmap back in 2017... Come on guys.
'added it to our upcoming investments' after 3 years! Can this one get a little more love, please?
Any news on that?
jeremy finney commented
I got them to change the doco
And I maintain it can’t be ‘by design’ because it is a contradiction to call something ‘equivalent’ that is clearly not ‘equivalent’. This needs to be brought to the attention of a product manager in charge of o365 “delegated administration for microsoft partners”.
Think it through… why would partners utilize the “full DPA administration” role when partners are going to have to maintain separate ‘global admin’ accounts… for each o365 tenant…and in each tenant, 1 GA account for each support technician since these GA accounts need to be MFA enabled. 1 MS partner with 10 techs and 50 tenancies to manage... that’s 500 extra accounts just to administrate MFA functionality!?
If you think through the implications of this limitation you realize it is not a ‘feature request’ this is a deal breaker for o365 delegated administration.
Is this still in the works?
Nicholas Van Der Schyff commented
So I tried all of the suggestions and could not allow a non-admin user to give MFA access.
Eventually found this blog http://eskonr.com/2019/04/how-to-delegate-permissions-for-managing-mfa-in-azure-active-directory/
All you need to do is add the user to "Privileged Authentication Administrator" in Azure AD, and then you can enable MFA via PowerShell. Tested, and now we can enable MFA for non-admins.
Scott Brant commented
The new Azure role 'Authentication Administrator', alongside giving the account 'User Management Administrator', now allows setting MFA on accounts without the account needing to be a Global Administrator.
I did notice, though, that you cannot set it when creating your new user object (i.e. using New-MsolUser); it will not work. Instead you need to set this after the user object has been created.
So here's some PS I used that works without issue, with the new starter or existing account having to register MFA on next login. Obviously use at your own risk and validate before running. I also use this within Azure Automation and it's running fine.
# Requires the MSOnline module and an existing session (Connect-MsolService) as the delegated account
# Get the user account; the object must already exist (setting MFA in New-MsolUser does not work)
$userID = Get-MsolUser -UserPrincipalName "UPN"
# Build the MFA requirement: State "Enabled" forces registration at next login ("Enforced" is the other option)
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
# Set MFA to Enabled for the user account
Set-MsolUser -UserPrincipalName $userID.UserPrincipalName -StrongAuthenticationRequirements $sta
Hope it helps.
Use CAPs for this instead. Problem solved.
1 - Assign "Authentication Administrator" to those who need it:
- Role ==> https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator
2 - Connect to Azure from PowerShell using the credentials of your service desk:
- Install the Azure modules for PowerShell: https://blogs.technet.microsoft.com/solutions_advisory_board/2017/04/27/connect-to-office-365-services-with-multifactor-authentication-mfa-and-powershell/
3 - From PowerShell:
$user = Read-Host -Prompt "UPN to reset the MFA"
# Confirm the user exists before resetting; stop on a typo instead of continuing
$user_get = Get-MsolUser -UserPrincipalName $user -ErrorAction Stop
# Clears the user's registered MFA methods so they must re-register at next sign-in
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user
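The two procedures above (enabling per-user MFA with Set-MsolUser, and resetting a user's registered methods with Reset-MsolStrongAuthenticationMethodByUpn) are combined here into one service-desk script. This is an added example, not code posted in the thread or shipped by Microsoft. It assumes the MSOnline module is installed, that the signed-in account holds Authentication Administrator (or Privileged Authentication Administrator, or Global Admin), and that the MSOnline role names and the UPNs used are as shown; the role names and UPNs are assumptions for illustration.

```powershell
# Added example (not from the thread). Assumes the MSOnline module is loaded in Windows PowerShell 5.1
# and that the caller's UPN and the target UPNs below are placeholders you replace.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as the service-desk account

# 1. Check the caller actually holds a role that can manage MFA before touching anyone's state.
#    Role display names are assumed to match the MSOnline names; "Company Administrator" is Global Admin.
function Test-DelegatedMfaRole {
    param([Parameter(Mandatory)][string]$CallerUpn,
          [string[]]$AcceptedRoles = @('Authentication Administrator',
                                      'Privileged Authentication Administrator',
                                      'Company Administrator'))
    foreach ($roleName in $AcceptedRoles) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if ($null -eq $role) { continue }
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
        if ($members | Where-Object { $_.EmailAddress -eq $CallerUpn }) { return $roleName }
    }
    return $null
}

# 2. Per-user MFA state: Enabled (register at next sign-in), Enforced, or Disabled.
function Set-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][ValidateSet('Enabled','Enforced','Disabled')][string]$State)
    # The object must already exist: create with New-MsolUser first, then call this (the thread's caveat).
    $null = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if ($State -eq 'Disabled') {
        # An empty requirements array removes per-user MFA.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'        # applies to every relying party
        $req.State = $State
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    }
}

# 3. Reset wipes the registered methods (phone, authenticator app) so the user re-registers;
#    the Enabled/Enforced flag itself is left alone. This is the lost-phone ticket.
function Reset-UserMfaMethods {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName
}

# 4. Read back what the directory holds so the technician can confirm the change in the ticket.
function Get-UserMfaSummary {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
                 $u.StrongAuthenticationRequirements[0].State } else { 'Disabled' }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PerUserMfaState   = $state
        RegisteredMethods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        DefaultMethod     = ($u.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
    }
}

# --- Usage with placeholder UPNs ---
$caller = 'helpdesk@contoso.example'
$role = Test-DelegatedMfaRole -CallerUpn $caller
if (-not $role) { throw "$caller holds none of the roles that can manage MFA; stopping." }
Write-Host "Acting as $caller with role: $role"

Set-PerUserMfaState -UserPrincipalName 'new.starter@contoso.example' -State Enabled
Reset-UserMfaMethods -UserPrincipalName 'lost.phone@contoso.example'
Get-UserMfaSummary -UserPrincipalName 'new.starter@contoso.example' | Format-List
```

Two caveats worth checking before handing this to a service desk: Authentication Administrator is scoped to non-admin users, so a reset against someone who holds a privileged role needs Privileged Authentication Administrator; and Get-UserMfaSummary is the step that tells you whether the role you were given actually took effect, since a silently ignored Set-MsolUser is the failure mode several people in this thread report.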
Michael Dickerson commented
Microsoft preaches us to limit Global Admins. Then they take a help desk task like this and limit it to Global admins only. Not very consistent.
Seriously, how long does it take to implement this? Wake up, Microsoft. This is ridiculous.
The Auth Admin role also does not work.
@nechep - check the similar UserVoice thread below where others are confirming it works.
@bthai Not working for me! The User Admin role is not allowing me to reset MFA in PowerShell. How is it working for you?
And when will the Authentication Administrator role be fully live and ready to use? I can't wait for that cr*p.
For those who haven't figured it out by now: you can enable/disable MFA for users by using PowerShell. Only the User Admin role is needed with the PowerShell workaround. (NO Global Admin role needed, I repeat, NO Global Admin role needed.)
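One comment in the thread says to use Conditional Access policies (CAPs) instead of per-user MFA flags, without showing how that removes the Global Admin requirement. The following is an added example, not from the thread or from Microsoft: a Conditional Access administrator creates one policy, once, that requires MFA for members of a security group, and from then on the service desk only needs a role that can edit group membership (Groups Administrator), never Global Admin. It assumes the AzureAD PowerShell module with the *-AzureADMSConditionalAccessPolicy cmdlets; the group name, policy name and UPNs are placeholders.

```powershell
# Added example (not from the thread). Assumes the AzureAD module is installed and the
# signed-in account can create Conditional Access policies and groups. Names below are placeholders.
Import-Module AzureAD
Connect-AzureAD

# 1. The group that scopes MFA. Service desk adds/removes members; nobody flips per-user MFA.
$groupName = 'SG-MFA-Required'
$group = Get-AzureADGroup -SearchString $groupName | Where-Object DisplayName -eq $groupName
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -SecurityEnabled $true `
                              -MailEnabled $false -MailNickName 'sg-mfa-required'
}

# 2. One policy, created once by a CA admin: group members must pass MFA for all cloud apps.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId
# Keep a break-glass account out of scope so an MFA service outage cannot lock every admin out.
$conditions.Users.ExcludeUsers = (Get-AzureADUser -ObjectId 'breakglass@contoso.example').ObjectId

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'          # the property really is named _Operator in this module
$controls.BuiltInControls = 'mfa'

$policyName = 'Require MFA - SG-MFA-Required'
$existing = Get-AzureADMSConditionalAccessPolicy | Where-Object DisplayName -eq $policyName
if (-not $existing) {
    # Start in report-only; switch -State to 'enabled' after reviewing sign-in logs.
    New-AzureADMSConditionalAccessPolicy -DisplayName $policyName `
        -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $controls
}

# 3. Day-to-day: a service-desk account holding only Groups Administrator runs this part.
function Add-UserToMfaScope {
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][string]$GroupObjectId)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $already = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
               Where-Object ObjectId -eq $user.ObjectId
    if (-not $already) {
        Add-AzureADGroupMember -ObjectId $GroupObjectId -RefObjectId $user.ObjectId
    }
}
Add-UserToMfaScope -UserPrincipalName 'new.starter@contoso.example' -GroupObjectId $group.ObjectId
```

With this layout the Enabled/Enforced per-user states stop mattering: MFA is required at sign-in for anyone in the group, and resetting a user's registered methods after a lost phone is still done with the Authentication Administrator role as shown earlier in the thread. Dynamic group membership (for example by department) removes even the group-edit step for onboarding, but the break-glass exclusion should stay an explicit, static exception.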