Delegate permissions for managing MFA
To be able to delegate the permission of administering user account MFA setting like enable/disabled forcing reset of MFA code etc.
Currently the Global Admin permission is needed. It would be able very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
Jacob McGuire
shared this idea
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
160 comments
-
Anonymous
commented
This needs to be adjusted urgently!
-
Anonymous
commented
Please, enable this function. It is very important for our tenant and admins.
-
Kyle Martin
commented
Any update on possible date of implementation? Lacking this feature is complicating our On-boarding procedures not allowing us to have this delegated to our Service Desk personnel.
-
Tariq Vaid
commented
Please enable this function. It is sad having to go back to the client and say I can't do this you have to do it from your end or create a global admin account for me.
-
Thomas Cannervall
commented
You can use Privilieged Authentication Administrator Role to reset mfa. You can ofcourse use this with PIM or whatever.
Yesterday I set-up a reset flow with Automation Accounts (Azure Automate) -> power automate -> power app to handle reset of MFA by support agents.
I created a service account with Priviliged Authentication Admin role, imported msol module in the automation account and created a pretty basic ps runbook
Param (
[Parameter (Mandatory= $true, HelpMessage = "Email of the user to reset MFA for")]
[String]$UserEmail,
[parameter(Mandatory = $true, HelpMessage = "Email of the support agent")]
[string]$AuthUser
)
$ErrorActionPreference = 'Stop'
Try {
$creds = Get-AutomationPSCredential -Name '<redacted>'
Connect-MsolService -Credential $creds
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserEmail
Write-Output "MFA was reset for user $UserEmail. Support agent who triggered the reset was $AuthUser"
}
Catch {
$ErrorMessage = $_.Exception.Message
Write-Output "Reset MFA for user $UserEmail Failed. the error is: $ErrorMessage"
}Had to give the support agents Automation Job Operator permissions on the Automation Account / Resource group and ofcourse access to app flow.
Hope it helps someone
-
Stanley
commented
Could you please complete it ASAP, it is going to make Global Admin a lot of work
-
Anonymous
commented
This needs to be a thing, it is actually a joke. Service desks need to be able to set up MFA!
-
Ratz
commented
Shouldn't the functions a Global Administrator can do with MFA be redirected to the Security Administrator as well. This is a Security function, they can then further delegate out Privileged and Non-privileged Authentication Administrator role. At the moment is like saying only Enterprise Admins of AD can add\remove computer accounts to a domain. MS did you not think that O365\Azure -MFA would be rolled out to Enterprise organisations, come on, stop thinking small, THINK BIG!
-
Brad
commented
Time to get this sorted out MS. How do you expect us to follow your own best practices when you don't give us the tools to do so?
-
Anonymous
commented
conditional access policies only solves a part of the issue. Being able to delegate out permissions for support teams to be able to reset a users MFA registrations (Require re-register MFA) is important for support teams to be able to assist users with registering new devices (eg. phone replacement ect)
-
Fred
commented
The solution to this is to convert over to conditional access policies and manage MFA via an AD group. We started the migration at our company from classic to CA policies.
-
C H
commented
I can't believe this is almost 4 years old. Right now only Global Admins can do this, so I have to interrupt my day just to reset tokens every time someone wants a new phone. This needs to be more than just "In the plans".
-
Anonymous
commented
OMG is this still not ready? How limited is the design mentality at Microsoft to constantly have these very odd limitations? This should have been configurable from day 1.
-
Jesse Slocum
commented
Hello Microsoft,
Can we please get an update on this request?
Regards,
Jesse
-
Antony
commented
No Solution after 4 years on this UserVoice and other similar requests??
Need to be able to delegate this admin activity and not have to engage the Global Admins each time. ESPECIALLY after MS recommends such a low number of GA's. -
Wil
commented
any update on this?
-
Kelvin Tegelaar
commented
This has been resolved, just not announced to the big public yet.
Instructions:Go to partner portal
Find client
Administer services
Azure Active Directory
Click on users
Click on Manage Multi-factor Authentication.
Manage MFA for users in that tenant.
The shortcut to get there would be https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx?tenantId=TENANTGUIDHERE&culture=en-us&requestInitiatedContext=users
-
Jeff
commented
Just got off the phone with Microsoft CSP Premier support and they directed me here. I love that Microsoft wants to enable us to manage our clients from within our own accounts but they cannot expect us to execute without the ability to do so. Enabling MFA is just one of the many things that I cannot do without a tenant specific global admin. Yes, I can create a generic global admin for each client like I used to have, but then multiple technicians on my staff all share that account and cannot easily share MFA. The alternative to create a technician global admin with MFA for each client tenant is just not realistic. I really want to drink the kool-aid but Microsoft.... you forgot to stir it!!
-
Anonymous
commented
Definitely need this as a matter of urgency. It's three years since this was 'added to your upcoming investments'. This is a critical role that is needed.
-
Anonymous
commented
Yes I agree and request same from Microsoft. These limited admin roles should be available. we needed to give this permissions to our helpdesk team members to update user's authentication contact information under MFA (to receive OTP) but unfortunately only global admin could do this.