Delegate permissions for managing MFA
To be able to delegate the permission of administering user account MFA setting like enable/disabled forcing reset of MFA code etc.
Currently the Global Admin permission is needed. It would be able very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
Jonathan L'Archevêque commented
Felix Alvarado commented
this would definitely be beneficial to have a non-admin do this function, as depending on the urgency of the request and the channel is has to go through, you could be waiting, while your end-user requires this to be unblocked ASAP.
Seems like feedback.azure.com gets less votes, but better feedback:
April 2018: "We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA."
And November 2017: "This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role."
Frank Jones commented
This would be great to also allow a service desk resource to unblock an account that has denied MFA accidentally.
This is needed for partner delegated admins too - we can't change MFA settings using our delegated admin rights as a partner of our customers, and have to create a global admin in each tenant to do this. Very irritating.
Anne O'Day commented
Seems to me like this has taken so long because what they're really working toward is self-service MFA reset, taking the load off of both global admins and helpdesk personnel. But that's only from hints I've seen on tweets. Try searching for new registration experience for Azure and Office 365.
David Barr commented
What Brent said.
It's unbelievable this request has been floating around since 2016. What do you guys do all day? This seems like a simple request. It's obvious you don't care about your enterprise customer base. Because we, unlike you have a ton of work to do and resetting MFA at the Global Admin level is not one of them.
Unfortunately, after long time waiting for this to be added to the roadmap, I can only agree with Bart's comment below. The uservoice feedback loop is not working.
Bart Brinkman commented
I'll comment on this because it's ALSO listed in the Azure AD UserVoice. I'll post the same thing I posted there:
So.. really burning the midnight oil on this one right guys.. This is exactly the reason the UserVoice is a JOKE and I've basically stopped participating in it. It's simply a measuring stick of how little MS really cares about what we, the admins, want/need and how little MS cares to do it.
MS only cares about shot gunning out cool new services they can up sell us on.. if it's not a new SKU who cares about fixing basic flaws in the workflow. That does not make $$.
please Microsoft, at least share with us your road map so that we can all see how many sharp bends, dead ends, traffic lights, tunnels, ferry crossings, roadworks etc etc etc there are between here and the solution so eagerly awaited
we need this asap, we have to depend on admins with global admin permission to enable / disable MFA for users every time. This is inconvenience to manage for larger user base. Hope Microsoft provides some solution asap.
Jeremiah Moberly commented
We would love to be able to delegate this role asap. We have only two Global Admins (one of which is a manager, not a tech) and a staff of over 400. Our helpdesk staff should be able to manage this for users having trouble. I'm surprised this is still being requested after two years, with no updates or timeline given!
Jose Rivera commented
We need that ASAP... We managed thousands of accounts with MFA... and our Help Desk Team cannot do that
Any update on this? Really need to get something in place.
agreed. This feature is definitely required. Its crazy that I have to give Global admin rights to lower tier support personnel
Cory Lawson commented
Richard Baldock commented
This is also logged via the Azure improvements portal > https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10072839-allow-the-user-admin-role-to-enable-disable-mfa-fo?page=1&per_page=20
Lets get moving on this Microsoft!
Karl Mathern commented
I agree this should be an option to assign MFA rights by itself without the need to be a GA