Delegate permissions for managing MFA
To be able to delegate the permission of administering user account MFA settings like enable/disable, forcing a reset of the MFA code, etc.
Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
We have heard the feedback and we’ve added it to our upcoming investments. While we do not have a date for this yet, we hope to be able to provide one soon. Thank you for the continued feedback.
Michael Dickerson commented
Joining the choir here, but as everyone says, we only have a few global admins (per Microsoft's specific suggestions surrounding security), so that means that only 3 of us can enable/disable MFA. This means that every new user and every dept we try to switch requires one of us to be present when rolling it out, when this should be something our helpdesk can do.
It would be better if the user could also enable MFA himself!!!
Still waiting, Microsoft!!.. but for those looking for a workaround...
Create an Azure Automation runbook that runs using a service account that is a global admin.
That runbook runs a PowerShell script that resets MFA preferences.
Create an MS Flow that triggers the runbook.
Share the MS flow with your support staff.
The support staff opens MS Flow, enters the user's UPN and runs it.
The user's UPN is passed to the runbook and the MFA preferences are reset.
Next time the user logs into O365, the user is prompted to re-register new preferences.
You can easily follow the steps in the link below and just modify it to reset MFA instead of resetting password.
The command to reset MFA is: Set-MSOLUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
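The runbook body from the workaround above, written out as an added example (not the commenter's own script). It assumes the Automation account has the MSOnline module imported and a credential asset named "MfaResetServiceAccount" (a placeholder name) holding the global-admin service account.

```powershell
# Added example: Azure Automation runbook that resets a user's MFA methods.
# Assumptions (not from the original post): the MSOnline module is imported into the
# Automation account, and a credential asset named "MfaResetServiceAccount"
# (placeholder) holds the global-admin service account the runbook signs in as.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

# Reject anything that is not a plausible UPN before touching the tenant, since the
# value arrives from a Flow that support staff fill in by hand.
if ($UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "Invalid UPN supplied: '$UserPrincipalName'"
}

# Pull the stored credential from the Automation account and sign in to MSOnline.
# Support staff never see this credential; they only get the shared Flow.
$cred = Get-AutomationPSCredential -Name 'MfaResetServiceAccount'
Connect-MsolService -Credential $cred

# Fail loudly if the user does not exist rather than silently doing nothing.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

# Record what is being cleared so the job output doubles as an audit trail.
$before = @($user.StrongAuthenticationMethods).Count
Write-Output "User $UserPrincipalName currently has $before MFA method(s) registered."

if ($before -eq 0) {
    Write-Output "Nothing to reset; the user has no registered MFA methods."
    return
}

# The command from the post: clearing the method list forces the user to
# re-register MFA at the next sign-in.
Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()

# Read the object back to confirm the change actually applied.
$after = @((Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods).Count
Write-Output "Reset complete; $after MFA method(s) remain (expected 0)."
```

The Flow only needs to pass the UPN into the runbook's UserPrincipalName parameter; keeping the global-admin credential solely in the Automation credential asset is what makes this a workable stand-in for a delegated role.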
We have started a project to roll out many services to our users. We will roll out MFA first as it will provide a further layer of protection for cloud services such as Teams and SharePoint Online. We need our service desk to have delegated access for MFA administration.
Jonathan L'Archevêque commented
Felix Alvarado commented
This would definitely be beneficial, to have a non-admin do this function, as depending on the urgency of the request and the channel it has to go through, you could be waiting while your end user requires this to be unblocked ASAP.
Seems like feedback.azure.com gets less votes, but better feedback:
April 2018: "We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA."
And November 2017: "This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role."
Frank Jones commented
This would be great to also allow a service desk resource to unblock an account that has denied MFA accidentally.
This is needed for partner delegated admins too - we can't change MFA settings using our delegated admin rights as a partner of our customers, and have to create a global admin in each tenant to do this. Very irritating.
Anne O'Day commented
Seems to me like this has taken so long because what they're really working toward is self-service MFA reset, taking the load off of both global admins and helpdesk personnel. But that's only from hints I've seen on tweets. Try searching for new registration experience for Azure and Office 365.
David Barr commented
What Brent said.
It's unbelievable this request has been floating around since 2016. What do you guys do all day? This seems like a simple request. It's obvious you don't care about your enterprise customer base. Because we, unlike you have a ton of work to do and resetting MFA at the Global Admin level is not one of them.
Unfortunately, after a long time waiting for this to be added to the roadmap, I can only agree with Bart's comment below. The UserVoice feedback loop is not working.
Bart Brinkman commented
I'll comment on this because it's ALSO listed in the Azure AD UserVoice. I'll post the same thing I posted there:
So.. really burning the midnight oil on this one right guys.. This is exactly the reason the UserVoice is a JOKE and I've basically stopped participating in it. It's simply a measuring stick of how little MS really cares about what we, the admins, want/need and how little MS cares to do it.
MS only cares about shotgunning out cool new services they can upsell us on.. if it's not a new SKU, who cares about fixing basic flaws in the workflow. That does not make $$.
Please, Microsoft, at least share with us your roadmap so that we can all see how many sharp bends, dead ends, traffic lights, tunnels, ferry crossings, roadworks etc etc etc there are between here and the solution so eagerly awaited.
We need this ASAP; we have to depend on admins with Global Admin permission to enable / disable MFA for users every time. This is inconvenient to manage for a larger user base. Hope Microsoft provides some solution ASAP.
Jeremiah Moberly commented
We would love to be able to delegate this role asap. We have only two Global Admins (one of which is a manager, not a tech) and a staff of over 400. Our helpdesk staff should be able to manage this for users having trouble. I'm surprised this is still being requested after two years, with no updates or timeline given!
Jose Rivera commented
We need that ASAP... We managed thousands of accounts with MFA... and our Help Desk Team cannot do that
Any update on this? Really need to get something in place.
Agreed. This feature is definitely required. It's crazy that I have to give Global Admin rights to lower-tier support personnel.