Hi @Abhijeet Kumar Sinha,
The problem with the authentication admin and management of MFA is that the role is too powerful. Users with this role can do much more than only manage MFA. Many of the requests in UserVoice also deal with the problem that they need to delegate, e.g., the reset of MFA to user helpdesk staff.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
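
An added example, not part of the original post or of Microsoft's documentation: a review over a directory export that lists the accounts the quoted note is about, those that hold no directory role but whose ownerships still carry privileged access. The inventory format, all names, and the rule that role-less accounts are the ones an Authentication Administrator can reset are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed inventory (not from a real tenant), shaped like an export of
# directory role assignments and object ownerships.
INVENTORY = {
    "directory_roles": {              # user -> directory roles held
        "alice": ["Global Administrator"],
        "bob": [],
        "carol": [],
        "dave": [],
        "erin": ["Authentication Administrator"],
    },
    "app_owners": [                   # (owner, app, app holds privileged permissions?)
        ("bob", "hr-sync-app", True),
        ("carol", "lunch-menu-app", False),
        ("alice", "tenant-admin-app", True),
    ],
    "group_owners": [                 # (owner, group, group grants sensitive access?)
        ("carol", "finance-readers", True),
    ],
    "subscription_owners": [("dave", "prod-subscription")],
}

def indirect_privilege_holders(inv):
    """Return {user: [reasons]} for users with no directory role (assumed
    here to be resettable by an Authentication Administrator) whose
    ownerships nevertheless carry privileged access."""
    findings = defaultdict(list)
    resettable = {u for u, roles in inv["directory_roles"].items() if not roles}
    for owner, app, privileged in inv["app_owners"]:
        if owner in resettable and privileged:
            findings[owner].append(f"owns privileged app {app}")
    for owner, group, sensitive in inv["group_owners"]:
        if owner in resettable and sensitive:
            findings[owner].append(f"owns sensitive group {group}")
    for owner, sub in inv["subscription_owners"]:
        if owner in resettable:
            findings[owner].append(f"owns Azure subscription {sub}")
    return dict(findings)

def report(inv):
    """Pair the role holders with the accounts their resets could expose."""
    admins = sorted(u for u, roles in inv["directory_roles"].items()
                    if "Authentication Administrator" in roles)
    return {"authentication_admins": admins,
            "exposed_accounts": indirect_privilege_holders(inv)}

if __name__ == "__main__":
    for user, reasons in report(INVENTORY)["exposed_accounts"].items():
        print(user, "->", "; ".join(reasons))
```

Each account in the output is one where a credential reset is equivalent to handing over the access listed beside it, which is the basis for deciding who may hold the role.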