Forum Discussion
Office 365 Admin Role Needed for MFA
- Feb 25, 2021
None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
The Authentication Administrator should do, for all general users.
Use the Privileged Authentication Administrator role for admin privileged accounts.
- brianzx7 Oct 06, 2022 Copper Contributor
Nope, like I said, I gave my employee all of the admin privileges including the Authentication Administrator and he could not change the MFA settings. Once I gave him global admin, he was able to do that task.
- mhikolet Dec 06, 2022 Copper Contributor
I had the same issue and found this article.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
Hope this article will help. Usually, your helpdesk will not go to the per-user MFA portal; this is for the Global Admin role. They will reset the MFA via Azure under Users > Select Users > Authentication Method and click the Require re-register multifactor authentication button.
Your helpdesk needs the Global Reader role to access users and the Authentication Admin role so they can re-register the MFA.
Cheers!!
- lspot Jan 04, 2023 Copper Contributor
I looked at that article and gave my limited admin the Authentication Administrator role. I don't think you have to give them Global Reader as long as you provide the URL to the Azure AD portal. I don't see anywhere in Azure AD where you can set MFA to enabled or enforced, which is what I believe the original poster is looking for. I would also like to be able to set up a limited admin to do this task: create the user, license the user, enable MFA. Then when the user first logs in they have to set up MFA. Am I missing something in Azure AD? Neither Require re-register nor Revoke authentication appears to change the Multi-Factor Auth Status to enabled for the user.