Forum Discussion
ChrisP1975
Feb 24, 2021 (Copper Contributor)
Office 365 Admin Role Needed for MFA
I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go i...
- Feb 25, 2021
None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
mhikolet
Dec 06, 2022 (Copper Contributor)
I had the same issue and found this article.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
I hope this article will help.
Usually, your helpdesk will not go to the per-user MFA portal; this is for the Global Admin role. They will reset MFA via Azure under Users > Select Users > Authentication Method and click the Require re-register multifactor authentication button.
Your helpdesk needs the Global Reader role to access users and the Authentication Admin role so they can re-register MFA.
Cheers!!
lspot
Jan 04, 2023 (Copper Contributor)
I looked at that article and gave my limited admin the Authentication Administrator role. I don't think you have to give them Global Reader as long as you provide the URL to the Azure AD portal. I don't see anywhere in Azure AD where you can set MFA to enabled or enforced, which is what I believe the original poster is looking for. I would also like to be able to set up a limited admin to do this task: create the user, license the user, enable MFA. Then when the user first logs in they have to set up MFA. Am I missing something in Azure AD? Neither Require re-register nor revoke authentication appears to change the Multi-Factor Auth Status to enabled for the user.
- GhostinHead, Jan 24, 2023 (Copper Contributor)
lspot, I was also trying to do this. So nothing short of God mode will do. Great job Microsoft.