Forum Discussion
Office 365 Admin Role Needed for MFA
- Feb 25, 2021
None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
I had the same issue and found this article.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
Hope this article will help.
Usually, your helpdesk will not go to the per-user MFA portal; this is for the Global Admin role. They will reset the MFA via Azure under Users > Select Users > Authentication Method and click the Require re-register multifactor authentication button.
Your helpdesk needs roles: Global Reader Role to access users, and Authentication Admin Role so they can re-register the MFA.
Cheers!!
I looked at that article and gave my limited admin the Authentication Administrator role. I don't think you have to give them Global Reader as long as you provide the URL to the Azure AD portal. I don't see anywhere in Azure AD where you can set MFA to enabled or enforced, which is what I believe the original poster is looking for. I would also like to be able to set up a limited admin to do this task: create the user, license the user, enable MFA. Then when the user first logs in they have to set up MFA. Am I missing something in Azure AD? Neither Require re-register nor revoke authentication appears to change the Multi-Factor Auth Status to enabled for the user.
- GhostinHead, Jan 24, 2023, Copper Contributor
lspot I was also trying to do this. So nothing short of God mode will do. Great job Microsoft.