Forum Discussion
ChrisP1975
Feb 24, 2021 (Copper Contributor)
Office 365 Admin Role Needed for MFA
I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go i...
- Feb 25, 2021
None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
acerimeli
Feb 27, 2023 (Copper Contributor)
I found a solution to this.
From this post: https://learn.microsoft.com/en-us/answers/questions/325505/allow-support-users-to-enable-mfa-for
"To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:
Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA."
- HamzaDurrani, Apr 16, 2024 (Copper Contributor)
It worked for me, thanks acerimeli.
- Johann1575, Dec 01, 2023 (Copper Contributor)
This works perfectly. Just send them the link to the legacy MFA portal and they can enable/disable MFA, and also enable/disable "Require selected users to provide contact methods again". They can't "Delete all existing app passwords generated by the selected users" though. Only Global Admins, it seems.
- lspot, Mar 06, 2023 (Copper Contributor)
acerimeli's solution worked for me, although you have to give them the path to the MFA portal: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
The link doesn't show up at the top of the user list like I'm used to seeing as a global admin.
The Privileged Authentication Administrator Role seems pretty innocuous, but curious what people think of the Authentication Policy Administrator. Is that just big words for can enable and disable MFA for anyone in the tenant?
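An added example, not code from any post in this thread: the two-role assignment acerimeli quotes, done with the Microsoft Graph PowerShell SDK against a help-desk group, followed by a membership listing so that the assignment (and lspot's question about how much the roles grant) can be reviewed. It assumes the Microsoft.Graph module is installed, the signed-in account may manage directory roles, and the group name "HelpDesk-MFA" is a placeholder for your own role-assignable group; Privileged Authentication Administrator can reset authentication methods for any user, including Global Administrators, so its membership is worth auditing after every change.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph SDK and an account
# allowed to manage directory roles. "HelpDesk-MFA" is a placeholder group name.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All", "Directory.Read.All"

$HelpDeskGroupName = "HelpDesk-MFA"   # placeholder; the group must be role-assignable (IsAssignableToRole = $true)
$group = Get-MgGroup -Filter "displayName eq '$HelpDeskGroupName'"
if (-not $group) { throw "Group '$HelpDeskGroupName' not found" }

# The two roles named in the quoted Microsoft answer above.
$roleNames = @("Authentication Policy Administrator", "Privileged Authentication Administrator")

foreach ($name in $roleNames) {
    # A directory role only exists in the tenant once it has been activated from its template.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq $name
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $name
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }

    # Add the help-desk group as a member of the role.
    $ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($group.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref

    # Review step: list every member the role now has. Privileged Authentication Administrator
    # can reset authentication methods for any user, including Global Administrators, so this
    # list should be checked (and alerted on) whenever it changes.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        [pscustomobject]@{
            Role     = $name
            MemberId = $_.Id
            Type     = $_.AdditionalProperties['@odata.type']
        }
    }
}
```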