Forum Discussion

Razzi_Medina
Copper Contributor
Mar 07, 2025

non-admin help desk manage user mfa settings

I have a requirement to grant the ability to provide our Help Desk staff the ability to enable or disable a user's MFA settings in Entra Admin Centre -> Users-> User and MFA. Definitely we do not want to grant the user Global Administrators membership. We added some members to the following roles but still they cannot change the setting -> User Administrator, Password Administrator, and Authentication Administrator. Any help is appreciated here. I am also open to custom roles that will work to accomplish this action.

2 Replies

  • LainRobertson
    Silver Contributor

    Hi Razzi_Medina,

    Could I ask for some clarity on which screen you're talking about, and what's not working for you?

    Based on your requirements, the Authentication Administrator role should have provided your Helpdesk staff with exactly what you've outlined - with the important caveat that they cannot change the MFA settings of another privileged user (meaning you need to be sure they're testing against a "normal" user):

    Assuming you are talking about the screen below, then I have no problem changing any of these user settings when I'm a member of Authentication Administrators (with zero other Entra RBAC roles).

    Cheers,

    Lain

  • firatkutay
    Copper Contributor

    Hi Razzi,

    To empower your Help Desk staff to manage users' Multi-Factor Authentication (MFA) settings in the Microsoft Entra Admin Center without assigning the Global Administrator role, consider the following approaches:

    1. Assign the Authentication Administrator Role:

    The Authentication Administrator role permits users to manage authentication methods for non-administrative users. This includes adding or modifying phone numbers used for MFA, resetting passwords, requiring users to re-register for MFA, and revoking existing MFA sessions.

    Limitations:

    • This role does not grant permissions to manage authentication methods for users with administrative roles.

    2. Assign the Privileged Authentication Administrator Role:

    The Privileged Authentication Administrator role extends the capabilities of the Authentication Administrator by allowing management of authentication methods for all users, including those with administrative roles.

    3. Create a Custom Role:

    If the built-in roles provide more permissions than desired, you can create a custom role tailored to your organization's needs. However, as of the latest updates, certain permissions related to managing user authentication methods may not be available for selection when creating custom roles. It's essential to verify the current availability of these permissions in your Microsoft Entra environment.

    Steps to Create a Custom Role:

    1. Sign in to the Microsoft Entra admin center with at least the Privileged Role Administrator role.
    2. Navigate to Identity > Roles & admins > Roles & admins.
    3. Select + New custom role.
    4. On the Basics tab, provide a name and description for the role.
    5. On the Permissions tab, select the necessary permissions related to managing user authentication methods.
    6. Review and Create the role.
      https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-create?tabs=admin-center

    Recommendation:

    Assigning the Authentication Administrator role is a practical approach to grant Help Desk staff the necessary permissions to manage MFA settings for non-administrative users. If there's a need to manage MFA settings for all users, including administrators, the Privileged Authentication Administrator role would be more appropriate. Always ensure that roles are assigned following the principle of least privilege to maintain security.
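As an added example, not code from either reply: the same least-privilege assignment done with the Microsoft Graph PowerShell SDK, plus the pre-check that Lain's caveat implies, listing a target user's active directory role assignments so the help desk knows in advance whether Authentication Administrator is enough for that user or the Privileged Authentication Administrator role would be needed. The two UPNs are placeholders.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Both UPNs below are placeholders; replace them with real accounts.
$helpDeskUpn = "helpdesk.user@contoso.example"   # placeholder
$targetUpn   = "normal.user@contoso.example"     # placeholder

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Resolve the built-in role definition by display name rather than hard-coding its template ID.
$authAdmin = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Authentication Administrator'"

# 2. Assign it tenant-wide (directory scope "/") to the help desk account.
#    This is the least-privilege choice; no Global Administrator membership is involved.
$helpDesk = Get-MgUser -UserId $helpDeskUpn
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $authAdmin.Id `
    -PrincipalId      $helpDesk.Id `
    -DirectoryScopeId "/"

# 3. Pre-check a target user. Authentication Administrator cannot manage the MFA methods
#    of anyone who holds a directory role, so return the display names of the target's
#    active role assignments; if any come back, the help desk will be blocked on that user.
function Get-BlockingRoles {
    param([string]$Upn)
    $user = Get-MgUser -UserId $Upn
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'"
    foreach ($a in $assignments) {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    }
}

$roles = Get-BlockingRoles -Upn $targetUpn
if ($roles) {
    Write-Host "$targetUpn holds: $($roles -join ', ')."
    Write-Host "Authentication Administrator is not enough here; Privileged Authentication Administrator is required."
} else {
    Write-Host "$targetUpn holds no directory role; Authentication Administrator can manage its MFA methods."
}
```

The role-assignment query returns active assignments only, so a target user who is merely PIM-eligible for a role will not appear until that role is activated.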