cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Home

Delegate Azure AD MFA administration

%3CLINGO-SUB%20id%3D%22lingo-sub-323965%22%20slang%3D%22en-US%22%3EDelegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-323965%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20community%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20have%20your%20feedback%20as%20we%20are%20currently%20looking%20to%20delegate%20some%20tasks%20under%20Azure%20MFA%20like%20disable%20users%20and%20upload%20OATH%20Tokens.%3C%2FP%3E%3CP%3ECurrently%20the%20least%20privileged%20role%20to%20perform%20this%20actions%20is%20a%20Global%20Administrator%20account%2C%20I%20was%20checking%20the%20Azure%20Roadmap%20and%20I%20couldn't%20find%20details%20to%20confirm%20if%20this%20feature%20is%20planned%20to%20be%20rolled%20out.%3C%2FP%3E%3CP%3EDo%20you%20know%20if%20this%20is%20planned%20to%26nbsp%3Barrive%20in%20the%20near%20future%3F%2C%20any%20ETA%20or%20to%20be%20part%20of%20a%20preview%20would%20be%20interesting.%3C%2FP%3E%3CP%3EAny%20comment%20is%20welcome!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-323965%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edelegate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emfa%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358975%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358975%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20update%20on%20the%20release%20date%20for%20this%3F%3C%2FP%3E%3CP%3EWas%20mentioned%20in%20December%20that%20it%20was%20in%20private%20preview%20with%20more%20new%20soon.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-325101%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-325101%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Vasil!%3C%2FP%3E%3CP%3EJust%20to%20make%20sure%20I'm%20checking%20at%20the%20right%20place%2C%20any%20updates%20about%20this%20preview%20should%20be%20available%20at%20the%20Azure%20blog%20right%3F.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards.%3C%2FP%3E%3CP%3ECristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-325099%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-325099%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Steven%3C%2FP%3E%3CP%3EReally%20useful%20insights!%2C%20we%20have%20Conditional%20Access%20rules%20in%20place%20to%20apply%20MFA.%3C%2FP%3E%3CP%3EThe%20thing%20is%20that%20some%20users%20are%20marked%20as%20Enabled%20under%20MFA%2C%20we%20need%20to%20change%20the%20status%20to%20Disabled%20in%20order%20to%20get%20CA%20rules%20apllied%20correctly%3B%20also%20some%20users%20have%20a%20Hardware%20token%20that%20needs%20to%20be%20assigned%20under%20AAD%20-MFA%20Interface.%3C%2FP%3E%3CP%3EWe%20would%20like%20to%20delegate%20this%20tasks%20with%20a%20least%20privileged%20role%20than%20Global%20Admin.%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3ECristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324135%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324135%22%20slang%3D%22en-US%22%3E%3CP%3EA%20new%20API%20is%20coming%20(in%20Preview%20currently)%20that%20will%20finally%20allow%20us%20to%20delegate%2Fautomate%20Azure%20MFA%20management.%20No%20ETA%20has%20been%20shared%20yet%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-323985%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-323985%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20require%20MFA%20via%20a%20conditional%20access%20policy%20you%20can%20define%20included%20and%20excluded%20groups%2C%20then%20delegate%20the%20management%20of%20those%20groups.%20We%20also%20use%20Flow%20to%20remove%20people%20from%20an%20exclude%20group%20each%20night%20so%20they%20only%20get%201%20days%20access%20to%20get%20themselves%20back.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-464324%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-464324%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bany%20updates%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-688326%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-688326%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20updates%20on%20this%20feature%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722551%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722551%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F359136%22%20target%3D%22_blank%22%3E%40tweso%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EToday%20I%20found%20out%20that%20there's%20a%20new%20role%20called%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-assign-admin-roles%23authentication-administrator%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAuthentication%20Administrator%3C%2FA%3E%20in%20preview.%3C%2FP%3E%3CP%3EThis%20role%20allows%20you%20to%20perform%20several%20tasks%20like%3A%3C%2FP%3E%3CP%3E-%20View%2C%20edit%20and%20reset%20the%20authentication%20methods%20for%20users%20in%20AAD.(including%20MFA)%3C%2FP%3E%3CP%3EBut%20for%20other%20tasks%20like%20enable%2Fdisable%20OATH%20Tokens%20you%20still%20need%20a%20member%20of%20the%20Global%20Administrator%20role.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECristian%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-812271%22%20slang%3D%22en-US%22%3ERe%3A%20Delegate%20Azure%20AD%20MFA%20administration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-812271%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%2C%20this%20is%20something%20that%20is%20sorely%20missing%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20to%20be%20able%20to%20grant%20permissions%20for%20our%20Service%20Desk%20staff%20to%20be%20able%20to%20deploy%20OATH%20tokens.%20There's%20no%20way%20that%20I%20want%20to%20give%20them%20Global%20Administrator%20just%20for%20that!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20further%20updates%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Cristian Vergara
Cristian Vergara
Occasional Contributor

‎01-22-2019 12:15 PM

‎01-22-2019 12:15 PM

Delegate Azure AD MFA administration

Hello community

 

I would like to have your feedback as we are currently looking to delegate some tasks under Azure MFA like disable users and upload OATH Tokens.

Currently the least privileged role to perform this actions is a Global Administrator account, I was checking the Azure Roadmap and I couldn't find details to confirm if this feature is planned to be rolled out.

Do you know if this is planned to arrive in the near future?, any ETA or to be part of a preview would be interesting.

Any comment is welcome!

 

Thanks.

 

Cristian

2,078 Views
1 Like
9 Replies
Reply
9 Replies
Highlighted
Steven Collier

‎01-22-2019 12:40 PM

‎01-22-2019 12:40 PM

Re: Delegate Azure AD MFA administration

If you require MFA via a conditional access policy you can define included and excluded groups, then delegate the management of those groups. We also use Flow to remove people from an exclude group each night so they only get 1 days access to get themselves back.

1 Like
Reply
Vasil Michev

‎01-22-2019 11:29 PM

‎01-22-2019 11:29 PM

Solution

Re: Delegate Azure AD MFA administration

A new API is coming (in Preview currently) that will finally allow us to delegate/automate Azure MFA management. No ETA has been shared yet though.

Best Response confirmed by Cristian Vergara (Occasional Contributor)
1 Like
Reply
Cristian Vergara

‎01-24-2019 09:08 AM

‎01-24-2019 09:08 AM

Re: Delegate Azure AD MFA administration

Thanks Steven

Really useful insights!, we have Conditional Access rules in place to apply MFA.

The thing is that some users are marked as Enabled under MFA, we need to change the status to Disabled in order to get CA rules apllied correctly; also some users have a Hardware token that needs to be assigned under AAD -MFA Interface.

We would like to delegate this tasks with a least privileged role than Global Admin.

Thanks!

Cristian

0 Likes
Reply
Cristian Vergara

‎01-24-2019 09:10 AM

‎01-24-2019 09:10 AM

Re: Delegate Azure AD MFA administration

Thanks Vasil!

Just to make sure I'm checking at the right place, any updates about this preview should be available at the Azure blog right?.

 

Best regards.

Cristian

0 Likes
Reply
JoeMcGlynn

‎03-01-2019 07:05 AM

‎03-01-2019 07:05 AM

Re: Delegate Azure AD MFA administration

Any update on the release date for this?

Was mentioned in December that it was in private preview with more new soon.

0 Likes
Reply
Marcin Trzciński

‎04-16-2019 10:53 PM

‎04-16-2019 10:53 PM

Re: Delegate Azure AD MFA administration

@Vasil Michev any updates? 

0 Likes
Reply
tweso

‎06-12-2019 11:46 AM

‎06-12-2019 11:46 AM

Re: Delegate Azure AD MFA administration

Any updates on this feature? @Vasil Michev 

0 Likes
Reply
Cristian Vergara

‎06-26-2019 11:28 AM - edited ‎06-26-2019 11:44 AM

‎06-26-2019 11:28 AM - edited ‎06-26-2019 11:44 AM

Re: Delegate Azure AD MFA administration

Hi @tweso

 

Today I found out that there's a new role called Authentication Administrator in preview.

This role allows you to perform several tasks like:

- View, edit and reset the authentication methods for users in AAD.(including MFA)

But for other tasks like enable/disable OATH Tokens you still need a member of the Global Administrator role.

 

Cheers!

 

Cristian 

0 Likes
Reply
DannyC_Gamma

‎08-20-2019 12:36 AM

‎08-20-2019 12:36 AM

Re: Delegate Azure AD MFA administration

Yeah, this is something that is sorely missing

 

I need to be able to grant permissions for our Service Desk staff to be able to deploy OATH tokens. There's no way that I want to give them Global Administrator just for that! :)

 

Any further updates @Vasil Michev ?

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
30 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies