Delegate Azure AD MFA administration

Cristian Vergara
Occasional Contributor

Hello community

I would like to have your feedback, as we are currently looking to delegate some tasks under Azure MFA, like disabling users and uploading OATH tokens.

Currently the least privileged role that can perform these actions is a Global Administrator account. I was checking the Azure Roadmap and I couldn't find details to confirm whether this feature is planned to be rolled out.

Do you know if this is planned to arrive in the near future? Any ETA, or a chance to be part of a preview, would be interesting.

Any comment is welcome!

Thanks.

Cristian

9 Replies

If you require MFA via a conditional access policy you can define included and excluded groups, then delegate the management of those groups. We also use Flow to remove people from an exclude group each night so they only get 1 day's access to get themselves back.
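The nightly cleanup described in the reply above, as an added example that is not code from the thread, from Microsoft, or from any poster here. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), a placeholder group object ID passed as -ExcludeGroupId, and an automation identity that holds only the two Graph scopes requested below rather than Global Administrator. It also adds a guard the reply does not mention: the job refuses to empty a group that is not actually referenced as an exclusion in an enabled Conditional Access policy, so a wrong group ID cannot silently strip people out of an unrelated group.

```powershell
<#
Added example (not from the thread): empty the Conditional Access MFA exclusion group
every night so that a temporary exemption lasts at most one day.
Assumptions: Microsoft Graph PowerShell SDK installed; $ExcludeGroupId is a placeholder
for your exclusion group's object ID; run as a scheduled task with a dedicated identity.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ExcludeGroupId,
    [string] $LogPath = (Join-Path (Get-Location) 'mfa-exclusion-cleanup.log')
)

function Write-Log {
    param([string] $Message)
    $line = '{0:u} {1}' -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Least privilege for the automation identity: read CA policies, read/write group membership.
Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.ReadWrite.All' -NoWelcome

# Guard: only touch a group that is used as an exclusion by at least one enabled CA policy.
$usedAsExclusion = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeGroups -contains $ExcludeGroupId }
if (-not $usedAsExclusion) {
    throw "Group $ExcludeGroupId is not an exclusion group in any enabled Conditional Access policy; refusing to run."
}

$group   = Get-MgGroup -GroupId $ExcludeGroupId -Property Id,DisplayName
$members = Get-MgGroupMember -GroupId $ExcludeGroupId -All
Write-Log "Cleanup of '$($group.DisplayName)': $($members.Count) member(s) found."

foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    # Only user objects belong in an exclusion group. A nested group or service principal
    # would exempt a whole population at once, so it is reported and left for a human.
    if ($type -ne '#microsoft.graph.user') {
        Write-Log "WARNING: non-user member $($m.Id) ($type) left in place; review manually."
        continue
    }
    $upn = $m.AdditionalProperties['userPrincipalName']
    if ($PSCmdlet.ShouldProcess($upn, "Remove from '$($group.DisplayName)'")) {
        Remove-MgGroupMemberByRef -GroupId $ExcludeGroupId -DirectoryObjectId $m.Id
        Write-Log "Removed $upn ($($m.Id)); the MFA policy applies again at the next sign-in."
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once with `-WhatIf -Verbose` to see who would be removed before scheduling it. The log file is the audit trail for the exemption: anyone who was in the group that day is recorded with the time they were removed, which is what you want to hand to an auditor asking who bypassed MFA and for how long.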

Solution

A new API is coming (in Preview currently) that will finally allow us to delegate/automate Azure MFA management. No ETA has been shared yet though.

Thanks Steven

Really useful insights! We have Conditional Access rules in place to apply MFA.

The thing is that some users are marked as Enabled under MFA; we need to change the status to Disabled in order to get the CA rules applied correctly. Also, some users have a hardware token that needs to be assigned under the AAD MFA interface.

We would like to delegate these tasks with a less privileged role than Global Admin.

Thanks!

Cristian
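The per-user MFA state change Cristian describes above, as an added example that is not code from the thread or from Microsoft. It uses the MSOnline module (Install-Module MSOnline), which is the interface that exposes the per-user Enabled/Enforced/Disabled state; the account running it still needs the rights the thread complains about, so the point is that one reviewed script is run by a privileged admin instead of handing that role to the service desk. The CSV column name and report path are assumptions.

```powershell
<#
Added example (not from the thread): report every user whose per-user MFA state is
Enabled or Enforced, and optionally clear that state for a reviewed list of users so
the Conditional Access policy becomes the only thing requiring MFA.
Assumptions: MSOnline module installed; -TargetListCsv has a "UserPrincipalName" column.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Users to change. Leave empty to produce the report only.
    [string] $TargetListCsv,
    [string] $ReportPath = (Join-Path (Get-Location) 'per-user-mfa-state.csv')
)

Connect-MsolService

# StrongAuthenticationRequirements is empty for Disabled users and holds one entry
# whose State is Enabled or Enforced otherwise.
$flagged = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = $_.StrongAuthenticationRequirements[0].State
            # Registered methods survive the state change; CA keeps using them.
            RegisteredMethods = ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ';'
        }
    }

$flagged | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($flagged.Count) user(s) with per-user MFA state; report written to $ReportPath"

if (-not $TargetListCsv) { return }

$targets = Import-Csv -Path $TargetListCsv | ForEach-Object UserPrincipalName
foreach ($user in ($flagged | Where-Object { $targets -contains $_.UserPrincipalName })) {
    # Enabled and Enforced are cleared the same way: an empty requirements list means Disabled.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Clear per-user MFA state ($($user.PerUserMfaState))")) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @()
    }
}
```

Order matters here: confirm the Conditional Access policy that requires MFA is enabled and includes these users before clearing their per-user state, otherwise there is a window in which neither mechanism prompts them. The report step exists so that check can be done against a concrete list rather than the whole directory.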

Thanks Vasil!

Just to make sure I'm checking in the right place: any updates about this preview should be available on the Azure blog, right?

Best regards.

Cristian

Any update on the release date for this?

It was mentioned in December that it was in private preview, with more news soon.

@Vasil Michev any updates? 

Any updates on this feature? @Vasil Michev 

Hi @tweso

Today I found out that there's a new role called Authentication Administrator in preview.

This role allows you to perform several tasks like:

- View, edit and reset the authentication methods for users in AAD (including MFA).

But for other tasks like enabling/disabling OATH tokens you still need a member of the Global Administrator role.

Cheers!

Cristian
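Assigning the Authentication Administrator role mentioned above to a service-desk account, as an added example that is not code from the thread or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK; the -DeskUpn and -AdminUnitId values are placeholders. Two caveats a practitioner should keep in mind: Authentication Administrator can reset authentication methods only for users who hold no admin role (admins need Privileged Authentication Administrator), and the assignment only reduces risk if the desk account itself is covered by an MFA policy, since a method reset is a credential reset in all but name.

```powershell
<#
Added example (not from the thread): grant a service-desk account Authentication
Administrator instead of Global Administrator, scoped to an administrative unit when
one is given, then verify the account holds no Global Administrator assignment.
Assumptions: Microsoft Graph PowerShell SDK installed; $DeskUpn/$AdminUnitId are placeholders.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $DeskUpn,
    # Optional administrative unit ID; with it, the role applies only to users in that unit.
    [string] $AdminUnitId
)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

$desk = Get-MgUser -UserId $DeskUpn -Property Id,UserPrincipalName

# Look the built-in role up by name rather than hard-coding its ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Authentication Administrator'"
if (@($roleDef).Count -ne 1) { throw 'Expected exactly one Authentication Administrator role definition.' }

# '/' is tenant-wide; an administrative-unit scope confines the desk to that unit's users.
$scope = if ($AdminUnitId) { "/administrativeUnits/$AdminUnitId" } else { '/' }

if ($PSCmdlet.ShouldProcess($desk.UserPrincipalName, "Assign $($roleDef.DisplayName) at scope $scope")) {
    New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $desk.Id `
        -RoleDefinitionId $roleDef.Id `
        -DirectoryScopeId $scope | Out-Null
}

# Verification: show everything the account holds and warn if Global Administrator is among it,
# since keeping GA alongside the delegated role defeats the purpose of the exercise.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($desk.Id)'" -ExpandProperty roleDefinition
foreach ($a in $assignments) {
    '{0,-40} scope {1}' -f $a.RoleDefinition.DisplayName, $a.DirectoryScopeId
}
if ($assignments.RoleDefinition.DisplayName -contains 'Global Administrator') {
    Write-Warning "$($desk.UserPrincipalName) still holds Global Administrator; remove it before relying on the delegation."
}

Disconnect-MgGraph | Out-Null
```

The administrative-unit scope is the part worth spending time on: a desk that can reset MFA methods tenant-wide can reset them for anyone, whereas a desk scoped to a unit that excludes admin and service accounts cannot be used to take over those accounts even if its own credentials are phished.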

Yeah, this is something that is sorely missing.

I need to be able to grant permissions for our Service Desk staff to be able to deploy OATH tokens. There's no way that I want to give them Global Administrator just for that! :)

Any further updates @Vasil Michev ?
