
Enable/enforce/disable MFA on a user requires Global admin, options?

Alex Wilhelmsen
New Contributor

Hi

 

Enable/enforce/disable MFA on a user requires Global admin. As I try to limit the number of Global Admins, and the use of that privilege level, I am looking for options.

 

I would like our access team to be able to handle MFA for normal users, not privileged and non-synced accounts. The best option would be through groups, and either connected through a service or a service account. The goal is as automated as possible, but still with good enough security.

 

Anyone out there with a solution, thoughts or the same challenge?

 

 

2 Replies

You can look into using Privileged Identity Management instead.

Hi

 

Thanks for your suggestion. Privileged Identity Management is an option, but also an additional cost, and does not really solve the automation part. Seems like most of it is solved in MFA server, but Azure MFA service is still very limited. Group membership to add MFA in Azure MFA service would have been magnificent.
