Enable/enforce/disable MFA on a user requires Global admin, options?


Hi

Enable/enforce/disable MFA on a user requires Global admin. As I try to limit the number of Global Admins, and the use of that privilege level, I am looking for options.

I would like our access team to be able to handle MFA for normal users, not privileged and non-synced accounts. The best option would be through groups, and either connected through a service or a service account. The goal is as automated as possible, but still with good enough security.

Anyone out there with a solution, thoughts or the same challenge?

2 Replies

You can look into using Privileged Identity Management instead.


Hi

Thanks for your suggestion. Privileged Identity Management is an option, but also an additional cost, and does not really solve the automation part. Seems like most of it is solved in MFA server, but Azure MFA service is still very limited. Group membership to add MFA in Azure MFA service would have been magnificent.