01-22-2019 12:15 PM
01-22-2019 12:15 PM
I would like to have your feedback as we are currently looking to delegate some tasks under Azure MFA like disable users and upload OATH Tokens.
Currently the least privileged role to perform this actions is a Global Administrator account, I was checking the Azure Roadmap and I couldn't find details to confirm if this feature is planned to be rolled out.
Do you know if this is planned to arrive in the near future?, any ETA or to be part of a preview would be interesting.
Any comment is welcome!
01-22-2019 12:40 PM
If you require MFA via a conditional access policy you can define included and excluded groups, then delegate the management of those groups. We also use Flow to remove people from an exclude group each night so they only get 1 days access to get themselves back.
01-22-2019 11:29 PMSolution
A new API is coming (in Preview currently) that will finally allow us to delegate/automate Azure MFA management. No ETA has been shared yet though.
01-24-2019 09:08 AM
Really useful insights!, we have Conditional Access rules in place to apply MFA.
The thing is that some users are marked as Enabled under MFA, we need to change the status to Disabled in order to get CA rules apllied correctly; also some users have a Hardware token that needs to be assigned under AAD -MFA Interface.
We would like to delegate this tasks with a least privileged role than Global Admin.
01-24-2019 09:10 AM
Just to make sure I'm checking at the right place, any updates about this preview should be available at the Azure blog right?.
03-01-2019 07:05 AM
Any update on the release date for this?
Was mentioned in December that it was in private preview with more new soon.
06-26-2019 11:28 AM - edited 06-26-2019 11:44 AM
Today I found out that there's a new role called Authentication Administrator in preview.
This role allows you to perform several tasks like:
- View, edit and reset the authentication methods for users in AAD.(including MFA)
But for other tasks like enable/disable OATH Tokens you still need a member of the Global Administrator role.
08-20-2019 12:36 AM
Yeah, this is something that is sorely missing
I need to be able to grant permissions for our Service Desk staff to be able to deploy OATH tokens. There's no way that I want to give them Global Administrator just for that! :)
Any further updates @Vasil Michev ?
by Alex Simons (AZURE) on April 30, 2020
by Sue Bohn on April 15, 2020