Forum Discussion

ChrisP1975's avatar
ChrisP1975
Copper Contributor
Feb 24, 2021

Office 365 Admin Role Needed for MFA

I would like to assign members of the help desk access to manage MFA for non-admin users.  I already assigned the Authentication admin role and this partially works.  Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there.

 

However, as a Global Admin from the Microsoft 365 admin center I can see Users > Active Users > Multi-Factor Authentication and I can manage Manage multifactor authentication from the User itself.  These options are not available for the help desk.

 

Is there another role that I can use to grant access to the legacy MFA management portal?

Admin
security
    • Manlyboots907's avatar
      Manlyboots907
      Copper Contributor
      Aug 18, 2022
      So is the answer
      "You must be a global admin in order to do this?"
      • ChrisP1975's avatar
        ChrisP1975
        Copper Contributor
        Aug 19, 2022
        I am using Authentication Administrator to grant my help desk team access to make changes to MFA.
    • nomanmaryam343's avatar
      nomanmaryam343
      Copper Contributor
      Aug 11, 2024

      It looks like you’ve set up the Authentication admin role, which is a great start. To ensure full access to MFA management features, consider assigning the "Privileged Authentication Administrator" role. This role will grant the help desk the permissions needed to manage MFA settings directly from the Microsoft 365 admin center. For additional tech resources.

  • acerimeli's avatar
    acerimeli
    Copper Contributor
    Feb 27, 2023
    I found a solution to this.

    From this post:https://learn.microsoft.com/en-us/answers/questions/325505/allow-support-users-to-enable-mfa-for

    "To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:

    Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
    Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA."
    • lspot's avatar
      lspot
      Copper Contributor
      Mar 06, 2023
      acerimeli's solution worked for me. Although you have to give them the path to the MFA portal. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
      The link doesn't show up at the top of the user list like I'm used to seeing as a global admin.
      The Privileged Authentication Administrator Role seems pretty innocuous, but curious what people think of the Authentication Policy Administrator. Is that just big words for can enable and disable MFA for anyone in the tenant?
    • Johann1575's avatar
      Johann1575
      Copper Contributor
      Dec 01, 2023
      This works perfectly. Just send them the link to the legacy MFA portal and they can enable/disable MFA, and also enable/disable "Require selected users to provide contact methods again". They can't "Delete all existing app passwords generated by the selected users" though. Only Global Admins it seems.
  • Kidd_Ip's avatar
    Kidd_Ip
    MVP
    Oct 06, 2022

    ChrisP1975 

    The Authentication Administrator should do, for all general users.

    Use the Privileged  Authentication Administrator role for admin privileged accounts.

    • brianzx7's avatar
      brianzx7
      Copper Contributor
      Oct 06, 2022
      Nope, like I said, I gave my employee all of the admin privileges including the Authentication Administrator and he could not change the MFA settings. Once I gave him global admin, he was able to do that task.
      • mhikolet's avatar
        mhikolet
        Copper Contributor
        Dec 06, 2022

        brianzx7 

        I had the same issue and found this article.

        https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
        hope this explain this article will help.

        Usually, your helpdesk will not go to the portal of MFA Per user this is for global admin role, they will reset the MFA, via Azure under Users > Select Users > Authentication Method and click Require re-register multifactor authentication button.

        Your helpdesk needs a role, Global Reader Role - to access users and Authentication Admin Role so they can re-register the MFA.

         

        Cheers!!

  • philljones22's avatar
    philljones22
    Copper Contributor
    Apr 23, 2024

    To grant access to the legacy MFA management portal, you'll need to assign the Security Administrator role in addition to the Authentication Administrator role. The Security Administrator role typically includes permissions to manage Multi-Factor Authentication settings across the organization, including access to the legacy MFA management portal. This should allow members of the help desk to perform MFA management tasks from both the Azure app Active Directory portal and the legacy MFA management portal.

  • arslanshabir's avatar
    arslanshabir
    Copper Contributor
    Jun 11, 2024

    ChrisP1975 

    I checked that article and assigned the Authentication Administrator role to my limited admin. You don't need to give them the global reader role if you provide the Azure AD portal URL. However, I couldn't find where to set MFA to enabled or enforced in Azure AD, which seems to be what the original poster needs. I also want a limited admin to create a user, assign a license, and enable MFA so the user sets up MFA on their first login. Am I missing something in Azure AD? "Require re-register" and "revoke authentication" don't seem to change the user's Multi-Factor Auth Status to enabled.

  • arslanshabir's avatar
    arslanshabir
    Copper Contributor
    Jun 13, 2024

    To grant help desk members full access to manage MFA for non-admin users, consider assigning the "Privileged Authentication Administrator" role. This role provides more comprehensive MFA management capabilities. This enhanced access is similar to how PicsArt Pro unlocks advanced features for better creative control.

  • jhonnadyy's avatar
    jhonnadyy
    Copper Contributor
    Jul 20, 2024

    To let your help desk manage MFA for non-admin users through the legacy portal, assign them the Privileged Authentication Administrator role in addition to the Authentication Administrator role. This should give them the necessary permissions to access the MFA management options you see as a Global Admin. If that doesn’t fully work, try adding the User Administrator role as well. These roles combined should enable them to handle MFA settings more effectively.

  • asifjatoi132's avatar
    asifjatoi132
    Copper Contributor
    Jul 23, 2024
    Though it's an old post, but it helped a lot today in this matter. Thanks for the post.
  • gearsgen1's avatar
    gearsgen1
    Copper Contributor
    Aug 10, 2024

    It sounds like you’ve already set up the Authentication admin role, which is a good start. For full access to the MFA management features in the admin center, you might want to consider assigning the "Privileged Authentication Administrator" role. This role could give the help desk the necessary permissions to manage MFA settings directly from the Microsoft 365 admin center app.

  • mwiki8833's avatar
    mwiki8833
    Copper Contributor
    Aug 19, 2024

    To enable Multi-Factor Authentication (MFA) in Office 365, you'll need to have an admin role with the necessary permissions. Ensure that you have the correct Office 365 admin role assigned to manage and configure MFA settings effectively.

Share

Resources