SOLVED

Office 365 Admin Role Needed for MFA

Occasional Contributor

I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there.

However, as a Global Admin from the Microsoft 365 admin center I can see Users > Active Users > Multi-Factor Authentication and I can manage "Manage multifactor authentication" from the User itself. These options are not available for the help desk.

Is there another role that I can use to grant access to the legacy MFA management portal?

1 Reply
best response confirmed by ChrisP1975 (Occasional Contributor)
Solution

None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference