Feb 24 2021 08:28 AM
I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there.
However, as a Global Admin from the Microsoft 365 admin center I can see Users > Active Users > Multi-Factor Authentication and I can manage Manage multifactor authentication from the User itself. These options are not available for the help desk.
Is there another role that I can use to grant access to the legacy MFA management portal?
Feb 24 2021 11:33 PM
Solution: None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Aug 18 2022 02:13 PM
Aug 19 2022 04:58 AM
Oct 05 2022 08:34 AM
I have given my employee every single admin right except for global admin and they can see the MFA page and see the users and whether they have MFA enabled or not, but he cannot change anything. The options are greyed out.
I guess you have to give someone global admin to be able to make changes to MFA....
Is MS stupid or is it broken? Which is it?
Oct 05 2022 05:40 PM
The Authentication Administrator should do, for all general users.
Use the Privileged Authentication Administrator role for admin privileged accounts.
Oct 05 2022 07:44 PM
Dec 05 2022 11:38 PM
I had the same issue and found this article.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
Hope this article will help.
Usually, your helpdesk will not go to the per-user MFA portal; that is for the global admin role. They will reset the MFA via Azure under Users > Select Users > Authentication Method and click the Require re-register multifactor authentication button.
Your helpdesk needs two roles: Global Reader Role, to access users, and Authentication Admin Role, so they can re-register the MFA.
Cheers!!
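The role pairing described above (Global Reader plus Authentication Administrator), as an added Microsoft Graph PowerShell example that is not part of the thread: it assigns the two roles to a help desk account and then lists every directory role that account holds, flagging roles that exceed non-admin MFA management. It assumes the Microsoft.Graph module is installed, the caller can manage role assignments, and `helpdesk.user@contoso.example` is a placeholder UPN.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph module and a
# caller allowed to write directory role assignments. UPN below is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$helpdeskUpn = "helpdesk.user@contoso.example"   # placeholder, replace

# Roles the thread settles on for help desk MFA re-registration of non-admin users.
$wantedRoles = @("Authentication Administrator", "Global Reader")

# Roles that go beyond that task: they can also reset credentials of admin accounts.
$overprivileged = @("Global Administrator", "Privileged Authentication Administrator")

$user = Get-MgUser -UserId $helpdeskUpn

foreach ($name in $wantedRoles) {
    # Look the role up by display name so no template IDs are hard-coded here.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    $existing = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
    if (-not $existing) {
        # Tenant-wide scope ("/"); an administrative unit could narrow this further.
        New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
            -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
        Write-Host "Assigned '$name' to $helpdeskUpn"
    } else {
        Write-Host "'$name' already assigned to $helpdeskUpn"
    }
}

# Report every directory role the account now holds and flag the ones that
# exceed what resetting MFA for non-admin users requires.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
foreach ($a in $assignments) {
    $def  = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    $flag = if ($overprivileged -contains $def.DisplayName) { "  <-- exceeds help desk need" } else { "" }
    Write-Host ("{0} (scope {1}){2}" -f $def.DisplayName, $a.DirectoryScopeId, $flag)
}
```

Run it against each help desk account after changing roles; any flagged line is a candidate for removal under least privilege.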
Jan 04 2023 02:45 PM
I looked at that article and gave my limited admin the Authentication Administrator role. I don't think you have to give them global reader as long as you provide the url to the azure ad portal. I don't see anywhere in azure ad where you can set MFA to enabled or enforced, which is what I believe the original poster is looking for. I would also like to be able to set up a limited admin to do this task: create the user, license the user, enable MFA. Then when the user first logs in they have to set up MFA. Am I missing something in Azure AD? Neither Require re-register nor revoke authentication appears to change the Multi-Factor Auth Status to enabled for the user.
Jan 24 2023 07:58 AM
@lspot I was also trying to do this. So nothing short of God mode will do. Great job Microsoft.
Feb 27 2023 09:50 AM
Mar 05 2023 08:49 PM
Nov 30 2023 09:33 PM
Apr 23 2024 12:10 PM
To grant access to the legacy MFA management portal, you'll need to assign the Security Administrator role in addition to the Authentication Administrator role. The Security Administrator role typically includes permissions to manage Multi-Factor Authentication settings across the organization, including access to the legacy MFA management portal. This should allow members of the help desk to perform MFA management tasks from both the Azure Active Directory portal and the legacy MFA management portal.
Jun 11 2024 01:22 PM
I checked that article and assigned the Authentication Administrator role to my limited admin. You don't need to give them the global reader role if you provide the Azure AD portal URL. However, I couldn't find where to set MFA to enabled or enforced in Azure AD, which seems to be what the original poster needs. I also want a limited admin to create a user, assign a license, and enable MFA so the user sets up MFA on their first login. Am I missing something in Azure AD? "Require re-register" and "revoke authentication" don't seem to change the user's Multi-Factor Auth Status to enabled.
Jun 13 2024 08:26 AM
To grant help desk members full access to manage MFA for non-admin users, consider assigning the "Privileged Authentication Administrator" role. This role provides more comprehensive MFA management capabilities.
Jul 20 2024 04:17 AM
To let your help desk manage MFA for non-admin users through the legacy portal, assign them the Privileged Authentication Administrator role in addition to the Authentication Administrator role. This should give them the necessary permissions to access the MFA management options you see as a Global Admin. If that doesn’t fully work, try adding the User Administrator role as well. These roles combined should enable them to handle MFA settings more effectively.
Jul 23 2024 05:40 AM
Aug 10 2024 06:28 AM - edited Aug 10 2024 06:29 AM
It sounds like you’ve already set up the Authentication admin role, which is a good start. For full access to the MFA management features in the admin center, you might want to consider assigning the "Privileged Authentication Administrator" role. This role could give the help desk the necessary permissions to manage MFA settings directly from the Microsoft 365 admin center app.