cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Office 365 Admin Role Needed for MFA

ChrisP1975
Occasional Contributor

‎Feb 24 2021 08:28 AM

‎Feb 24 2021 08:28 AM

Office 365 Admin Role Needed for MFA

I would like to assign members of the help desk access to manage MFA for non-admin users.  I already assigned the Authentication admin role and this partially works.  Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there.

 

However, as a Global Admin from the Microsoft 365 admin center I can see Users > Active Users > Multi-Factor Authentication and I can manage Manage multifactor authentication from the User itself.  These options are not available for the help desk.

 

Is there another role that I can use to grant access to the legacy MFA management portal?

Labels:
39K Views
2 Likes
11 Replies
Reply
11 Replies
best response confirmed by ChrisP1975 (Occasional Contributor)
Vasil Michev

‎Feb 24 2021 11:33 PM

‎Feb 24 2021 11:33 PM

Solution

Re: Office 365 Admin Role Needed for MFA

None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

3 Likes
Reply
Manlyboots907

‎Aug 18 2022 02:13 PM

‎Aug 18 2022 02:13 PM

Re: Office 365 Admin Role Needed for MFA

So is the answer
"You must be a global admin in order to do this?"
1 Like
Reply
ChrisP1975

‎Aug 19 2022 04:58 AM

‎Aug 19 2022 04:58 AM

Re: Office 365 Admin Role Needed for MFA

I am using Authentication Administrator to grant my help desk team access to make changes to MFA.
0 Likes
Reply
brianzx7

‎Oct 05 2022 08:34 AM

‎Oct 05 2022 08:34 AM

Re: Office 365 Admin Role Needed for MFA

@ChrisP1975 

 

I have given my employee every single admin right except for global admin and they can see the MFA page and see the users and whether they have MFA enabled or not but he cannot change anything. THe options are greyed out. 

I guess you have to give someone global admin to be able to make changes to MFA....

Is MS stupid or is it broken, Which is it?

1 Like
Reply
Kidd_Ip

‎Oct 05 2022 05:40 PM

‎Oct 05 2022 05:40 PM

Re: Office 365 Admin Role Needed for MFA

@ChrisP1975 

The Authentication Administrator should do, for all general users.

Use the Privileged  Authentication Administrator role for admin privileged accounts.

0 Likes
Reply
brianzx7

‎Oct 05 2022 07:44 PM

‎Oct 05 2022 07:44 PM

Re: Office 365 Admin Role Needed for MFA

Nope, like I said, I gave my employee all of the admin privileges including the Authentication Administrator and he could not change the MFA settings. Once I gave him global admin, he was able to do that task.
0 Likes
Reply
mhikolet

‎Dec 05 2022 11:38 PM

‎Dec 05 2022 11:38 PM

Re: Office 365 Admin Role Needed for MFA

@brianzx7 

I had the same issue and found this article.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
hope this explain this article will help.

Usually, your helpdesk will not go to the portal of MFA Per user this is for global admin role, they will reset the MFA, via Azure under Users > Select Users > Authentication Method and click Require re-register multifactor authentication button.

Your helpdesk needs a role, Global Reader Role - to access users and Authentication Admin Role so they can re-register the MFA.

 

Cheers!!

0 Likes
Reply
lspot

‎Jan 04 2023 02:45 PM

‎Jan 04 2023 02:45 PM

Re: Office 365 Admin Role Needed for MFA

@mhikolet 

I looked at that article and gave my limited admin the Authentication Administrator role. I don't think you have to give them global reader as long as you provide the url to the azure ad portal. I don't see anywhere in azure ad where you can set MFA to enabled or enforced. Which is what I believe the original poster is looking for. I would also like to be able to set up a limited admin to do this task. Create the user, license the user, enable MFA. Then when the user first logs in they have to set up MFA. Am I missing something in Azure AD? Require re-register nor revoke authentication appears to change the Multi-Factor Auth Status to enabled for the user.

2 Likes
Reply
GhostinHead

‎Jan 24 2023 07:58 AM

‎Jan 24 2023 07:58 AM

Re: Office 365 Admin Role Needed for MFA

@lspot I was all so trying to do this. So nothing short of God mode will do. Great job Microsoft. 

1 Like
Reply
acerimeli

‎Feb 27 2023 09:50 AM

‎Feb 27 2023 09:50 AM

Re: Office 365 Admin Role Needed for MFA

I found a solution to this.

From this post:https://learn.microsoft.com/en-us/answers/questions/325505/allow-support-users-to-enable-mfa-for

"To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:

Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA."
0 Likes
Reply
lspot

‎Mar 05 2023 08:49 PM

‎Mar 05 2023 08:49 PM

Re: Office 365 Admin Role Needed for MFA

acerimeli's solution worked for me. Although you have to give them the path to the MFA portal. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
The link doesn't show up at the top of the user list like I'm used to seeing as a global admin.
The Privileged Authentication Administrator Role seems pretty innocuous, but curious what people think of the Authentication Policy Administrator. Is that just big words for can enable and disable MFA for anyone in the tenant?
0 Likes
Reply