I have a question about what role internal support needs to unlock a user account that was locked bu ID Protection due to a risk blocked sign-in or for a user that rejected MFA.

Currently, it looks like only a GA is able to do this but I obviously do not want to elevate all the support staff with this role. But, I have not seen a PIM eligible role that successfully allows this so I have to assume I am missing something.

Have asked my MSFT rep about this and that was no help :(