Forum Discussion
ChrisP1975
Feb 24, 2021 Copper Contributor
Office 365 Admin Role Needed for MFA
I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go i...
- Feb 25, 2021
None of the "specialist" roles are able to manage users in the legacy MFA portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
acerimeli
Feb 27, 2023 Copper Contributor
I found a solution to this.
From this post: https://learn.microsoft.com/en-us/answers/questions/325505/allow-support-users-to-enable-mfa-for
"To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:
Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA."
lspot
Mar 06, 2023 Copper Contributor
acerimeli's solution worked for me, although you have to give them the path to the MFA portal: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
The link doesn't show up at the top of the user list like I'm used to seeing as a global admin.
The Privileged Authentication Administrator Role seems pretty innocuous, but curious what people think of the Authentication Policy Administrator. Is that just big words for can enable and disable MFA for anyone in the tenant?
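Before handing either role to a help desk group, you can read what each one actually permits, and who already holds it, straight from the tenant. The script below is an added example, not something posted by the thread participants; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read role management data.

```powershell
# Added example: audit the two roles named in this thread.
# Assumes: Install-Module Microsoft.Graph has been run and the caller can consent to these read scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$roleNames = 'Authentication Policy Administrator',
             'Privileged Authentication Administrator'

foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) {
        Write-Warning "Role definition not found: $name"
        continue
    }

    "== $name =="
    "Allowed actions:"
    # Each role definition carries the list of directory actions it grants.
    $def.RolePermissions.AllowedResourceActions | Sort-Object | ForEach-Object { "  $_" }

    # Active assignments only; PIM-eligible assignments are stored separately.
    $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($def.Id)'" -All)

    "Active assignments: $($assignments.Count)"
    foreach ($a in $assignments) {
        # The principal may be a user, a group or a service principal.
        $props = (Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId).AdditionalProperties
        $label = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
        "  {0}  (scope: {1})" -f $label, $a.DirectoryScopeId
    }
    ""
}
```

A `DirectoryScopeId` of `/` means the assignment applies tenant-wide; any other value is an assignment scoped to a narrower directory object.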