What roles does uploading MFA hardware tokens require?

Mahesh Jina 31 Reputation points
2022-12-28T10:12:06.367+00:00

I've assigned a helpdesk user Authentication Policy Administrator plus Global Reader, and for safe measure, Authentication Administrator, Privileged and Authentication Administrator under PIM in order for the user to be able to upload and manage hardware tokens under Azure MFA. The user is able to view all users (Global Reader applies here) and upon activating Authentication Policy Administrator, the upload button becomes available, however she gets an error whenever trying to upload a new user saying "Something went wrong. Try again.". The helpdesk user is also unable to delete any user tokens. My guess is that this is access related because a global admin can do all of these tasks without issues. Any idea what additional roles are missing in order for the helpdesk user to manage MFA hardware tokens? It seems a bit silly to apply multiple roles to complete a single function, or am I doing this wrong?

Azure Role-based access control
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-12-29T08:12:34.897+00:00

    Hi @Mahesh Jina ,

    Thanks for reaching out.

    I understand you are looking for the least privileged role to upload and manage OATH hardware tokens.

    Unfortunately, as of now no other role except Global Administrator Role is supported to manage OATH Hardware tokens.

    As this feature is still in preview and as per our preview programs, customers are evaluating and understanding the new feature before it becomes part of the standard service.

    I would request you to post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,
    Shweta

    --------------------------------------------------------

    Please remember to "Accept Answer" if the answer helped you.
