What roles does uploading MFA hardware tokens require?

Question

Ive assigned a helpdesk user Authentication Policy Administrator plus Global Reader, and for safe measure, Authentication Administrator, Privileged and Authentication Administrator under PIM in order for the user to be able to upload and manage hardware tokens under Azure MFA. The user is able to view all users (Global Reader applies here) and upon activating Authentication Policy Administrator, the upload button becomes available, however she gets an error whenever trying to upload a new user saying "Something went wrong. Try again.". The helpdesk user is also unable to delete any user tokens. My guess is that this is access related because a global admin can do all of these tasks without issues. Any idea what additional roles are missing in order for the helpdesk user to manage MFA hardware tokens? It seems a bit silly to apply multiple roles to complete a single function, or am I doing this wrong?

Answer 1

Hi @Mahesh Jina ,

Thanks for reaching out.

I understand you are looking for least privileged role to upload and manage OATH Hardware tokens.

Unfortunately, as of now no other role except Global Administrator Role is supported to manage OATH Hardware tokens.

As this feature is still in preview and as per our preview programs, customers are evaluating and understanding the new feature before it become the part of standard service.

I would request you to post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

Hope this will help.

Thanks,
Shweta

--------------------------------------------------------

Please remember to "Accept Answer" if answer helped you.