re-register MFA

Question

re-register MFA

Rami Wurmbrand 45

Hello

For a regular account, I would like to give permission to execute "Require re-register multifactor authentication" for non-admin accounts .

Is there a suitable role?
If I create a new role for this operation, what permissions do I need to give to carry out this specific operation?

Thank you

mfa01

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Domooney-MSFT 2,606 Microsoft Employee Moderator

Hi @Rami Wurmbrand

We do have a legend here which outlines the Entra ID roles and which actions they can perform. Least privileged role for resetting a users MFA methods would be "Authentication Administrator" - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#authentication-administrator

Let me know if you have any further queries, I would be happy to help!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Rami Wurmbrand 45 Reputation points

2024-01-09T08:38:45.46+00:00
@Domooney-MSFT

You are right, after reading a bit it is indeed the "lowest" ROLE that allows this.
But still I don't understand why this ROLE can delete accounts, they have permission to do so

And if I continue the question from here - if I want this ROLE to "only" reset the MFA for accounts . What is the best way for them to do this?

Through the Microsoft Entra ID interface?

Through the 365 admin center interface?

Through a PowerShell command?

Rami
Rami Wurmbrand 45 Reputation points

2024-01-09T10:50:03.14+00:00

@Domooney-MSFT

If I continue the question from here - if I want this ROLE to "only" reset the MFA for accounts as needed. What is the best way for them to do this?

Through the Microsoft Entra ID interface?

Through the 365 admin center interface?

Through a PowerShell command?
Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator

2024-01-09T13:31:56.12+00:00

Hi @Rami Wurmbrand

Unfortunately there is no way at the moment to allow an admin to only perform MFA reset operation. The actions available in Custom Entra ID roles does not currently include the scope for "microsoft.directory/users/authenticationMethods" so it is not possible to create a custom role for this operation.

At the moment the least privileged role is Authentication Administrator. To get more control over this you can use PIM, and require an admin enters the reason for elevating their role to Authentication Administrator.

Do let me know if you have any further queries and I would be happy to help.

Kind Regards,

Donal
Rami Wurmbrand 45 Reputation points

2024-01-11T12:59:58.7033333+00:00

@Domooney-MSFT No further questions at this time :-)
Thank you !!!

Answer 2

Andreas Baumgarten 130.6K MVP Volunteer Moderator

Hi @Rami Wurmbrand ,

as far as I know there is no dedicated Azure Entra ID role permission available for triggering the "Require re-register multifactor authentication".

The built-in RBAC role User Administrator should be the able to get this done.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Rami Wurmbrand 45 Reputation points

2024-01-09T07:37:54.69+00:00

@Andreas Baumgarten
Thank you , but this is a ROLE with too many options that are not needed for this employee profile
Andreas Baumgarten 130.6K Reputation points MVP Volunteer Moderator

2024-01-09T07:51:06.74+00:00

Hi @Rami Wurmbrand ,

sorry.

Than please give it a try with the Authenticator Administrator role.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Rami Wurmbrand 45 Reputation points

2024-01-09T08:40:27.1166667+00:00

@Andreas Baumgarten Yes , I Will

Thank you
Rami Wurmbrand 45 Reputation points

2024-01-09T08:42:16.6966667+00:00

@Andreas Baumgarten

Yes , I Will

Thank you

Share via

re-register MFA

1 additional answer

Your answer