Share via

Authentication methods and Authentication Administrator Role

RT-7199 511 Reputation points
2024-06-19T21:59:52.0233333+00:00

User assigned with Authentication Administrator role is not able to see or delete authentication methods. Are there any changes or limitations to this role for this.

You currently don't have permissions to manage this user's authentication methods

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,107 questions
0 comments
Accepted answer
  1. Raja Pothuraju 7,905 Reputation points Microsoft Vendor
    2024-06-20T20:49:04.91+00:00

    Hello @RT-7199,

    Thank you for posting your query on Microsoft Q&A.

    I understand that you have assigned the "Authentication Administrator" role to a user, which is the least privileged role to update authentication methods. However, when this user tries to change, delete, or view authentication methods for another user, they encounter an error stating, "You currently don't have permissions to manage this user's authentication methods."

    This can happen if the user falls under the following unsupported scenarios:

    • The user cannot change credentials or reset MFA for members and owners of a role-assignable group.
    • The user cannot change credentials or reset MFA for members who have an administrator role, including:
      • Groups Admin
      • Helpdesk Admin
      • Privileged Auth Admin
      • Privileged Role Admin
      • User (no admin role but member or owner of a role-assignable group)
      • User with a role scoped to a restricted management administrative unit
      • User Admin
      • All custom roles

    Here are two simple scenarios to illustrate this:

    1. Scenario 1:
      • User A has the Global Administrator role.
      • User B has the Authentication Administrator role.
      • When User B tries to make changes to User A's authentication methods, it won't allow them because User A falls under the unsupported scenario due to having the Global Administrator role.
    2. Scenario 2:
      • User A is included in a security group where an Entra role is assigned to that group.
      • User B has the Authentication Administrator role.
      • When User B tries to make changes to User A's authentication methods, it won't allow them because User A falls under the unsupported scenario of being a member or owner of a role-assignable group.

    Please check the above scenarios and verify if the test user falls under any unsupported scenarios as per Microsoft documentation.

    References:

    Hope this includes all the information that you were looking for.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 25,755 Reputation points MVP
    2024-06-19T23:09:56.9666667+00:00

    This should work. Verify that the role assignment is not scoped to an Administrative Unit and the corresponding users are outside of that scope

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-06-19T23:13:44.11+00:00

    Hi @RT-7199

    Thanks for reaching out to Microsoft Q&A.

    Authentication Administrator role is the minimum requirement to access the Authentication Methods blade as per this document: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userdevicesettings#add-authentication-methods-for-a-user

    Are you trying to access it via which portal, Entra or M365?

    Please, follow the steps from the document above via Entra ID portal to add / remove user's authentication methods and let me know if the error persists. In case it does, could you please send a couple of screenshots with the error and the user's roles?

    Thanks,

    Fabio

    0 comments
  3. RT-7199 511 Reputation points
    2024-06-22T05:19:51.61+00:00

    It looks like question get double posted as had i got an error when submitting it first time. And thanks both of you for reply.

    Although some roles are scoped by Administrative Unit, Authentication administrator was not and applies to directory. I tested as this by creating test accounts and as stated in the other thread, it seems to be effected by if the user is part of role assigned group. On removal of the user from such a group, user with admin role was able to update authentication methods. I am doing from portal.

    https://learn.microsoft.com/en-us/answers/questions/1708305/authentication-methods-and-authentication-administ?page=1&orderby=Helpful#answers

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.