Authentication methods and Authentication Administrator Role

Question

User with Authentication Administrator role is not able to view or delete assigned authentication methods. Are there any changes or limitations to this role for this work.

Privileged Authentication Admin is able to see or delete authentication methods.

And the definition is not available when I look to create a custom role.

Answer 1

Hello RT-7199,

Thanks for your question.

Yes, there are differences between the Privileged Authentication Administrator and the Authentication Administrator. The authentication Admin can manage authentication methods hence can view assigned methods. So you should be able to view with that permission.

Users with Authentication Administrator cannot do the following:

• Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
• Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens.

The specific differences are documented here.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissionsf-reference#privileged-authentication-administrator

Regards,

Abiola

Answer 2

@akinbade abiola Thanks for the reply.

So does that mean if a user is a member of any role assignable group, Authentication Admin would not be able to reset/update their MFA.

And Is there a custom role that can be created that would allow this for our service desk, without assigning them Privileged Authentication Admin role.

Answer 3

More detailed explanation in other thread, started by error while posting.

https://learn.microsoft.com/en-us/answers/questions/1708290/authentication-methods-and-authentication-administ?page=1&orderby=helpful&comment=answer-1554455#newest-answer-comment