Hello @William Liu,
Thank you for posting your query on Microsoft Q&A.
Based on your description, it seems you are looking for the least privilege role that allows helpdesk workers to manage users' authentication methods, including the ability to revoke and re-register multifactor authentication (MFA) methods.
The Authentication Administrator role is the least privilege role available for managing users' authentication methods. Please refer to the document linked below for more details:
Multifactor authentication
Users with this role can do the following:
- Set or reset any authentication method (including passwords) for non-administrators and some roles. For a list of the roles for which an Authentication Administrator can read or update authentication methods, see Who can reset passwords.
- Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke remember MFA on the device, which prompts for MFA on the next sign-in.
- Manage MFA settings in the legacy MFA management portal.
- Perform sensitive actions for some users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
If you are looking for another built-in role to manage users' authentication methods, the Authentication Administrator is currently the only least privilege built-in role available.
Custom roles are not an option because microsoft.directory/users/authenticationMethods/ permissions are not yet available for creating custom roles.
Assigning the Authentication Administrator role to helpdesk workers is the only option at this time.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
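As an added example (not part of the answer above or Microsoft's own documentation), the assignment the answer recommends can be made with Microsoft Graph PowerShell and then reviewed. It assumes the Microsoft.Graph module is installed, the caller is allowed to assign directory roles, and a role-assignable group named 'Helpdesk Tier 1' already exists (the group name is a placeholder).

```powershell
# Added example: assign the built-in Authentication Administrator role to a
# helpdesk group with Microsoft Graph PowerShell, then list who holds the role.
# Assumptions: Microsoft.Graph module installed, caller can assign directory
# roles, and a role-assignable group 'Helpdesk Tier 1' exists (placeholder name;
# directory roles can only be assigned to groups created with isAssignableToRole = true).
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Group.Read.All'

$helpdeskGroupName = 'Helpdesk Tier 1'   # placeholder, replace with your group

# Resolve the built-in role by display name rather than hard-coding its ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Authentication Administrator'"
if (-not $roleDef -or -not $roleDef.IsBuiltIn) {
    throw "Built-in Authentication Administrator role definition not found."
}

# Resolve the helpdesk group and confirm it can receive a directory role.
$group = Get-MgGroup -Filter "displayName eq '$helpdeskGroupName'"
if (-not $group) { throw "Group '$helpdeskGroupName' not found." }
if (-not $group.IsAssignableToRole) {
    throw "Group '$helpdeskGroupName' is not role-assignable; it cannot hold a directory role."
}

# Skip if the assignment already exists (creating a duplicate fails).
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($roleDef.Id)' and principalId eq '$($group.Id)'"
if ($existing) {
    Write-Host "Assignment already present; nothing to do."
} else {
    # Tenant-wide scope ('/'); the role's own rules limit whose methods can be changed.
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $roleDef.Id `
        -PrincipalId $group.Id `
        -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned '$($roleDef.DisplayName)' to group '$($group.DisplayName)'."
}

# Review step: list every principal currently holding the role, so the
# membership can be checked during periodic access reviews.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Granting the role to a group rather than to individual accounts keeps the helpdesk membership reviewable in one place and lets you remove access by removing someone from the group.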