Allow helpdesk workers to reset/require re-registration multifactor authentication

William Liu 0 Reputation points
2024-08-20T21:37:56.6633333+00:00

Currently only members of the Authentication Administrators role seem to be able to reset MFA methods using the Entra Admin Center. Usually you just click on a user and select "Require re-registration".

What is needed is a way for helpdesk workers to have access to reset a specific group (or be restricted from resetting a specific group) without providing them full Authentication Administrator access. If Auth Admin has to be used, is there a way to create some restriction for what users can be reset?

Microsoft Entra ID

2 answers

  1. Jos van Schouten 81 Reputation points
    2024-08-20T22:02:11.49+00:00

    Administrative Units are what you are looking for: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles

    You would place the specific group of users (the users, not the group) in an Administrative Unit and delegate Authentication Administrator privileges to the helpdesk workers for that AU.
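
The delegation described in this answer, as an added example that is not part of the thread: a Microsoft Graph PowerShell script that creates an Administrative Unit, copies the users (not the group object) of a security group into it, and assigns Authentication Administrator to a helpdesk account with the AU as the directory scope. The AU name "Helpdesk-Scoped Users", the group name "Frontline Staff" and the UPN helpdesk1@contoso.example are placeholders.

```powershell
# Added example, not from the Q&A thread. Requires the Microsoft.Graph module.
# Placeholders: AU name, source group name, and the helpdesk account UPN.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All", "GroupMember.Read.All"

$auName      = "Helpdesk-Scoped Users"       # assumed
$sourceGroup = "Frontline Staff"             # assumed
$helpdeskUpn = "helpdesk1@contoso.example"   # assumed

# 1. Create the AU if it does not exist. The AU is what scopes the role;
#    a security group alone cannot scope a built-in role.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $auName `
            -Description "Users whose MFA the helpdesk may reset"
}

# 2. Put the group's *user* members into the AU (skip nested groups/devices),
#    skipping anyone already present so the script can be re-run.
$group    = Get-MgGroup -Filter "displayName eq '$sourceGroup'"
$existing = @{}
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object { $existing[$_.Id] = $true }

Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    if ($_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { return }
    if ($existing.ContainsKey($_.Id)) { return }
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($_.Id)"
    }
}

# 3. Assign Authentication Administrator scoped to the AU, not tenant-wide.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition `
                -Filter "displayName eq 'Authentication Administrator'"
$helpdesk = Get-MgUser -UserId $helpdeskUpn
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    roleDefinitionId = $roleDef.Id
    principalId      = $helpdesk.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 4. Check: every assignment for the helpdesk account should show the AU as
#    DirectoryScopeId. A scope of "/" would mean tenant-wide rights.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Two caveats worth checking after running this. First, step 2 is a one-time copy; if the group changes, either re-run the script or create the AU with a dynamic membership rule so the AU tracks the users itself. Second, an AU-scoped Authentication Administrator can still only act on users who hold no protected admin role, the same limit the tenant-wide role has; users in the AU who are themselves administrators still need a Privileged Authentication Administrator.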


  2. Raja Pothuraju 4,705 Reputation points Microsoft Vendor
    2024-08-28T09:35:08.71+00:00

    Hello @William Liu,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you are looking for the least privilege role that allows helpdesk workers to manage users' authentication methods, including the ability to revoke and re-register multifactor authentication (MFA) methods.

    The Authentication Administrator role is the least privilege role available for managing users' authentication methods. Please refer to the document linked below for more details:

    Multifactor authentication


    Users with this role can do the following:

    • Set or reset any authentication method (including passwords) for non-administrators and some roles. For a list of the roles for which an Authentication Administrator can read or update authentication methods, see Who can reset passwords.
    • Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and also revoke "remember MFA on this device", which prompts for MFA on the next sign-in.
    • Manage MFA settings in the legacy MFA management portal.
    • Perform sensitive actions for some users. For more information, see Who can perform sensitive actions.
    • Create and manage support tickets in Azure and the Microsoft 365 admin center.

    If you are looking for another built-in role to manage users' authentication methods, the Authentication Administrator is currently the only least privilege built-in role available.

    Custom roles are not an option because microsoft.directory/users/authenticationMethods/ permissions are not yet available for creating custom roles.

    Assigning the Authentication Administrator role to helpdesk workers is the only option at this time.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.



    Thanks,
    Raja Pothuraju.
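
What the delegated helpdesk account can actually do with the capabilities listed in this answer, as an added example that is not part of the thread: signed in as the (AU-scoped) Authentication Administrator, the script lists a target user's registered authentication methods through Microsoft Graph, deletes the non-password MFA methods so the user is prompted to register again at next sign-in (the script's approximation of the portal's "Require re-registration" action), and revokes sign-in sessions. A user outside the helpdesk's scope produces a 403 from Graph, which is the check that the scoping holds. The UPNs alice@contoso.example and ceo@contoso.example are placeholders.

```powershell
# Added example, not from the Q&A thread. Run as the helpdesk account that
# holds Authentication Administrator (tenant-wide or AU-scoped).
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.RevokeSessions.All"

# Graph collection for each method type this script removes. Password methods
# cannot be deleted; Windows Hello for Business is deliberately left alone here.
$deletable = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.phoneAuthenticationMethod'                  = 'phoneMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                  = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'           = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                  = 'emailMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'    = 'temporaryAccessPassMethods'
}

function Reset-MfaRegistration {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $base = "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($UserPrincipalName))"
    try {
        $methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/authentication/methods").value
    } catch {
        # Expected when the target is outside the admin's AU or holds a
        # protected admin role: Graph answers 403 Authorization_RequestDenied.
        Write-Warning "Not permitted to read methods for $UserPrincipalName : $($_.Exception.Message)"
        return $false
    }

    $removed = 0
    foreach ($m in $methods) {
        $coll = $deletable[$m.'@odata.type']
        if (-not $coll) { continue }          # password and other non-MFA methods stay
        Invoke-MgGraphRequest -Method DELETE -Uri "$base/authentication/$coll/$($m.id)"
        Write-Host "Removed $($m.'@odata.type'.Split('.')[-1]) $($m.id) from $UserPrincipalName"
        $removed++
    }

    # Invalidate refresh tokens so the registration prompt appears at next sign-in
    # rather than after existing sessions expire.
    Invoke-MgGraphRequest -Method POST -Uri "$base/revokeSignInSessions" | Out-Null
    Write-Host "$UserPrincipalName : $removed MFA method(s) removed, sessions revoked"
    return $true
}

Reset-MfaRegistration -UserPrincipalName 'alice@contoso.example'   # in scope: returns $true
Reset-MfaRegistration -UserPrincipalName 'ceo@contoso.example'     # out of scope: 403, returns $false
```

Run the second call deliberately when validating a new delegation: if it succeeds instead of warning, the helpdesk assignment is tenant-wide rather than AU-scoped and should be corrected before anyone relies on it.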

