Which admin role(s) are needed to manage a user's authentication methods?

Andre Fernandez 0 Reputation points
2024-10-22T18:53:28.5066667+00:00

I need my service desk team to have access to managing a user's authentication methods. When I add the service desk admins to the Authentication Administrator or Privileged Authentication Administrator, they still can't access a user's authentication methods section. I've seen other posts talking about needing global admin roles, and I do not want to give them that level of permissions. Shouldn't Privileged Authentication Administrator or Authentication Administrator be enough to access that section?

Microsoft Entra ID

2 answers

  1. BANDELA Siri Chandana 240 Reputation points Microsoft Vendor
    2024-10-23T07:03:03.73+00:00

    Hi @Andre Fernandez

    Thank you for posting your query on Microsoft Q&A.

    I understand that you have assigned Authentication Administrator and Privileged Authentication Administrator, but the service desk admins still cannot access the user's authentication methods section.

    To know the exact issue, can you please provide more information about the issue you are facing, along with a screenshot?

    As you have mentioned, Global admin is a high level of permission, so you need not assign that role to service desk admins.

    Privileged Authentication Administrator and Authentication Administrator are enough to access the user's authentication methods section.

    For reference: [Screenshot 2024-10-23 094852]

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes` for was this answer helpful. And, if you have any further query do let us know.

    Thanks,

    B. Siri Chandana.


  2. Vasil Michev 108.1K Reputation points MVP
    2024-10-23T07:07:55.63+00:00

    Authentication Administrator should be sufficient indeed, with Privileged Authentication Administrator needed only for users with admin roles assigned. Make sure the service desk person reauthenticates after you've assigned the role, as it needs to be reflected in the admin token. If you are still having issues with the UI, try via PowerShell:

    ```powershell
    Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All
    Get-MgUserAuthenticationMethod -UserId (Get-MgUser -UserId user@domain.com).Id | fl
    ```
    
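A diagnostic sketch for the situation discussed in the answers above, added here as an example and not part of either answer: it lists the directory roles held by the service desk account and by the target user, then reports which role the second answer's rule calls for. The two UPNs are placeholders, the function name `Get-DirectRoleAssignment` is hypothetical, and the script assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the read scopes shown.

```powershell
# Added example: compare the service desk account's roles with what the
# target user requires. Both UPNs are placeholders, not values from the thread.
param(
    [string]$HelpdeskUpn = 'helpdesk.user@domain.com',
    [string]$TargetUpn   = 'user@domain.com'
)

Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

function Get-DirectRoleAssignment {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-MgUser -UserId $Upn
    # Direct, active assignments only. Roles held through a group, or PIM
    # roles that are eligible but not activated, do not appear here.
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
        ForEach-Object {
            $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
            [pscustomobject]@{
                User  = $Upn
                Role  = $def.DisplayName
                Scope = $_.DirectoryScopeId   # '/' means tenant-wide
            }
        }
}

$helpdeskRoles = @(Get-DirectRoleAssignment -Upn $HelpdeskUpn)
$targetRoles   = @(Get-DirectRoleAssignment -Upn $TargetUpn)

# Rule as stated in the second answer: a target with admin roles needs
# Privileged Authentication Administrator; otherwise Authentication
# Administrator is sufficient (the privileged role also covers that case).
$sufficient = @('Privileged Authentication Administrator')
if ($targetRoles.Count -eq 0) { $sufficient += 'Authentication Administrator' }

$helpdeskRoles + $targetRoles | Format-Table -AutoSize

$match = @($helpdeskRoles | Where-Object { $_.Role -in $sufficient })
if ($match.Count -gt 0) {
    # Role is assigned; per the answer, a stale token is the likely cause.
    Write-Output "Role present ($($match[0].Role), scope $($match[0].Scope)). Have $HelpdeskUpn sign out and sign in again."
} else {
    Write-Output "No direct assignment found for $HelpdeskUpn. Needed: $($sufficient -join ' or ')."
}
```

A `Scope` other than `/` means the assignment is limited to that directory scope rather than the whole tenant, which is worth checking against where the target user sits.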
