25,160 questions
Priv Auth Admin can not manage per user MFA by design:
Priv Auth admins cant change authentication settings for regular users
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 1%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Todd Porter
0
Reputation points
Hello,
I have been granted authentication admin and privileged auth admin by my global admin and I can no longer change the authentication settings of users (enforced, enabled, disabled) for anyone, including non-admin users. This happened after a recent change to the look of the website to match the overall aesthetic of entra so I was wondering if there was a permission change to these roles or if its just broken and Microsoft needs to fix it.
I can confirm I can still require reregister - I just cant require that users authenticate with the authenticator and have been raising these up to my global admins to do so.
Any help you can provide is apricated because I'm at my wits end here.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Authenticator
9,350 questions
3 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2024-12-02T19:21:39.89+00:00 -
Todd Porter 0 Reputation points
2024-12-02T20:52:31.14+00:00 Hi Andy,
I just ran a test with my supervisor after she unassigned the admin license and it still failed to set the auth setting. Also this is the error message I receive when attempting.
Thanks.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2024-12-02T20:55:02.7033333+00:00 Using what role?
-
Todd Porter 0 Reputation points
2024-12-02T20:59:59.0433333+00:00 I only have authentication admin now. Here is the list-
-
Todd Porter 0 Reputation points
2024-12-02T21:03:35.99+00:00 I only have Auth admin now. Here is the list-
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2024-12-02T21:03:37.03+00:00 Ok, and this worked before as Auth Admin? I use CA policies so I never mess with that.
-
Todd Porter 0 Reputation points
2024-12-02T21:10:57.9366667+00:00 This worked before with both auth admin licenses, Im not sure why it suddenly stopped working but we have 4 admins who are setup like I am and they have the same story.
Also Im not sure what CA policy means. Do you think its worth making a ms support ticket for?
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2024-12-02T21:52:38.9066667+00:00 CA policy = Conditional Access Policy
By the way, I can reproduce this.
-
Todd Porter 0 Reputation points
2024-12-03T00:47:22.05+00:00 Do you mean reproduce the issue that neither admin licenses allow me to change settings or the conditional access policy? I think we have and E3 subscription so I don't know if ca is in it or no. Sorry for the cluelessness, new to 365 administration.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2024-12-03T12:05:38.9366667+00:00 I see the same error as you using the Auth Admin to change per user MFA.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator2024-12-09T09:17:19.1133333+00:00 Hello Todd Porter,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Todd Porter 0 Reputation points
2024-12-09T13:41:07.89+00:00 I did not, the issue still persists but I think its a microsoft issue at this point.
Sign in to comment -
-
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-12-11T10:21:38.9533333+00:00 Hello @Todd Porter ,
Thank you for reaching out Microsoft Q&A.I understand that you want to enable, disable, or enforce MFA for users, referred to as per-user MFA. You assigned the roles of Privileged Authentication Administrator and Authentication Administrator to users to change the status of per-user MFA (enable, disable, enforce). However, as stated in the documentation, Privileged Authentication Administrator cannot manage per-user MFA which was already said by Andy David - MVP in the above answer. Similarly, the Authentication Administrator role cannot manage per-user MFA (enable, disable, enforce) either. According to the document, this role can only manage MFA settings in the legacy MFA management portal, which is not managing per-user MFA. Refer to the image below for clarification.
I conducted a repro in my tenant and found that the Authentication Administrator role cannot manage per-user MFA (enable, disable, enforce). Instead, using the Authentication Policy Administrator as least privileged role allowed me to manage per-user MFA (enable, disable, enforce) successfully without any errors. for example, I tried to enable per-user-mfa for one of the user using Authentication Policy Administrator role and then when I check the per-user-mfa status of the user
still, it is in disabled state, but when I check with the per-user-mfa status with global admin the status is enabled.NOTE: With Authentication Policy Administrator role, you can enable,disable,Enforce the per-user-mfa but cannot see the status of the user after as mentioned in above image.
To enable,disable,enforce the per-user-MFA you can follow: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates#change-the-status-for-a-user
Hope this helps. Do let us know if you any further queries.
If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know.Regards,
Goutam Pratti.-
Todd Porter 0 Reputation points
2024-12-11T14:42:45.0966667+00:00 So if authentication policy admin is the least privilege role that can do this, is it possible to add this capability to a custom role or to Authentication admin? I would just like to give my higher ups options if any others are available.
-
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-12-12T06:22:48.4666667+00:00 Hello @Todd Porter ,
Thank you for your prompt response!
As I already mentioned Authentication Admin cannot enable, disable, or enforce per-user MFA. The Authentication admin can only manage MFA settings through the legacy MFA management portal. Similarly, with a custom role, it is not possible to manage per-user MFA (enable, disable, enforce). However, the custom role allows granting fine-grained access.
NOTE: As of now only Global Administrator and Authentication Policy Administrator can manage per-user-mfa(enable,disable,enforce)
For additional information follow: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-user-permissions
Hope this helps. Do let us know if you any further queries.
If this answers your query, do click
Accept AnswerandYesfor the above answer helpful. And, if you have any further query do let us know.Regards,
Goutam Pratti.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 23%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESO%3C/text%3E%3C/svg%3E)
Serpas, Omar 0 Reputation points2024-12-12T03:06:58.9166667+00:00 You state that the Authentication Administrator however I have a team of 9 helpdesk each were given Authentication Administrator role granted via PIM near the beginning of this year and for months until last week they have each been able to manage per user MFA (Enable/Disable/Enforce). That is 10 MONTHS of it working flawlessly with the Legacy MFA portal. However now the UI of the per user mfa portal is changed and their ability to manage per user mfa gives a generic "Failed to Enabled Multifactor Authentication" Error.
What is needed to get this working again? Do I need to remove the Authentication Administrator role and grant them Authentication Policy Administrator role? According to this Auth Admin is still listed as the least privileged role that will allow per user mfa to work.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#multifactor-authenticationWhat is needed to let them change the status and see the updated status of MFA? is the Legacy MFA portal still available?
-
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-12-13T09:18:24.3366667+00:00 Hello @Serpas, Omar ,
Thank you for your prompt response.
When I created a repro in my tenant using the Authentication Administrator role, I encountered the error: "Failed to Enable Multifactor Authentication." However, when I used the Authentication Policy Administrator role instead, I was able to enable, disable, and enforce per-user MFA successfully.
To answer your question: Yes, you need to remove the Authentication Administrator role and assign the Authentication Policy Administrator role. Additionally, the MFA Legacy portal is still available and still you can enable, disable Per-User MFA even though the Migration is completed in your tenant.
For more information follow: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage#legacy-mfa-and-sspr-policies
Regards,
Goutam Pratti -
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-12-16T04:31:55.82+00:00 Hello @Serpas, Omar ,
We haven’t heard from you on the last response and was just checking back to see if it answered query :)
-
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-12-17T07:13:08.2866667+00:00 Hello @Serpas, Omar ,
We haven’t heard from you on the last response and was just checking back to see if it answered query :)
Sign in to comment -