Azure AD Users MFA Settings - Global Admins only ?

Jammedherbs 21 Reputation points
2019-12-04T13:31:59.643+00:00

Hi,

Am I right in believing that only GAs can modify MFA settings for users ?

I tried experimenting with some of the recently added roles, but still couldn't find one that gave the appropriate rights.

Thanks...

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,876 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Moamen Hany 1,091 Reputation points
    2020-08-08T00:16:56.84+00:00

    You can manage it automatically by enable conditional access policy.

    https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator

    Please do not forget to "Accept the answer" and Upvote on the post that helps you, this can be beneficial to other community members.
    http://www.moamenhany.com

    3 people found this answer helpful.
    0 comments
  2. Vasil Michev 71,621 Reputation points MVP
    2019-12-04T13:36:35.637+00:00

    Yup, global admins. Authentication admins can reset MFA details for regular, but not change them: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#authentication-administrator
    Privileged auth admins can do the same, for any user.

    We should eventually get a role or API permission that allows this, but for the moment you need GA.

    2 people found this answer helpful.
  3. Zein ELnashar 121 Reputation points
    2020-08-08T12:30:06.68+00:00
    0 comments