Hi Roger Roger
Custom roles in Microsoft Entra ID support a defined set of granular permissions for user management, but not all actions are available for custom roles. The ability to require re-registration for MFA and revoke MFA sessions is not currently exposed as a customizable permission for custom roles. These actions are included in the built-in Authentication Administrator or Privileged Authentication Administrator roles.
I would appreciate it if you could share your feedback on our Azure feedback portal: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
As of now, you can't create a custom role for your requirement; you need to use the built-in roles.
To configure PIM for Entra roles, you can follow this document: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-add-role-to-user

Hope this helps. Do let us know if you have any further queries.
Please remember to "Accept Answer" if the answer helped you. This will help us as well as others in the community who might be researching similar questions.
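As an added example (not part of the answer above and not Microsoft's own sample code), the following Microsoft Graph PowerShell script does what the answer recommends: it makes a user PIM-eligible for the built-in Authentication Administrator role instead of trying to build a custom role for the MFA re-registration and session-revocation actions. The user principal name, the justification text, the eligibility duration and the choice of Authentication Administrator rather than Privileged Authentication Administrator are assumptions for illustration; it looks the role up by display name so no role ID has to be hard-coded, and it ends with a read-back so you can confirm the eligibility actually exists before handing the procedure to an operator.

```powershell
# Added example: make a user PIM-eligible for the built-in Authentication Administrator role
# via Microsoft Graph PowerShell (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules).
# Assumed inputs for illustration only:
$TargetUpn      = "alice@contoso.example"   # assumption: the operator who needs to reset/revoke MFA
$RoleName       = "Authentication Administrator"  # or "Privileged Authentication Administrator" for admins
$Justification  = "Helpdesk MFA re-registration and session revocation (ticket ref assumed)"
$EligibleFor    = "P365D"                   # ISO 8601 duration; assumption: one year of eligibility

# Scope needed to create eligibility schedule requests; Directory.Read.All to resolve the user.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","Directory.Read.All"

# Resolve the built-in role definition by display name rather than hard-coding a template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Built-in role '$RoleName' not found in this tenant." }
if (-not $role.IsBuiltIn) { throw "'$RoleName' resolved to a custom role; expected the built-in role." }

# Resolve the principal that should become eligible.
$user = Get-MgUser -UserId $TargetUpn -Property Id,UserPrincipalName
if (-not $user) { throw "User '$TargetUpn' not found." }

# Build the PIM eligibility request. DirectoryScopeId "/" = tenant-wide scope for this role.
$request = @{
    Action           = "adminAssign"
    Justification    = $Justification
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "afterDuration"
            Duration = $EligibleFor
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
Write-Host "Eligibility request status: $($result.Status)"

# Read back the eligibility schedule so the change is verified, not just submitted.
$eligibility = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($eligibility) {
    Write-Host "$TargetUpn is eligible for '$RoleName' (scope $($eligibility.DirectoryScopeId))."
} else {
    Write-Warning "No eligibility schedule found yet for $TargetUpn; check the request status in PIM."
}
```

The account running this must itself hold a role allowed to manage PIM eligibility (for example Privileged Role Administrator). The user still has to activate the role in PIM before the "Require re-register MFA" and "Revoke MFA sessions" actions become available to them, which is the point of using eligibility rather than a permanent active assignment.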