enforcing MFA

Jennifer Moczulski 1 Reputation point
2021-01-26T18:54:28.583+00:00

[Screenshot attached: 60692-screen-shot-2021-01-26-at-14623-pm.png]

I have users with global admin that are able to enable/enforce MFA for specific users in AD, but when other admins without this role try, they cannot (see screenshot). This particular admin trying does have Authentication Administrator and Priv. Authentication Admin roles assigned to them (but not global admin), as well as several other administrator roles. Is there one in particular that allows them to change this on users without assigning global admin? It also looks like if they click Manage User Settings on the same screen, that area is not changeable for them either.

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 34,626 Reputation points Microsoft Employee
    2021-01-27T00:32:05.393+00:00

    Hi @Jennifer Moczulski ,

    Are they trying to enable the MFA for an admin user by chance? If that's the case and they are using the Authentication Administrator role, that may be why they are unable to enable it. If you want to configure MFA for non-admin users, you can use the Authentication Administrator role. If you want to configure MFA for all users including admin users, you can use the Privileged Authentication Administrator role.

    https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

    If you are using Azure AD Premium, another option is to enforce MFA on the user using Conditional Access, or leverage PIM to grant the elevated role temporarily.
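A quick way to check the role situation the answer describes, as an added example (not part of the original thread or Microsoft's documentation): it assumes the Microsoft.Graph PowerShell SDK is installed, takes the acting admin's and the target user's UPNs as hypothetical parameters, and reports whether the admin holds Authentication Administrator, Privileged Authentication Administrator or Global Administrator, and whether the target user holds any directory role (which is what makes Authentication Administrator insufficient).

```powershell
# Added example, not code from the original post. Assumes Microsoft.Graph SDK and
# read access to directory role assignments. Only direct, active assignments are
# listed: PIM-eligible roles that have not been activated and roles inherited
# through group membership will not show up here.
param(
    [Parameter(Mandatory)] [string]$ActingAdminUpn,   # hypothetical parameter
    [Parameter(Mandatory)] [string]$TargetUserUpn     # hypothetical parameter
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' | Out-Null

# Resolve role definition ids to display names once, so no GUIDs are hardcoded.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

function Get-ActiveRoleNames([string]$Upn) {
    # Returns the display names of roles directly assigned to the user.
    $user = Get-MgUser -UserId $Upn -Property Id
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
        ForEach-Object { $roleNames[$_.RoleDefinitionId] }
}

$adminRoles  = @(Get-ActiveRoleNames $ActingAdminUpn)
$targetRoles = @(Get-ActiveRoleNames $TargetUserUpn)

$hasAuthAdmin     = $adminRoles -contains 'Authentication Administrator'
$hasPrivAuthAdmin = $adminRoles -contains 'Privileged Authentication Administrator'
$hasGlobalAdmin   = $adminRoles -contains 'Global Administrator'
$targetIsAdmin    = $targetRoles.Count -gt 0

Write-Host "$ActingAdminUpn roles: $($adminRoles -join ', ')"
Write-Host "$TargetUserUpn roles:  $(if ($targetIsAdmin) { $targetRoles -join ', ' } else { '(none, non-admin user)' })"

# Apply the rule from the answer: Authentication Administrator covers non-admin
# users only; Privileged Authentication Administrator (or Global Administrator)
# is needed when the target holds a directory role.
if ($hasGlobalAdmin -or $hasPrivAuthAdmin) {
    Write-Host 'Verdict: admin can manage MFA for this user (admin and non-admin targets).'
} elseif ($hasAuthAdmin -and -not $targetIsAdmin) {
    Write-Host 'Verdict: Authentication Administrator suffices; target is a non-admin user.'
} elseif ($hasAuthAdmin) {
    Write-Host 'Verdict: target holds a directory role; Privileged Authentication Administrator is required.'
} else {
    Write-Host 'Verdict: admin holds neither authentication administrator role.'
}
```

If the admin is expected to have Privileged Authentication Administrator but it does not appear in the output, check whether the assignment is a PIM-eligible one that still needs to be activated.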