MFA block - unblock

Question

MFA block - unblock

Luc Tran 31

Hello AAD Gurus!

I've been trying to find an answer to this, but can't seem to get the right information. Is there a way to unblock MFA for a user account without having to go through the global admin? We want to delegate this option to the helpdesk, we tried resetting the password via our on-prem AD and it didn't seem to work, unless i'm wrong about that?

I also looked at this article, but maybe it doesn't apply
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock

Thanks in advance for any tips

Accepted answer

5 additional answers

Your answer

Answer 1

JamesTran-MSFT 36,906 Microsoft Employee Moderator

@Luc Tran
Thank you for your post!

If you're requiring MFA via Conditional Access Policy, you can reset/require re-registration for a users MFA settings, via the Azure Portal or PowerShell. As of right now, you can do this either with Global Admin permissions, Authentication Admin permissions (only works on non-admin users), or Privileged Authentication Administrator (can manage all users to include global admin).

When you mention "unblock" if you're referring to unblocking a user within AzureAD MFA settings under the Security tab, our documentation mentions that an Admin can unblock the user's account. Using our roles and permissions documentation, I'd recommend testing this option out with either the Authentication admin or Privileged Authentication Admin to see if this feature works with those two roles.

Require re-require MFA: Reset-MsolStrongAuthenticationMethodByUpn

Connect-MsolService -AzureEnvironment AzureCloud  
$User = Get-MSolUser -UserPrincipalName "******@company.onmicrosoft.com"  
$User.StrongAuthenticationMethods  
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "******@company.onmicrosoft.com"

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Luc Tran 31 Reputation points

2021-01-29T21:53:32.18+00:00

Thanks so much for the quick reply and information James. Yes, regarding the block in MFA - is it possible that the block be removed just with a password reset? or does it actually would still need to be manually unblocked even after the password reset. Thank you!
Luc Tran 31 Reputation points

2021-01-29T22:09:44.94+00:00

or would forcing reactivation of the mfa device combined with password reset unblock? thanks
Luc Tran 31 Reputation points

2021-01-30T00:55:13.79+00:00

Hey John, i found this request, and it looks like only global admins can unblock at the MFA

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10072839-allow-the-user-admin-role-to-enable-disable-mfa-fo
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2021-02-01T22:26:41.85+00:00

@Luc Tran
Thank you for sharing this user voice item! I tested this out and it does look like you can only unblock users if you have Global Admin permissions.

I tried to access MFA using both the Authentication Admin and Privileged Authentication Admin role, and I wasn't able to open the Security tab.

If you'd like to get this unblock feature implemented with other roles, I'd definitely recommend upvoting the user voice item.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
dondreak 6 Reputation points

2022-07-27T18:57:37.377+00:00

:) I have this same exact problem. Thank you. I'll share with our team.
Currently a member of the customer's Systems Management team who doesn't know what we do and thanks to Eduard Snowden, we now have to jump through hoops to help people.
This will really help

Answer 2

Tein Mac 41

Can We have a custom Role that ONLY Unblocks/Blocks users MFA?
We want to delegate this task to our HelpDesk without giving them the other permissions that come with the Privilege Auth Admin or other roles.

Mike Dunphy 5 Reputation points

2023-03-08T15:38:47.8666667+00:00

Yes! This! It's such a pain to always have global admins do this.
Jasper Goetze 11 Reputation points

2023-09-14T11:02:23.77+00:00

I agree, currently we have around 1 case of this per day and our servicedesk has to ask the global admins to unblock.

Answer 3

Mike Teachout 6

I found this link that may help some people. Looks like Authentication Policy Administrator should do it.

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/roles/delegate-by-task.md

JDas 0 Reputation points

2023-07-13T14:15:49.92+00:00

This is still an issue as we do not want to give the Help Desk policy admin rights to unblock a user. Anyone found a PowerShell command and a role with less permissions that can accomplish this task?

Answer 4

Luc Tran 31

Thanks so much for following up John and thank you for the suggestions.

Answer 5

Luc Tran 31

Hey James,

I think MS finally released a role for MFA access, but it's actually causing my admin some issues, it almost looks as if it's a read only mode, can't upload/import or delete tokens or activate them. Not sure if you have some suggestions for that.

thanks!

Share via

MFA block - unblock

5 additional answers

Your answer