Hi @Tom CX · Thank you for reaching out.
To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:
- Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
- Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.