question

TomCX-7047 asked:

Allow support users to enable MFA for

Hello,

I have a few colleagues working on the help desk. These must be given the rights to enable MFA in AAD for new accounts but also existing accounts. As far as I can see I need to make them Azure Global Admin. Of course I don't want that. The fewer rights someone has, the better.

I added the colleagues of the support desk to the "Privileged Authentication Administrator" role. But they still can't access this page ( https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx ) to enable MFA.

I hope you can help me.

Tom

Tags: azure-active-directory, azure-ad-multi-factor-authentication

1 Answer

amanpreetsingh-msft answered:

Hi @TomCX-7047, thank you for reaching out.

To allow help desk users to enable per-user MFA via the Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:

  • Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.

  • Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

amanpreetsingh-msft commented:

Hi @TomCX-7047, just checking if you had a chance to test it out.

TomCX-7047 replied:

Thank you for the reply. We added the users, but they still can't access the page.
I double checked and the support users are added.

I found this on the internet: Privileged Authentication Administrator: This role is not currently capable of managing per-user MFA in the legacy MFA management portal. The same functions can be accomplished using the Set-MsolUser cmdlet in the Azure AD PowerShell module.

I'm not sure if this is still the case?

amanpreetsingh-msft replied:

Hi @TomCX-7047, sorry for the delay in response. Kindly use the tagging feature so that I get an email notification whenever I am tagged in a comment.

As per my testing, if the user is part of both the Authentication Policy Administrator and Privileged Authentication Administrator roles, he should be able to update per-user MFA using the Multi-factor Authentication Portal. Make sure that you sign out, close the browser and sign in again after assigning any new roles for those roles to take effect.

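The two points raised in this thread, checking that a help-desk account really holds both roles the answer names, and the Set-MsolUser route mentioned in the comment as a portal-independent way to set per-user MFA, can be done from the legacy MSOnline module. The script below is an added example written for this thread, not code from Microsoft or from the participants. It assumes the MSOnline module is installed, that Connect-MsolService has already been run as an account permitted to read role membership and update users, that the role display names returned by Get-MsolRole match the names used in the answer, and that the two UPNs are placeholders you replace with your own.

```powershell
# Added example, not part of the original thread.
# Assumes: MSOnline module installed, Connect-MsolService already run,
# and that Get-MsolRole returns the role names used in the answer.
$HelpDeskUpn = 'helpdesk.user@contoso.example'   # placeholder UPN
$TargetUpn   = 'new.employee@contoso.example'    # placeholder UPN

# 1. Verify the help-desk account holds BOTH roles from the answer.
#    A least-privilege check before touching anything: neither role alone is enough.
$RequiredRoles = @(
    'Authentication Policy Administrator',
    'Privileged Authentication Administrator'
)
foreach ($RoleName in $RequiredRoles) {
    $Role = Get-MsolRole -RoleName $RoleName
    $IsMember = Get-MsolRoleMember -RoleObjectId $Role.ObjectId |
        Where-Object { $_.EmailAddress -eq $HelpDeskUpn }
    if ($IsMember) { "OK       $RoleName" } else { "MISSING  $RoleName" }
}

# 2. Read the current per-user MFA state of the target account.
#    An empty StrongAuthenticationRequirements collection means per-user MFA is Disabled;
#    otherwise State is 'Enabled' or 'Enforced'.
$User = Get-MsolUser -UserPrincipalName $TargetUpn
if ($User.StrongAuthenticationRequirements.Count -eq 0) {
    $CurrentState = 'Disabled'
} else {
    $CurrentState = $User.StrongAuthenticationRequirements[0].State
}
"Current per-user MFA state for ${TargetUpn}: $CurrentState"

# 3. Enable per-user MFA, the cmdlet equivalent of the portal's Enable action.
$Requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$Requirement.RelyingParty = '*'      # applies to all relying parties
$Requirement.State = 'Enabled'       # 'Enforced' would skip the user's grace period
Set-MsolUser -UserPrincipalName $TargetUpn -StrongAuthenticationRequirements @($Requirement)

# To disable per-user MFA again, pass an empty collection:
# Set-MsolUser -UserPrincipalName $TargetUpn -StrongAuthenticationRequirements @()
```

Run step 1 while signed in as an administrator before handing the script to the help desk; the answer's note about signing out and back in after a role assignment applies here too, since the role check reads directory state but the help-desk user's own session token still reflects the roles held at sign-in.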