Allow support users to enable MFA for

Tom CX 1 Reputation point
2021-03-22T10:34:48.95+00:00

Hello,

I have a few colleagues working on the help desk. They must be given the rights to enable MFA in AAD for new accounts but also for existing accounts. As far as I can see I need to make them Azure Global Admin. Of course I don't want that. The fewer rights someone has, the better.

I added the colleagues from the support desk to "Privileged Authentication Administrator", but they still can't access this page ( https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx ) to enable MFA.

I hope you can help me.

Tom


2 answers

  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2021-03-22T11:09:28.713+00:00

    Hi @Tom CX · Thank you for reaching out.

    To allow help desk users to enable per user MFA via Multi-factor Authentication Portal, you need to assign both directory roles mentioned below:

    • Authentication Policy Administrator: This role will allow access to Multi-factor Authentication Portal but won't allow enabling/disabling per-user MFA.
    • Privileged Authentication Administrator: This role allows enabling/disabling per-user MFA.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

  2. Frank Smith 0 Reputation points
    2023-04-13T17:13:44.0333333+00:00

    Per AmanpreetSingh's post, I followed these steps:

    • From AAD, open the All Users blade.
    • Searched for and selected the user.
    • From the User's Profile page, I selected Assigned Roles.
    • From the Assigned Roles page, I clicked Add assignments and, from the Directory Roles list, selected both the Authentication Policy Administrator and the Privileged Authentication Administrator roles and clicked the Add button at the bottom.

    These steps immediately allowed help desk team members who were previously unable to manage MFA for users to do so. There is an Authentication Administrator role available, which won't work. Not sure if that might have been the problem for the OP or if something changed, but adding the roles as suggested by AmanpreetSingh worked.
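The same role assignment the accepted answer describes (both Authentication Policy Administrator and Privileged Authentication Administrator, and nothing broader), done with Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, the operator can manage directory role assignments, and the help-desk UPNs are placeholders.

```powershell
# Added example: assign the two directory roles from the accepted answer to
# help-desk accounts, skipping ones already present, then check that none of
# those accounts also holds Global Administrator (the role the OP wants to avoid).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$helpDeskUpns = @(
    "helpdesk1@contoso.example",   # placeholder UPN
    "helpdesk2@contoso.example"    # placeholder UPN
)
$requiredRoles = @(
    "Authentication Policy Administrator",
    "Privileged Authentication Administrator"
)

# Resolve role definitions by display name rather than hard-coding template GUIDs.
$roleDefs = @{}
foreach ($name in $requiredRoles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { throw "Role definition '$name' not found in this tenant" }
    $roleDefs[$name] = $def
}
$globalAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

foreach ($upn in $helpDeskUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName

    # Existing role assignments for this principal (any scope).
    $existing    = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
    $existingIds = @($existing | ForEach-Object { $_.RoleDefinitionId })

    foreach ($name in $requiredRoles) {
        if ($existingIds -contains $roleDefs[$name].Id) {
            Write-Host "$upn already holds $name"
            continue
        }
        # Tenant-wide scope ("/"), matching what the portal's Assigned Roles blade does.
        New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
            -RoleDefinitionId $roleDefs[$name].Id -DirectoryScopeId "/" | Out-Null
        Write-Host "Assigned $name to $upn"
    }

    # Least-privilege check: the help desk should not need Global Administrator.
    if ($existingIds -contains $globalAdmin.Id) {
        Write-Warning "$upn also holds Global Administrator; remove that assignment"
    }
}
```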