Limited group management permissions

Allen Ryan 1 Reputation point
2021-04-09T03:32:02.7+00:00

We’re implementing Azure MFA with all of our staff. Occasionally one of them will hit the “Deny” button in an MFA request, and cause their account to be “blocked”. At present, only our SysAdmins can unblock the account – often resulting in the user waiting a long time until their account is usable. We would like to delegate the ability to unblock accounts to our Service Desk, but my SysAdmins say that the only way to do it is by giving them the role of “Authentication Policy Administrator”, and this role would give them a lot of other permissions that are unnecessary for their jobs.

  • Can we somehow provide them with a role that allows them to unblock users without giving them all the other Auth Policy Admin permissions?

We have an AD group called “24hr bypass” or something along those lines. When users are added to this group, MFA is disabled for the duration of the current day. This is for any faculty or staff members who forget their phone or token at home and are unable to log in or get past the MFA prompt. I would like all of the Service Desk agents to have the ability to add users to this group, but my SysAdmins say that we need to assign them the role of “Group Administrator”, which allows them to add users to any group.

  • Can we somehow provide the SD with permission to add users to individual groups? We don’t want them to have the ability to make changes to all groups, only a select few such as this one.
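The second question is about scoping a directory role to a single group rather than the whole tenant. One supported way to do that in Microsoft Entra ID is to place the group in an administrative unit and assign the Groups Administrator role to the Service Desk scoped to that administrative unit only. The script below is an added example written for this page, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the group display names "24hr bypass" and "Service Desk" (the latter is a placeholder for whatever security group holds the Service Desk agents) and the administrative unit name "MFA bypass delegation", all of which are assumptions for illustration.

```powershell
# Added example (not from the original post): scope Groups Administrator to one group
# by putting that group in an administrative unit and assigning the role at AU scope.
# Requires the Microsoft.Graph PowerShell SDK and, in the tenant, Microsoft Entra ID P1.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Group.Read.All"

# Assumed names; adjust to the real objects in your tenant.
$bypassGroupName = "24hr bypass"
$serviceDeskGroupName = "Service Desk"   # placeholder: the group containing Service Desk agents
$auName = "MFA bypass delegation"

# Look the objects up by display name; fail early if either is missing or ambiguous.
$bypassGroup = Get-MgGroup -Filter "displayName eq '$bypassGroupName'"
$sdGroup = Get-MgGroup -Filter "displayName eq '$serviceDeskGroupName'"
if (-not $bypassGroup -or @($bypassGroup).Count -ne 1) { throw "Expected exactly one group named '$bypassGroupName'" }
if (-not $sdGroup -or @($sdGroup).Count -ne 1) { throw "Expected exactly one group named '$serviceDeskGroupName'" }

# Create (or reuse) the administrative unit that will hold only the bypass group.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $auName `
        -Description "Contains only the MFA bypass group so Service Desk can be delegated over it alone"
}

# Add the bypass group as a member of the administrative unit.
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($bypassGroup.Id)"
}

# Resolve the built-in Groups Administrator role definition by name rather than hardcoding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"
if (-not $role) { throw "Groups Administrator role definition not found" }

# Assign the role to the Service Desk group, scoped to the administrative unit only.
# Members of $sdGroup can then manage membership of groups inside the AU, and nothing outside it.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sdGroup.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verification: list assignments at this scope and confirm only the intended principal and role appear.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

Two points worth checking after running this: the administrative unit should contain only the groups you intend to delegate (anything else added to it later silently widens the Service Desk's reach), and the role assignment should be reviewed periodically alongside the other tenant-level role assignments, since it is easy to overlook scoped assignments when auditing who holds Groups Administrator.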

Microsoft Entra ID