MFA portal access with out GA role

Question

MFA portal access with out GA role

Tayla Hentula 21

Is there a way the Support desk employees can enable and disable MFA for users in our environment without having the Global admin role?

Licence: Azure AD free

2 answers

Your answer

Answer 1

Marilee Turscak-MSFT 37,206 Microsoft Employee Moderator

If you want to set up MFA for non-admin users you can use the Authentication Administrator role. If you want to configure MFA for all users, including admin users, you need at least the Privileged Authentication Administrator role. You can read more information about these roles here: https://learn.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles

-

If this answer helps resolve your question, please remember to Accept the answer. This will help others in the community who might be searching for the same solution.

Tayla Hentula 21 Reputation points

2021-12-07T09:04:40.883+00:00

I have given the administrator the ' Privileged Authentication Administrator role', but they still cannot get to the MFA portal (account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification).

Currently only the global admins have access.

As we only have Azure AD free we don't have 'Conditional Access'
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2021-12-07T19:49:55.637+00:00

Thanks for bringing this up. Yes, using the portal you can only configure this with the Global Admin role. With PowerShell you can use the Privileged Authentication Admin role or Authentication Admin role (when configuring MFA for non-admin users), as James Tran mentioned. We are working on getting the documentation updated to reflect this as the difference could be stated more clearly.

Answer 2

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Tayla Hentula
Thank you for your post!

Adding to what @Marilee Turscak-MSFT said, you can have a Security administrator, Conditional Access administrator, or Global administrator enable Security Defaults making it easier to help protect your organization from these attacks with preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to do multi-factor authentication.
Blocking legacy authentication protocols.
Requiring users to do multi-factor authentication when necessary.
Protecting privileged activities like access to the Azure portal.

Additional Link:
Azure AD Security Defaults
Conditional Access
Building a Conditional Access policy

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Tayla Hentula 21 Reputation points

2021-12-07T11:04:43.103+00:00

I have given the administrator the ' Privileged Authentication Administrator role', but they still cannot get to the MFA portal (account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification).

Currently only the global admins have access.

As we only have Azure AD free we don't have 'Conditional Access'
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-12-07T19:27:04.49+00:00

@Tayla Hentula
Thank you for following up with this!

I tried to access the Per-user MFA portal via the - Authentication Administrator, Privileged Authentication Administrator, and Authentication Policy Administrator roles which didn't work. However, I did notice that our Azure AD Built-in roles documentation for all three Admin roles mentions - "This role can't manage MFA settings in the legacy MFA management portal. The same functions can be accomplished using the Set-MsolUser commandlet Azure AD Powershell module.".

As of right now, only the Global Admin has access to the legacy MFA management portal (Per-user MFA portal). I've created a GitHub issue and PR to update our documentation.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-12-08T18:02:01.947+00:00

@Tayla Hentula
I just wanted to check in and see if you had any other questions, or if you had a chance to review mine and Marilee's responses?

Share via

MFA portal access with out GA role

2 answers

Your answer