How to delegate permissions for managing MFA in Azure Active Directory

Posted on April 10, 2019 by | 7 Comments | 13,780 Views

There are many users voice requests  and also questions in different forums ,asking for ‘How to reset MFA’ ‘how to delete permissions for managing MFA’ ‘allow service desk to reset MFA ’ . Until today ,if user want to reconfigure their MFA for several reasons ,service desk or user will reach out to Global admin who can only reset the MFA for user.

Since the Global administrator accounts are very limited (recommended not to have more than 2-3) per tenant ,it would be difficult for GA’s to be available all the time to reset MFA for end-users.

Until today ,organizations found different ways to to delegate permissions to service desk with help of PowerShell scripts and others to reset MFA for users but now ,we don't need any custom solution.

Microsoft has introduced new role called ‘Privileged Authentication Administrator’ :  Users with this role can set or reset non-password credentials for all users, including global administrators.

Privileged Authentication Administrators can force users to re-register against existing non-password credential (e.g. MFA, FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next login of all users. Privileged Authentication Administrators can:

Force users to re-register against existing non-password credential (e.g. MFA, FIDO)
Revoke ‘remember MFA on the device’, prompting for MFA on the next login

In this blog post ,we will see, how to assign permissions for managing MFA in Azure Active Directory and how service desk can reset MFA for users?

How to assign permissions ?

Login to Azure Portal using Global Administrator account https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview 

image

Click on Azure Active Directory ,click on and Roles and administrators

On the right side you will see “Privileged authentication administrator “: Allowed to view, set and reset authentication method information for any user (admin or non-admin).

image

Following are the permissions that users get when you assign this role.



Role
permissions		 Description
microsoft.aad.directory/users/invalidateAllRefreshTokens Invalidate
all user refresh tokens in Azure Active Directory.
microsoft.aad.directory/users/strongAuthentication/update Update
users.strongAuthentication property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks Read
and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks Create
and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read Read
basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks Read
and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks Create
and manage Office 365 support tickets.

image

Click on Add

image

You can only add individual users to this role but not AD security groups. So if you have many users ,you can either script it or add one by one.

Once the permissions are added, you will see the list of users . The permissions will be effective immediately to perform tasks.

image

With this ,we have completed assigning the permissions to reset MFA for users .

How does service desk or users can reset MFA ?

Service desk users can to go https://portal.azure.com or https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

Click on all users ,enter the user name or email address

image

Click on the user account

 image

Click on authentication methods on the left side

image

You will see 2 options here

Require MFA re-registration :Require this user to go through the MFA registration process again. This will not delete existing authentication methods but will require a user to validate them.

Revoke MFA sessions: Clear this user's remembered MFA sessions and require this user to perform MFA the next time it's required by policy on this device.

If you want to reset MFA for user ,click on re-registration ,you will see the operation complete on the top right corner.

image

With the permissions assignment ,it is also possible to find who reset the MFA for specific user:

How to find out who reset MFA for specific user ?

From Azure Active Directory ,all users ,search for user and click on Audit logs:

Under audit logs ,it list all activities that are initiated by user.

For MFA reset ,the activity name is Update user with category UserManagement and intiated by eswar koneti .This is the user who reset the MFA for the target user  based on the permissions that we provided above.

image

If you want to revoke the MFA sessions ,choose the other option .

This is great option to route all MFA reset options to service desk .

List of available roles can be found from https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Related Posts

7 Responses to "How to delegate permissions for managing MFA in Azure Active Directory"

      1. James · Edit

        Hi, dont think you have answered Eirc's question: Understand the reset permissions are now delegated, however Enable or Disable MFA still requires GA action, please verify?

        Reply
        1. Eswar Koneti · Edit

          Hi James,
          To reset MFA ,you dont need GA rights. You can go with role that i described in the article .IF you want to disable/enable MFA ,you need GA because this is something related to security and not operational. so you are right.

          Thanks,
          Eswar

          Reply
          2. In Vino Veritas · Edit

            He did not answer anyone's questions here. I have CONFIRMED via a recent ticket: you MUST be a GA in order to enable/disable MFA or see the MFA portal at all. This article is fine, but over-written. Simply add users to the Privileged Auth group to allow a "Reset" but those users cannot enable/disable MFA. This must be done by a GA.

            Reply

Leave a Reply