There are many users voice requests and also questions in different forums ,asking for ‘How to reset MFA’ ‘how to delete permissions for managing MFA’ ‘allow service desk to reset MFA ’ . Until today ,if user want to reconfigure their MFA for several reasons ,service desk or user will reach out to Global admin who can only reset the MFA for user.
Since the Global administrator accounts are very limited (recommended not to have more than 2-3) per tenant ,it would be difficult for GA’s to be available all the time to reset MFA for end-users.
Until today ,organizations found different ways to to delegate permissions to service desk with help of PowerShell scripts and others to reset MFA for users but now ,we don't need any custom solution.
Microsoft has introduced new role called ‘Privileged Authentication Administrator’ : Users with this role can set or reset non-password credentials for all users, including global administrators.
Privileged Authentication Administrators can force users to re-register against existing non-password credential (e.g. MFA, FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next login of all users. Privileged Authentication Administrators can:
Force users to re-register against existing non-password credential (e.g. MFA, FIDO)
Revoke ‘remember MFA on the device’, prompting for MFA on the next login
In this blog post ,we will see, how to assign permissions for managing MFA in Azure Active Directory and how service desk can reset MFA for users?
How to assign permissions ?
Login to Azure Portal using Global Administrator account https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
Click on Azure Active Directory ,click on and Roles and administrators
On the right side you will see “Privileged authentication administrator “: Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Following are the permissions that users get when you assign this role.
| Role permissions |
Description |
| microsoft.aad.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
| microsoft.aad.directory/users/strongAuthentication/update | Update users.strongAuthentication property in Azure Active Directory. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Click on Add
You can only add individual users to this role but not AD security groups. So if you have many users ,you can either script it or add one by one.
Once the permissions are added, you will see the list of users . The permissions will be effective immediately to perform tasks.
With this ,we have completed assigning the permissions to reset MFA for users .
How does service desk or users can reset MFA ?
Service desk users can to go https://portal.azure.com or https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
Click on all users ,enter the user name or email address
Click on the user account
Click on authentication methods on the left side
You will see 2 options here
Require MFA re-registration :Require this user to go through the MFA registration process again. This will not delete existing authentication methods but will require a user to validate them.
Revoke MFA sessions: Clear this user's remembered MFA sessions and require this user to perform MFA the next time it's required by policy on this device.
If you want to reset MFA for user ,click on re-registration ,you will see the operation complete on the top right corner.
With the permissions assignment ,it is also possible to find who reset the MFA for specific user:
How to find out who reset MFA for specific user ?
From Azure Active Directory ,all users ,search for user and click on Audit logs:
Under audit logs ,it list all activities that are initiated by user.
For MFA reset ,the activity name is Update user with category UserManagement and intiated by eswar koneti .This is the user who reset the MFA for the target user based on the permissions that we provided above.
If you want to revoke the MFA sessions ,choose the other option .
This is great option to route all MFA reset options to service desk .
List of available roles can be found from https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Is the global admin still the only role that is permitted to enable and disable MFA? Or can these activities be delegated too?
Mfa reset permissions are now delegated to users with the newly created role as described in the blog post.
Hi, dont think you have answered Eirc's question: Understand the reset permissions are now delegated, however Enable or Disable MFA still requires GA action, please verify?
Hi James,
To reset MFA ,you dont need GA rights. You can go with role that i described in the article .IF you want to disable/enable MFA ,you need GA because this is something related to security and not operational. so you are right.
Thanks,
Eswar
Be careful. This role also grants the ability to reset user passwords. Including those of Global Administrators!
He did not answer anyone's questions here. I have CONFIRMED via a recent ticket: you MUST be a GA in order to enable/disable MFA or see the MFA portal at all. This article is fine, but over-written. Simply add users to the Privileged Auth group to allow a "Reset" but those users cannot enable/disable MFA. This must be done by a GA.
Hi,
You dont need to be GA to reset the MFA for users. Please read the docs available in Microsoft https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#privileged-authentication-administrator for more information and i have done this for many customers by delegating to helpdesk to reset MFA.
Thanks,
Eswar
Eswar,
I believe this conversation has gone into confusion due to the fact that there are two locations from which MFA is managed in AzureAD.
I believe In Vino Veritas is referring to the MFA Portal which you can open by clicking on the "Multi-Factor Authentication" button within AzureAD Portal when in Users view:
https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx
The feature in question is the ability to select an AzureAD user from the list on the MFA portal and Enable/Disable/Enforce MFA status.
This can be done through PowerShell but if there is a GUI link, why not use it?
Privileged Authentication admins may "reset" and "force re-register" MFA within AzureAD portal, but the Enable/Disable/Enforce functions on the MFA portal are greyed out. So far it seems that only Global Admins can use that function.
My question would be: is there a setting within RBAC that we could apply to a custom role which will enable the functions described on the MFA portal?
Hopefully this opens up the question in a better light.
Hi,
Thanks for clearing this up. I know where you are coming from now. I should have mentioned clear in the post that, the delegation that i was referring to is more of user properties and re-register MFA. This is possible with the existing permissions that the blog post is talking about.
If you are looking for something specific to MFA portal to enable or disable, i did not really check further on that portion with the help of current roles.
I will look at it and update you if that is possible.
Thanks,
Eswar