    How to delegate permissions for managing MFA in Azure Active Directory

    By Eswar Koneti, April 10, 11:07 am. 4 Mins Read. Azure Active Directory. 61,838 Views

    There are many user voice requests and questions in different forums asking ‘How to reset MFA’, ‘How to delegate permissions for managing MFA’ and ‘Allow the service desk to reset MFA’. Until today, if a user wanted to reconfigure their MFA for any reason, the service desk or the user had to reach out to a Global Administrator, the only role able to reset MFA for a user.

    Since Global Administrator accounts are very limited (the recommendation is to have no more than 2-3 per tenant), it is difficult for GAs to be available all the time to reset MFA for end users.

    Until now, organizations have found different ways to delegate permissions to the service desk, with the help of PowerShell scripts and other custom tooling, to reset MFA for users. Now we don't need any custom solution.

    Microsoft has introduced a new role called ‘Privileged Authentication Administrator’: users with this role can set or reset non-password credentials for all users, including Global Administrators.

    Privileged Authentication Administrators can:

    Force users to re-register against an existing non-password credential (e.g. MFA, FIDO)
    Revoke ‘remember MFA on the device’, prompting for MFA on the next login

    In this blog post, we will see how to assign permissions for managing MFA in Azure Active Directory and how the service desk can reset MFA for users.

    How to assign permissions?

    Log in to the Azure Portal using a Global Administrator account: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview


    Click on Azure Active Directory, then click on Roles and administrators.

    On the right side you will see “Privileged authentication administrator”: allowed to view, set and reset authentication method information for any user (admin or non-admin).


    Following are the permissions that users get when you assign this role.



    Role permission                                              Description
    microsoft.aad.directory/users/invalidateAllRefreshTokens     Invalidate all user refresh tokens in Azure Active Directory.
    microsoft.aad.directory/users/strongAuthentication/update    Update the users.strongAuthentication property in Azure Active Directory.
    microsoft.azure.serviceHealth/allEntities/allTasks           Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks          Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read         Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks       Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks      Create and manage Office 365 support tickets.


    Click on Add.


    You can only add individual users to this role, not AD security groups. So if you have many users, you can either script it or add them one by one.
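    The scripted route, as an added example that is not part of the original post: it assigns the role to a list of users with the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and can be re-run safely. It assumes the caller is a Global Administrator with the listed scopes consented; the UPNs are constructed placeholders.

```powershell
# Added example (not from the original post): bulk-assign the Privileged
# Authentication Administrator role with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller is a Global Administrator.
# The UPNs below are constructed placeholders.
$roleName = 'Privileged Authentication Administrator'
$upns = @('helpdesk1@contoso.example', 'helpdesk2@contoso.example')

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Built-in roles only appear under directoryRoles once activated; activate from the template if needed.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Current members, so re-running the script does not fail on duplicate assignments.
$existing = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id

foreach ($upn in $upns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    if ($existing -contains $user.Id) {
        Write-Host "Already a member: $upn"
        continue
    }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Assigned $roleName to $upn"
}

# Review the final membership: this role can reset credentials of any user, including Global Administrators,
# so the member list should stay short and be reviewed periodically.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```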

    Once the permissions are added, you will see the list of users. The permissions are effective immediately.


    With this, we have completed assigning the permissions to reset MFA for users.

    How can the service desk or users reset MFA?

    Service desk users can go to https://portal.azure.com or https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

    Click on All users, then enter the user name or email address.


    Click on the user account.


    Click on Authentication methods on the left side.


    You will see 2 options here:

    Require MFA re-registration: require this user to go through the MFA registration process again. This will not delete existing authentication methods but will require the user to validate them.

    Revoke MFA sessions: clear this user's remembered MFA sessions and require this user to perform MFA the next time it's required by policy on this device.

    If you want to reset MFA for the user, click on Require MFA re-registration; you will see the operation complete notification in the top right corner.


    With this permission assignment, it is also possible to find out who reset the MFA for a specific user.

    How to find out who reset MFA for a specific user?

    From Azure Active Directory, All users, search for the user and click on Audit logs.

    Under Audit logs, it lists all activities related to the user.

    For an MFA reset, the activity name is Update user, with category UserManagement, initiated by eswar koneti. This is the user who reset the MFA for the target user, based on the permissions we assigned above.
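    The same lookup done from PowerShell, as an added example that is not part of the original post: it pulls the Update user / UserManagement audit events for one account through Microsoft Graph PowerShell (Microsoft.Graph.Reports) and shows who initiated each one and which properties changed. It assumes AuditLog.Read.All is consented and that the Graph directoryAudits endpoint accepts the targetResources/any filter; the UPN is a constructed placeholder.

```powershell
# Added example (not from the original post): list who performed 'Update user'
# operations against one account, using Microsoft Graph PowerShell.
# Assumes AuditLog.Read.All is granted; the UPN below is a constructed placeholder.
$targetUpn = 'alice@contoso.example'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$target = Get-MgUser -UserId $targetUpn -ErrorAction Stop

# Filter server-side on the activity, category and target object id that the user's Audit logs blade shows.
$filter = "activityDisplayName eq 'Update user' and category eq 'UserManagement' " +
          "and activityDateTime ge $since " +
          "and targetResources/any(t: t/id eq '$($target.Id)')"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    ForEach-Object {
        [pscustomobject]@{
            When        = $_.ActivityDateTime
            InitiatedBy = $_.InitiatedBy.User.UserPrincipalName
            Result      = $_.Result
            # Names of the properties changed on the target, so an MFA re-registration
            # can be told apart from other user edits that also log as 'Update user'.
            Changed     = ($_.TargetResources |
                           Where-Object Id -eq $target.Id |
                           ForEach-Object { $_.ModifiedProperties.DisplayName }) -join ', '
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

    Widen or narrow $since to match your tenant's audit log retention; events older than the retention window are not returned.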


    If you want to revoke the MFA sessions, choose the other option.

    This is a great option to route all MFA reset requests to the service desk.

    The list of available roles can be found at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles


    10 Comments

    1. nobody on October 20, 2022 9:42 PM

      And what if you want your helpdesk to be able to reset MFA/passwords except for admin accounts...?

    2. Eric on June 5, 2019 2:48 PM

      Is the global admin still the only role that is permitted to enable and disable MFA? Or can these activities be delegated too?

      • Eswar Koneti on June 5, 2019 3:00 PM

        Mfa reset permissions are now delegated to users with the newly created role as described in the blog post.

        • James on June 13, 2019 5:31 PM

          Hi, don't think you have answered Eric's question: understand the reset permissions are now delegated, however Enable or Disable MFA still requires GA action, please verify?

          • Eswar Koneti on June 25, 2019 10:54 PM

            Hi James,
            To reset MFA, you don't need GA rights. You can go with the role that I described in the article. If you want to disable/enable MFA, you need GA because this is something related to security and not operational. So you are right.

            Thanks,
            Eswar

            • ginolard on July 14, 2020 6:42 PM

              Be careful. This role also grants the ability to reset user passwords. Including those of Global Administrators!

            • In Vino Veritas on September 15, 2020 10:20 PM

              He did not answer anyone's questions here. I have CONFIRMED via a recent ticket: you MUST be a GA in order to enable/disable MFA or see the MFA portal at all. This article is fine, but over-written. Simply add users to the Privileged Auth group to allow a "Reset" but those users cannot enable/disable MFA. This must be done by a GA.

              • Eswar Koneti on September 15, 2020 10:26 PM

                Hi,
                You don't need to be GA to reset the MFA for users. Please read the docs available from Microsoft at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#privileged-authentication-administrator for more information, and I have done this for many customers by delegating to the helpdesk to reset MFA.

                Thanks,
                Eswar

              • Dmitry on December 2, 2020 9:10 PM

                Eswar,

                I believe this conversation has gone into confusion due to the fact that there are two locations from which MFA is managed in AzureAD.

                I believe In Vino Veritas is referring to the MFA Portal which you can open by clicking on the "Multi-Factor Authentication" button within AzureAD Portal when in Users view:

                https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

                The feature in question is the ability to select an AzureAD user from the list on the MFA portal and Enable/Disable/Enforce MFA status.
                This can be done through PowerShell but if there is a GUI link, why not use it?

                Privileged Authentication admins may "reset" and "force re-register" MFA within AzureAD portal, but the Enable/Disable/Enforce functions on the MFA portal are greyed out. So far it seems that only Global Admins can use that function.

                My question would be: is there a setting within RBAC that we could apply to a custom role which will enable the functions described on the MFA portal?

                Hopefully this opens up the question in a better light.

              • Eswar Koneti on December 12, 2020 10:40 AM

                Hi,
                Thanks for clearing this up. I know where you are coming from now. I should have mentioned clearly in the post that the delegation I was referring to is more about user properties and re-registering MFA. This is possible with the existing permissions that the blog post is talking about.
                If you are looking for something specific to the MFA portal to enable or disable, I did not really check further on that portion with the help of the current roles.
                I will look at it and update you if that is possible.

                Thanks,
                Eswar

    Author

    I’m Eswar Koneti, a tech enthusiast, security advocate, and your guide to Microsoft Intune and Modern Device Management. My goal? To turn complex tech into actionable insights for a streamlined management experience. Let’s navigate this journey together!


    © Copyright 2009-2024 Eswar Koneti, All rights reserved.
