05 November 2019

Delegate permissions for managing MFA - Reset MFA rights for the helpdesk

There is a request for this on UserVoice:


To be able to delegate the permission of administering user account MFA settings, like enable/disable, forcing reset of MFA code, etc.
Currently the Global Admin permission is needed. It would be very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
But there is a way: the "Authentication Administrator" role in Azure AD.
Adding a "Support" user to this role gives that user the rights to reset MFA settings for users that have MFA set up, limited to non-admin accounts.
Members of this role also can't reset their own accounts.
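
One way to make this assignment from PowerShell, as an added example that is not part of the original post. It assumes the AzureAD module is installed and that you sign in with an account allowed to assign directory roles; the UPN `support@contoso.example` is a constructed placeholder.

```powershell
# Added example: assign the "Authentication Administrator" role to a helpdesk account
# instead of Global Admin, then list who holds the role.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$roleName   = 'Authentication Administrator'
$supportUpn = 'support@contoso.example'   # constructed placeholder, replace with your helpdesk account

$user = Get-AzureADUser -ObjectId $supportUpn -ErrorAction Stop

# A directory role is only returned by Get-AzureADDirectoryRole once it has been
# activated in the tenant, so activate it from its template if it is missing.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "Role template '$roleName' not found in this tenant." }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}

# Add the user only if not already a member (a duplicate add returns an error).
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
if ($members.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
}

# Least-privilege check: the delegation is pointless if the same account is also a
# Global Admin. The module has shown this role under either display name.
$globalAdminRoles = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in 'Company Administrator', 'Global Administrator' }
foreach ($ga in $globalAdminRoles) {
    $gaMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId)
    if ($gaMembers.ObjectId -contains $user.ObjectId) {
        Write-Warning "$supportUpn is also a member of '$($ga.DisplayName)'; remove it to keep the helpdesk account least-privileged."
    }
}

# Current holders of the role, for periodic review.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName, ObjectId
```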