There is a request for this on uservoice :
https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/17429305-delegate-permissions-for-managing-mfa
To be able to delegate the permission of administering user account MFA setting like enable/disabled forcing reset of MFA code etc.
Currently the Global Admin permission is needed. It would be able very useful to delegate this to a service desk function without having to provide full admin access to the tenant.
But there is a way, it's called the "Authentication Administrator" role in AzureAD.
Adding a "Support" user to this role gives him the rights to reset MFA settings for users that have MFA setup, and non-admin accounts.
Also they can't reset their own accounts.
Nice
No comments:
Post a Comment