Mark Minasi's Tech Forum
lady_mcse

Senior Member
Posts: 103
Our organization has Multifactor authorization turned on for Office 365. We encourage our employees to use the O365 mobile app for authentication when they have a company-issued phone. But for those who don't have a corporate-issued phone, or those who don't read our instructions carefully enough, they sometimes find themselves without a way to do that extra authentication, so they need their MFA reset.

For clarification, here's the Microsoft Doc about the process I'm talking about: 
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-manage-users-and-devices#comments-container

So the problem is, this process as documented requires Global Admin on the tenant to do it. That means our helpdesk techs are taking calls that have a fairly simple and straightforward resolution, but they have to forward to the O365 admins to finish. That's just absurd. It's like saying you have to be a domain admin to reset a password.

By all means, if someone knows of a workaround for this, I'm all ears.  I tried digging into what each of the Admin roles can do, hoping that if we could just give one or two helpdesk people some special role that wasn't quite global admin, maybe that would help.  But I wasn't able to find anything, only able to find complaints about how you have to be a global admin.  

So this is my public whine/complaint about this ... and now a request.  If you've got an account with Microsoft and some UserVoice votes to spare ... please go vote for this!  It's on page 1 now of the O365 admin improvement ... I'm hoping it'll bump up a bit more.  

https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/17429305-delegate-permissions-for-managing-mfa



wobble_wobble

Associate Troublemaker Apprentice
Posts: 892
Hahahahahaha

Azure Client to Site VPN needs local admin rights to run.....


I did find a way around that, but yes there are many gaps in the security fence.

__________________
Have you tried turning it off and walking away? The next person can fix it!

lady_mcse

Senior Member
Posts: 103
Somewhat of an update, although not much of one.

I found another thread about MFA delegation on the Azure AD uservoice.  On there, someone representing the Azure AD team has said that the feature is on the roadmap.  But they aren't coming back to answer any more info on when.  I continue to not find it on the roadmap.  

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10072839-allow-the-user-admin-role-to-enable-disable-mfa-fo