what role is now required to enable/enforce MFA on user by user basis?
Posted by ubihelp702@reddit | sysadmin | 14 comments
Our company has some lower level technicians that only have certain roles (not global admin, will list the roles we provided to lower techs below) and they used to be able to enable and enforce multifactor authentication on a user by user basis. Recently Microsoft migrated these pages to Entra and I guess broke the permissions/roles, as my techs are reporting they can no longer do this (failed to enable multifactor authentication, unexpected error when enabling multifactor authentication).
I attempted a Microsoft support request and the first question he asked me was "you want help enabling MFA globally?" to which I replied no, and restated everything I put in the ticket, which is basically the above. He replied with "ok, they need global admin." So I'm not sure if he fully understood or not and he would not budge past telling me I now have to give all my lower level techs global admin, which seems insane to me.
Does anyone know how I can fix this without giving global admin?
Here's the roles my techs have:
Admin center access:
Authentication Administrator
Exchange Administrator
License Administrator
Privileged Authentication Administrator
Security Reader
Sharepoint Administrator
Teams Administrator
User Administrator
Collaboration:
Exchange Administrator
Sharepoint Administrator
Teams Administrator
Identity:
Authentication Administrator
License Administrator
Privileged Authentication
User Administrator
Read-only:
Security Reader
Agreeable_Judge_3559@reddit
You could consider a PAM solution that can help by enabling granular role delegation, allowing your technicians to manage MFA without needing Global Admin rights. It provides just-in-time access, custom workflows for specific tasks like enabling MFA, and detailed activity logs for security and compliance. If the existing native roles don’t suffice, consider a solution like Securden Unified PAM to bridge the gap. (Disclosure: I work for Securden.)
WorkFoundMyOldAcct@reddit
Are you talking about your techs needing access to the “per-user MFA settings” options within EntraID?
Also, do you have Security Default settings enabled, or disabled?
anonymousITCoward@reddit
I thought MS was moving way from Security Defaults and going to Conditional Access, and that Per-User MFA was no longer suggested at all...
disclosure5@reddit
Two separate things there.
Per user MFA is no longer suggested and MS is phasing it out. The replacements are either Conditional Access or Security Defaults. CA requires licensing that a lot of orgs don't have, and Security Defaults are enabled by Default and MS encourage you to leave it enabled unless you know what you're doing with CA. Over all this is the best strategy I think. The majority of SMBs have no idea how to setup a CA and are better off just letting a Security Default offer good defaults.
anonymousITCoward@reddit
Ahh thanks for the clarification
ubihelp702@reddit (OP)
> Also, do you have Security Default settings enabled, or disabled?
Where would i check this?
iamMRmiagi@reddit
Entra > Identity > Properties > Security Defaults.
Security defaults is used if you don't have access to conditional access. https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults .
ubihelp702@reddit (OP)
I'm talking about going to this page: Per-user multifactor authentication - Microsoft Entra admin center or this page https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365 and then searching for the user, putting a check mark next to them, clicking enable MFA and then going back and clicking enforce. It is only working for me now on my user because I have global admin, and the techs with the roles in my post get the error message.
iamMRmiagi@reddit
it's authentication policy admin - but that setting is moving to Entra. https://www.anoopcnair.com/per-user-multifactor-authentication-to-entra-id/ . Looks like Anoop has more up-to-date docs than msft. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates and https://learn.microsoft.com/en-us/entra/identity/monitoring-health/recommendation-turn-off-per-user-mfa
gubber-blump@reddit
The Microsoft rep is going by what's currently recommended. Per user MFA is actively being deprecated and I wouldn't really worry about making it work at this point. Start looking at conditional access to require all users complete MFA on sign in. You can make exclusions for a handful of accounts if needed. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength
cantuse@reddit
I don't think anybody actually answered this question. You need a full on global admin account to have access to the "legacy" per-user MFA page.
Ref: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
So to answer your question, no.
disclosure5@reddit
Let me put this in modern terms:
Create a Conditional Access policy which requires MFA for members of a group. Make your tech a User Administrator so they can add to that group on demand. Low Level helpdesk probably already need User Administrator to take care of 90% of L1 tickets.
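The group-scoped Conditional Access setup described in the comment above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from the thread or from Microsoft's docs). It assumes a one-time setup by an account holding Conditional Access Administrator or Global Admin; the group names, policy name and UPN are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.ReadWrite.All","User.Read.All"

# Conditional Access policies cannot be enabled while Security Defaults are on
# (Entra > Identity > Properties > Security Defaults in the portal), so check first.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    throw "Security Defaults are enabled; disable them before enabling Conditional Access policies."
}

# Group whose members must satisfy MFA. Helpdesk staff holding User Administrator
# enforce MFA for a user simply by adding that user here. (Constructed names.)
$mfaGroup = New-MgGroup -DisplayName "CA-Require-MFA" -MailNickname "ca-require-mfa" `
    -MailEnabled:$false -SecurityEnabled:$true
# Exclusion group for break-glass accounts so a bad policy cannot lock out every admin.
$bgGroup  = New-MgGroup -DisplayName "CA-Exclude-BreakGlass" -MailNickname "ca-exclude-breakglass" `
    -MailEnabled:$false -SecurityEnabled:$true

$policy = @{
    DisplayName = "Require MFA for CA-Require-MFA members"
    # Start in report-only mode; switch to "enabled" after reviewing the sign-in logs.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeGroups = @($mfaGroup.Id)
            ExcludeGroups = @($bgGroup.Id)
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Day-to-day operation: a User Administrator puts one user under the policy.
$user = Get-MgUser -UserId "alice@contoso.example"   # constructed placeholder UPN
New-MgGroupMember -GroupId $mfaGroup.Id -DirectoryObjectId $user.Id
```

The helpdesk account only needs rights to change the group's membership, not any Conditional Access permission, so the policy itself stays out of their reach.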
ubihelp702@reddit (OP)
the conditional access policy will enable and enforce MFA on anyone added to the group?
disclosure5@reddit
Yes.
Why is there anyone who doesn't have MFA enabled though?