Which Role to assign MFA OATH tokens?

Christian Horn 26 Reputation points
2021-01-22T11:13:05.467+00:00

I'd like my supporters to be able to work with the OATH tokens blade (https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/HardwareTokens/fromProviders/), i.e. upload CSVs and enable/disable devices.
Currently only a Global Admin can do so, and I haven't been able to figure out which role covers those rights or how to create a custom role for this particular feature. Of course, I can't give a bunch of L1 supporters the Global Admin role just because of this simple routine task, but I also have to delegate this eventually...

Thanks,
br
Chris

  1. Marilee Turscak-MSFT 34,311 Reputation points Microsoft Employee
    2021-01-22T21:58:36.517+00:00

    To enable or disable a device you need either the Global Administrator or Cloud Device Administrator role in Azure AD. https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

    Authentication administrator and Privileged authentication administrator roles can manage authentication methods but that doesn't seem to suit your particular needs.


  2. Christian Horn 26 Reputation points
    2021-01-26T15:12:44.877+00:00

    I'm afraid Cloud Device Administrator doesn't work; it doesn't seem to cover those hardware tokens. At least not for write access; reading the settings is allowed.
    Global Admin does work, of course, so I'd assume there's a role permission for this. The question is which one...


  3. Marilee Turscak-MSFT 34,311 Reputation points Microsoft Employee
    2021-01-28T19:18:27.39+00:00

    You're right. For enabling or disabling a device you can be a Global Admin or Cloud Device Admin, but for assigning OATH tokens you need to be a Global Admin.

    However, as this related discussion mentions, at least you are able to do it in bulk, and there is a feedback item open on UserVoice for this ability to be made available to other users.


  4. Jeroen i-Dienst 1 Reputation point
    2021-10-13T17:51:40.71+00:00

    Is there already a case open, and is there a status update? We are having the same issue...