EE-9037 asked LuDaiMSFT-0289 commented

Authentication Administrator cannot revoke MFA for non-admin users when non-admin users are assigned Intune Configuration Profile for Wifi

Hi,

I discovered an issue wherein if a user is assigned an Intune Device Configuration Profile for Wifi (using the Wifi template), our Helpdesk staff who have the Authentication Administrator role can't Revoke MFA Session or Require re-register MFA in Azure for non-admin users. To fix it, I have to give the Helpdesk the "Privileged Authentication Administrator" role.

This started happening when I created the wifi profile and assigned users to it. Clearly, this is the cause of the issue, but I don't understand its relation to MFA.

Is this a bug, or could someone please explain the relationship or why this is happening? Thank you.

EE-9037 answered LuDaiMSFT-0289 commented

To follow up on this, Microsoft support was able to reproduce the behavior I had, and it was by design. They said in summary that assigning users a wifi profile on Intune gives users some elevated privilege to receive the profile. Hence, the users' MFA can only be revoked by the Privileged Authentication Admins and no longer by my Authentication Administrators.

@EE-9037 Thanks for your feedback. It is very helpful. This is something that is easy to overlook.

Thanks a lot and have a nice day. : )

LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@EE-9037 Thanks for posting in our Q&A.

For this issue, I haven't met it before. Based on my experience, a wifi profile has no relationship to MFA. To clarify this issue, we would appreciate your help in collecting some information:

1. Please don't deploy the wifi profile to the user and try to revoke MFA to double confirm.
2. When you couldn't revoke MFA, was the option greyed out or did the revoke fail? If the revoke failed, please show the error message.

If there is any update, feel free to let us know.


@EE-9037 I am currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns about the recent information I've provided, please don't hesitate to let me know.

Hello,

Thanks for your time replying. I opened a ticket with Microsoft and they were able to duplicate the issue. I am still waiting for closure if this is by design.

For #1, I already confirmed that if the wifi profile is not assigned to the user, Authentication Administrators can Revoke MFA and Re-require MFA. As soon as I assign them to the Wifi profile group, those two options become unavailable (grayed out). I apparently cannot revoke MFA because it is not an allowed action for them. There is no failure or error message to show. I had to elevate their security to Privileged Authentication Administrators. There is obviously no relation between the two functions that I could think of. This could be a bug or by design; we never knew what and why. I will keep this post updated once I have more information.

@EE-9037 Thanks for your response. I agree with you that this is a very strange phenomenon. Let's look forward to the reply of the phone support.

Thanks and have a nice day. : )
