Is it possible within the MFA process to assign new MFA Tokens within your Azure environment without needing to be a full SysAdmin access user? (Or have global user access if you prefer the term)
For example, when a new colleague joins a global business, and a new laptop, phone, MFA Token etc. are required, these would go to the service desk.
Currently, I've been led to believe that the MFA Token can only be authorised by a full Azure SysAdmin AD account. This means we're limited to the number of people who can authorise MFA tokens, usually the network infrastructure security team, but they already have a heavy workload, so I'm looking for a process to delegate the workload to the service desk.
Can you assign this process to someone with only read/write type level AD access within an Azure environment? I'm being told this is not possible!
In order to achieve a process that allows the service desk to manage the process of issuing MFA Tokens, is it possible to create a user AD group that can process a new MFA Token and assign it within Azure?
If we gave full access to additional service desk users outside of the network infrastructure security team, alarm bells would be ringing and that would be a risk of cataclysmic proportions.
Apologies if this doesn't make much sense, I'm new to the MFA authentication process with the inclusion of tokens.