NickDavenport-3847 asked JamesHamil-MSFT answered

MFA Token Authentication in Azure Without having to be SysAdmin

Is it possible within the MFA process to assign new MFA Tokens within your Azure environment without needing to be a full SysAdmin access user? (Or have global user access if you prefer the term)

For example, when a new colleague joins a global business, and a new laptop, phone, MFA Token etc. are required, these would go to the service desk.

Currently, I've been led to believe that the MFA Token can only be authorised by a full Azure SysAdmin AD account. This means we're limited to the number of people who can authorise MFA tokens, usually the network infrastructure security team, but they already have a heavy workload, so I'm looking for a process to delegate the workload to the service desk.

Can you assign this process to someone with only read/write type level AD access within an Azure environment? I'm being told this is not possible!

In order to achieve a process that allows the service desk to manage the process of issuing MFA Tokens, is it possible to create a user AD group that can process a new MFA Token and assign it within Azure?

If we gave full access to additional service desk users outside of the network infrastructure security team, alarm bells would be ringing and that would be a risk of cataclysmic proportions.

Apologies if this doesn't make much sense, I'm new to the MFA authentication process with the inclusion of tokens.

azure-ad-domain-services

1 Answer

JamesHamil-MSFT answered

Hi @NickDavenport-3847, have you looked into custom roles? With custom roles you can create unique roles with unique permissions. This way you can give certain permissions that only global admins have to other users without making them admins. Please let me know if you have any questions or if I misunderstood the question.

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James

