How to grant permissions for resetting 2FA for O365 accounts
If you need to grant permissions for resetting 2FA for O365 accounts, this guide should help.
Until recently, in order to reset 2FA for O365 or Microsoft 365 users, your account had to be a member of the Global admin group. Microsoft has finally added a built-in role that lets non-global admins reset 2FA for users without giving them additional, unnecessary permissions.
Here’s how to do it:
Navigate to the Azure Portal for your tenant. From the home screen, navigate to Azure Active Directory.
In the left pane, click on Roles and Administrators. In the right pane, click on Privileged authentication administrator.
Click on Add assignments and add your users.
Keep in mind that this role grants users permission to view, set, and reset authentication method information for any user (admin or non-admin).
Here’s the full description:
Users with this role can view the current authentication method information and set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (e.g. MFA, FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next login of all users.
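The same assignment can be made from PowerShell, followed by a listing of everyone who holds the role so that membership can be reviewed. This is an added example, not part of the original guide; it assumes the Microsoft.Graph PowerShell module is installed, and the user name is a constructed placeholder.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
# The UPN below is a constructed placeholder; replace it with a real account.
$upn = 'helpdesk.user@contoso.example'

# Sign in with rights to read users and manage directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Look up the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Privileged Authentication Administrator'"
if (-not $role) { throw 'Role definition not found in this tenant.' }

$user = Get-MgUser -UserId $upn

# Current tenant-wide and scoped assignments of this role.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

# Assign at tenant scope ('/') only if the user does not already hold the role.
if (-not ($assignments | Where-Object PrincipalId -eq $user.Id)) {
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $user.Id `
        -DirectoryScopeId '/' | Out-Null
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All
}

# Review: list every principal that can reset authentication methods,
# including for global administrators. Keep this list short.
$assignments | ForEach-Object {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    [pscustomobject]@{
        Name        = $obj.AdditionalProperties['displayName']
        Type        = $obj.AdditionalProperties['@odata.type']
        PrincipalId = $_.PrincipalId
        Scope       = $_.DirectoryScopeId
    }
} | Format-Table -AutoSize
```

Re-running the final listing on a schedule and comparing it with the expected set of helpdesk accounts shows when someone has been added to the role unexpectedly.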
Hopefully, this tutorial will help you grant permission for resetting 2FA for O365 accounts. Comments are welcome!