You can grant users the ability to manage Office365/Azure 2FA/MFA policies and settings without having to assign them Global Admin permissions. This is useful when you have multiple IT staff managing users and want fine-grained permissions without giving those staff full Global Admin permission. The fewer Global Admins there are on a tenant, the more secure the tenant remains.

Go to the Entra Admin center and click on the user to whom you wish to delegate 2FA/MFA management. Click on Assigned roles and add an assignment.


From the roles list, add the role: Authentication Policy Administrator


Users with this role can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials.
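
The same assignment can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the UPN is a constructed placeholder, and the closing Global Administrator count goes beyond the portal steps to support the point about keeping Global Admins few.

```powershell
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The UPN is a constructed placeholder; replace it with the delegate's sign-in name.
$upn      = 'helpdesk.user@contoso.example'
$roleName = 'Authentication Policy Administrator'

# The signed-in admin must be allowed to assign directory roles
# (for example, a Privileged Role Administrator).
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $upn -ErrorAction Stop

# Resolve the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found in this tenant." }

# List the user's current assignments and check whether the role is already present.
$existing = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
    Where-Object { $_.RoleDefinitionId -eq $role.Id })

if ($existing.Count -gt 0) {
    Write-Host "$upn already holds $roleName."
} else {
    # DirectoryScopeId '/' makes the assignment tenant-wide, as in the portal steps.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned $roleName to $upn."
}

# Count the principals that still hold an active Global Administrator assignment.
# Eligible-only (PIM) assignments are not included in this list.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$gaAssignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'" -All)
Write-Host "Active Global Administrator assignments: $($gaAssignments.Count)"
```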
