Good news: you don't need to be a Global Administrator to manage Multi-Factor Authentication (MFA) or authentication methods.
A new role, Authentication Policy Admin, lets you delegate management of authentication methods, covering the MFA and password protection policies.
NOTE: the legacy MFA settings are not available to the Authentication Policy Admin role.
Below is a comparison table of the permissions held by the Authentication Administrator, Privileged Authentication Administrator and Authentication Policy Administrator roles:
| Role | User's auth methods | Per-user MFA | MFA settings | Auth method policy | Password protection policy |
|---|---|---|---|---|---|
| Authentication Admin | Yes, for some users | Yes, for some users | No | No | No |
| Privileged Authentication Admin | Yes, for all users | Yes, for all users | No | No | No |
| Authentication Policy Admin | No | No | Yes | Yes | Yes |
An additional new role, Domain Name Administrator, is also available to delegate domain name management.
It allows adding, validating and removing custom domains in Azure AD, and it also includes the capability to set up federation with on-premises.
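As an added example (not code from the original post), the script below delegates both roles described above with the Microsoft Graph PowerShell SDK: it activates the built-in role template if the tenant has never used it, adds a user to the role, and then lists role membership so the delegation can be verified against who still holds Global Administrator. It assumes the Microsoft.Graph module is installed, that the caller can consent to the RoleManagement.ReadWrite.Directory and User.Read.All scopes, that the tenant display names are "Authentication Policy Administrator" and "Domain Name Administrator" (the post uses the shorter "Admin" forms), and the user principal names are placeholders.

```powershell
# Added example, not from the original post. Delegates MFA/authentication-method and
# domain-name management to dedicated roles instead of Global Administrator.
# Assumes the Microsoft.Graph module; role display names and UPNs below are assumptions.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Get-OrActivateDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Built-in roles exist only as templates until first used, so activate on demand.
    # The role list is small, so filtering client-side is simpler than a server $filter.
    $role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $template) { throw "No role template named '$DisplayName' in this tenant" }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

function Add-UserToDirectoryRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $role = Get-OrActivateDirectoryRole -DisplayName $RoleDisplayName
    $user = Get-MgUser -UserId $UserPrincipalName
    # Skip if already a member; the add call fails on duplicates.
    $already = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        Where-Object { $_.Id -eq $user.Id }
    if ($already) {
        Write-Host "$UserPrincipalName already holds $RoleDisplayName"
        return
    }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Added $UserPrincipalName to $RoleDisplayName"
}

function Get-DirectoryRoleMemberReport {
    param([Parameter(Mandatory)][string]$RoleDisplayName)
    $role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) { return @() }   # never activated, so nobody holds it
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        [pscustomobject]@{
            Role              = $RoleDisplayName
            Id                = $_.Id
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
        }
    }
}

# Usage with placeholder UPNs: delegate the two narrow roles, then review who still
# holds Global Administrator so accounts that only need MFA or domain management
# can be moved off the broad role.
Add-UserToDirectoryRole -RoleDisplayName "Authentication Policy Administrator" `
                        -UserPrincipalName "mfa.admin@contoso.example"
Add-UserToDirectoryRole -RoleDisplayName "Domain Name Administrator" `
                        -UserPrincipalName "domain.admin@contoso.example"

foreach ($r in "Global Administrator", "Authentication Policy Administrator", "Domain Name Administrator") {
    Get-DirectoryRoleMemberReport -RoleDisplayName $r | Format-Table -AutoSize
}
```

Run the report part first on its own if you only want an inventory; the membership list for Global Administrator is the quickest way to spot accounts whose only duty is MFA or domain administration and that could be re-assigned to the narrower role.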