Azure AD – New administration roles for managing domain name and authentication methods

Good news: you no longer need to be a Global Administrator to manage Multi-Factor Authentication (MFA) or authentication methods.

A new role called Authentication Policy Administrator lets you delegate the management of authentication methods, covering the MFA and password protection policies.

NOTE: the legacy MFA settings are not available to the Authentication Policy Administrator role.

Below is a comparison of the permissions held by the Authentication Administrator, Privileged Authentication Administrator and Authentication Policy Administrator roles.

| Role | User's auth methods | Per-user MFA | MFA settings | Auth method policy | Password protection policy |
|---|---|---|---|---|---|
| Authentication Administrator | Yes, for some users | Yes, for some users | No | No | No |
| Privileged Authentication Administrator | Yes, for all users | Yes, for all users | No | No | No |
| Authentication Policy Administrator | No | No | Yes | Yes | Yes |

An additional new role, Domain Name Administrator, is also available to delegate domain name management.

It lets you add, verify and remove custom domains in Azure AD. It also includes the ability to configure federation with on-premises.
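The point of both roles is to stop handing out Global Administrator for routine MFA and domain tasks. The script below is an added example (not code from the original post) showing how to assign the two scoped roles with the Microsoft Graph PowerShell SDK and then review who holds them. It assumes the Microsoft.Graph modules are installed and that the signed-in account is allowed to activate roles and add members; the user principal names are placeholders.

```powershell
# Added example (not from the original post): delegate the two new roles with Microsoft Graph PowerShell
# instead of granting Global Administrator. Assumes the Microsoft.Graph modules are installed and the
# signed-in admin holds RoleManagement.ReadWrite.Directory. The UPNs below are placeholders.

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

function Get-OrActivateDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)

    # Built-in roles only show up under /directoryRoles once activated from their template,
    # so fall back to the template when the role has never been used in this tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$DisplayName'"
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

function Add-UserToDirectoryRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $role = Get-OrActivateDirectoryRole -DisplayName $RoleDisplayName
    $user = Get-MgUser -UserId $UserPrincipalName

    # Skip if the user already holds the role, so the script is safe to re-run.
    $current = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($current.Id -contains $user.Id) {
        Write-Host "$UserPrincipalName already holds $RoleDisplayName"
        return
    }

    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Added $UserPrincipalName to $RoleDisplayName"
}

# Placeholder accounts: one person manages authentication policy, another manages domains.
# Neither needs Global Administrator for these tasks.
Add-UserToDirectoryRole -RoleDisplayName 'Authentication Policy Administrator' -UserPrincipalName 'auth-policy-admin@contoso.example'
Add-UserToDirectoryRole -RoleDisplayName 'Domain Name Administrator' -UserPrincipalName 'domain-admin@contoso.example'

# Review: list the holders of each role compared in the post, plus Global Administrator,
# to confirm the scoped roles are what people actually use.
foreach ($name in 'Global Administrator',
                  'Authentication Administrator',
                  'Privileged Authentication Administrator',
                  'Authentication Policy Administrator',
                  'Domain Name Administrator') {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { Write-Host "$name : not activated"; continue }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $upns = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    Write-Host "$name : $($upns -join ', ')"
}
```

Roles are resolved by display name rather than by hard-coded template GUID so the script reads the same way as the role names in the table above; the final loop is the check worth keeping as a scheduled report, since a Global Administrator membership list that keeps growing is the sign that delegation is not happening.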
