How can I delegate permissions to help desk technicians to enable MFA for Microsoft 365 users?


Objective

This article explains how to delegate permissions in ADManager Plus so that help desk technicians can enable or manage multi-factor authentication (MFA) settings for Microsoft 365 users. This delegation ensures that routine MFA administration tasks can be handled by help desk staff without granting them full administrative privileges, maintaining security and improving operational efficiency.

Prerequisites 

  • Administrator access to ADManager Plus to create, modify, and assign help desk technician roles.

  • A Microsoft 365 tenant that's configured in ADManager Plus.

  • Network connectivity and valid credentials to communicate with Microsoft 365 services.

Steps to follow

Step 1: Delegate MFA settings for Microsoft 365 users

  1. Log in to ADManager Plus as an administrator.

  2. Navigate to Delegation > Help Desk Delegation > Help Desk Roles.

  3. To configure permissions, either click Create New Role or select an existing role and click Edit.

  4. Go to the Microsoft 365 tab, then expand Management > User Management.

  5. Ensure the MFA Settings check box is selected. This grants technicians the ability to enable or manage MFA for Microsoft 365 users.

  6. Click Save to apply the changes.

Step 2: Assign the help desk role to technicians

  1. Navigate to Delegation > Help Desk Delegation > Help Desk Technicians.

  2. Select the technician accounts that need permission to manage MFA. If the technician is not listed, click Add New Technician.

  3. In the Select Help Desk Roles field, choose the role that includes MFA Settings under Microsoft 365.

  4. Click Save to assign the role to the technician.

Tips 

  1. Check the technician’s dashboard to ensure the Microsoft 365 MFA management options are visible.

  2. Review Audit Reports to see that technician actions on MFA are logged correctly.

  3. Optionally, disable the delegated permissions temporarily and confirm that the technician loses access, verifying that delegation is enforced.
