{"id":794,"date":"2023-08-03T16:54:08","date_gmt":"2023-08-03T08:54:08","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=794"},"modified":"2023-08-31T01:49:10","modified_gmt":"2023-08-30T17:49:10","slug":"794-2","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/794-2\/","title":{"rendered":"Understanding Azure Built-in Roles’ Impact on User Authentication Methods Blade"},"content":{"rendered":"\n

I recently encountered an interesting issue while attempting to manage authentication methods for different users. In this blog post, I will share the journey of my investigation, the discoveries, and the ultimate conclusion I reached.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

Issue Description<\/h3>\n\n\n\n

User has been assigned the necessary role to manage user authentication methods, including resetting Microsoft MFA (Multi-Factor Authentication) and creating Temporary Access Passes (TAPs) for certain end-users. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

However, during our attempts to perform these operations, I encountered two distinct behaviors. Some users allowed me to carry out the required actions, while others presented these options as greyed out, preventing us from proceeding further.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

Issue Analysis<\/h3>\n\n\n\n

Upon consulting the Microsoft documentation, I discovered that authentication administrators do not have full permissions for all users. Further research unveiled a chart illustrating scenarios where certain users are considered privileged target users, making them unmanageable by normal authentication administrators.<\/p>\n\n\n\n

Azure AD built-in roles – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I also noticed a key observation during the investigation. Users without any role assigned, like “test2” appeared to be the primary factor causing the peculiar behavior. Upon close examination, it became apparent that users assigned as members or owners in a group with the “Azure AD roles can be assigned to the group<\/strong>” option enabled were not manageable by non-privileged authentication administrators.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

Action Performed<\/h3>\n\n\n\n

Intrigued to discover more, I delved further into the issue by inspecting the user-assigned groups. I stumbled upon a test group which happened to have the mentioned option enabled, and it included several affected users, including “test2”.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

During my investigation, I also learned that the “Azure AD roles can be assigned to group<\/strong>” settings are only configurable when creating a new group and cannot be edited after the group’s creation.
Use Azure AD groups to manage role assignments – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n

\n\n\n\n

Conclusion<\/h3>\n\n\n\n

Following a comprehensive investigation and analysis, I reached a critical conclusion. The behavior we were encountering was an expected one, rather than a system flaw. Users such as “test,” belonging to groups with the “Azure AD roles can be assigned to the group<\/strong>” option enabled, are considered privileged users. As a result, ordinary authentication administrators, including myself, lacked the required permissions to manage these individuals effectively.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To resolve the issue, we arrived at two potential solutions.<\/strong> The first involves seeking assistance from a higher-privileged administrator to carry out the MFA operations on the affected users. Alternatively, we could consider assigning privileged authentication administrators to handle such tasks. However, the latter option comes with potential security concerns that need to be addressed and evaluated before implementation.<\/p>\n\n\n\n

In conclusion, this investigation taught me a valuable lesson about user authentication methods and the impact of group settings on administrative permissions. <\/p>\n","protected":false},"excerpt":{"rendered":"

I recently encountered an interesting issue while attempting to manage authentication methods for different users. In this blog post, I will share the journey of my investigation, the discoveries, and the ultimate conclusion I reached. Issue Description User has been assigned the necessary role to manage user authentication methods, including resetting Microsoft MFA (Multi-Factor Authentication) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[32,12],"tags":[],"class_list":["post-794","post","type-post","status-publish","format-standard","hentry","category-aad-general","category-troubleshooting"],"yoast_head":"\nUnderstanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/794-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"I recently encountered an interesting issue while attempting to manage authentication methods for different users. In this blog post, I will share the journey of my investigation, the discoveries, and the ultimate conclusion I reached. Issue Description User has been assigned the necessary role to manage user authentication methods, including resetting Microsoft MFA (Multi-Factor Authentication) […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/794-2\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-03T08:54:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-30T17:49:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"Understanding Azure Built-in Roles’ Impact on User Authentication Methods Blade\",\"datePublished\":\"2023-08-03T08:54:08+00:00\",\"dateModified\":\"2023-08-30T17:49:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/\"},\"wordCount\":457,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png\",\"articleSection\":[\"AAD General\",\"Troubleshooting\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/794-2\/\",\"name\":\"Understanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png\",\"datePublished\":\"2023-08-03T08:54:08+00:00\",\"dateModified\":\"2023-08-30T17:49:10+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/794-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png\",\"width\":1030,\"height\":658},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/794-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Understanding Azure Built-in Roles’ Impact on User Authentication Methods Blade\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Understanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/794-2\/","og_locale":"en_US","og_type":"article","og_title":"Understanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT","og_description":"I recently encountered an interesting issue while attempting to manage authentication methods for different users. In this blog post, I will share the journey of my investigation, the discoveries, and the ultimate conclusion I reached. Issue Description User has been assigned the necessary role to manage user authentication methods, including resetting Microsoft MFA (Multi-Factor Authentication) […]","og_url":"https:\/\/www.ruianding.com\/blog\/794-2\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-08-03T08:54:08+00:00","article_modified_time":"2023-08-30T17:49:10+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"Understanding Azure Built-in Roles’ Impact on User Authentication Methods Blade","datePublished":"2023-08-03T08:54:08+00:00","dateModified":"2023-08-30T17:49:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/"},"wordCount":457,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png","articleSection":["AAD General","Troubleshooting"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/794-2\/","url":"https:\/\/www.ruianding.com\/blog\/794-2\/","name":"Understanding Azure Built-in Roles' Impact on User Authentication Methods Blade - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png","datePublished":"2023-08-03T08:54:08+00:00","dateModified":"2023-08-30T17:49:10+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/794-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/08\/image-17.png","width":1030,"height":658},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/794-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Understanding Azure Built-in Roles’ Impact on User Authentication Methods Blade"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=794"}],"version-history":[{"count":6,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/794\/revisions"}],"predecessor-version":[{"id":813,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/794\/revisions\/813"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}